Threat landscape’s increasing complexity adds impetus to drive for consistency across 27 member states

EU targets standardization as key to bloc-wide cyber-resilience

ANALYSIS The European Union (EU) wants to see greater standardization across European cybersecurity legislation and regulations, according to the bloc’s cybersecurity agency.

The EU sees standards as vital to increasing security across the bloc, as well as ensuring that cybersecurity measures are consistent between member states. This, the European Commission argues, will make it easier for both security vendors and businesses in general to work across borders.

EU-wide standards are envisaged for both product certification and legislation on computer misuse.

The work is being led by ENISA, the EU’s agency for cybersecurity.

“Given the increasing complexity in an evolving cyber threat environment, cybersecurity standards can be an essential tool by which an organization can improve its cybersecurity posture by ensuring its cybersecurity strategy and policies are implemented in a consistent and measurable manner,” a spokesperson for ENISA told The Daily Swig.

Legislative landscape

ENISA is working with the European Commission and European standards agencies, including ETSI, CEN, and CENELEC, to promote standardization. So far ENISA has produced two reports, one reviewing existing standards in risk management and another looking at 5G.

The work is being informed both by the EU’s Cybersecurity Act (CSA), which gives ENISA a lead role in setting security standards, and by the EU’s standardization strategy, set out earlier this year.

The EU’s NIS directive, which sets out measures to bolster cybersecurity across the bloc, specifically calls for EU countries to use European or internationally accepted standards to secure network and information systems.

The EU’s Cybersecurity Act will set up a “European cybersecurity certification framework for ICT products, services and processes”, according to ENISA. Standardization is seen as crucial to the framework’s efficacy. So far, ENISA and the standards agencies have investigated security standardization in 5G, artificial intelligence, digital identity wallets, infrastructure and supply chains, and data protection.

“Standards in the area of IT and technology are crucial to assure interoperability – without them the systems of different vendors wouldn’t work together,” ENISA told The Daily Swig. ENISA expects to provide independent advice to vendors and other stakeholders on cybersecurity standards in future legislation.

Facilitating GDPR compliance

The cybersecurity standardization process is not part of the EU’s General Data Protection Regulation (GDPR). Although in some ways GDPR set the ball rolling, by setting standards for data privacy, the regulation stops short of telling organizations how to comply with the law. Standards will therefore be a key part of ensuring GDPR compliance.

“GDPR was a regulation that was applicable across the bloc when it came into force. Most other work in this space has been in the form of directives that need to be transposed into national laws,” Jon France, CISO of security body (ISC)2, tells The Daily Swig.

“There is broad recognition that cybersecurity is a core requirement within all EU member states, but it remains a very broad topic area covering products, services, development, operation and more across many sectors and industries.”

Tricky task

France believes ENISA is taking on a daunting task.

“The regulatory landscape across Europe is in some respects overt and easy to understand,” he explains. “However, implementation is not as easy with a plethora of rules, regulations, and ways to address them to consider, compounded by security remaining a sovereign reserved right for each member state, with each retaining the ability to choose in many cases what to implement and how to implement within local regulation and law.”

And although the EU acknowledges that standards are an international issue, and the organization takes part in international groupings such as the ISO, ENISA is not currently working with ‘third countries’ on this. This might change in the future, however.

“A standardized approach within the EU would mirror similar initiatives in other regions, for example the US, which has had success with NIST standards for risk assessment and penetration testing that are becoming adopted around the world,” Phil Robinson, principal consultant and founder of Prism Infosec, tells The Daily Swig.

Setting standards would, he says, allow businesses to use one consistent risk assessment across the EU.

“Additionally, in a similar fashion to a safety ‘kitemark’, products and services can also have a standardized certification that will mean that a consumer, business or personal [other individual], can be assured of the cybersecurity certification across the entire region.”
