Connect with us

Hi, what are you looking for?



ENISA Transforms to European Union Agency for Cybersecurity

A New ENISA to Develop New Harmonized European Security Certifications

A New ENISA to Develop New Harmonized European Security Certifications

The EU Cybersecurity Act came into force on June 27, 2019. The temporary European Union Agency for Network and Information Security (ENISA) has been replaced by the permanently mandated European Union Agency for Cybersecurity — same people, same place, but with a new name, a budget increased from €11 million to €23 million over a period of five years, and staffing levels allowed to rise by 50%.

With additional resources comes additional requirements. Key among these is involvement in a new EU Cybersecurity Certification Framework. “ENISA will have market related tasks,” commented the agency’s executive director, Udo Helmbrecht, “notably by preparing ‘European cybersecurity certification schemes’ that will serve as the basis for certification of ICT products, processes and services.”

Product certification is a hard nut to crack. It has been attempted many times before at both national and international levels. If requirements are set high, product development costs increase. Prices rise and innovation, especially by new start-ups, is deterred. If requirements are set low, the value of the certification can be questioned. Again, if certification is mandatory, product prices will increase; if it is voluntary, then it is often ignored.

The European intention is for certification to include ‘type’ (e.g. self-assessment or third-party evaluation), and ‘level’ (e.g. basic, substantial and/or high). It is also intended to be voluntary — so ‘voluntary basic self-assessment’ is currently a very low hurdle. However, the European Commission adds that it “will assess whether a specific European cybersecurity certification scheme should become mandatory through relevant EU legislation to ensure an adequate level of cybersecurity of ICT products, services and processes and improve the functioning of the internal market.”

The functioning of the European internal market — usually referred to in Europe aspirationally as the ‘digital single market’ — is the primary driver for the certification scheme. Just as GDPR was meant to harmonize data protection laws across all EU nations, so the European certification is meant to harmonize certification — and the EU believes this will benefit both users and producers. 

“The resulting certificate will be recognised in all Member States,” declares the European Commission, “making it easier for businesses to trade across borders and for users to understand the security features of the product or service. This allows for beneficial competition between providers across the whole EU market, resulting in better products and higher value for money.”

Advertisement. Scroll to continue reading.

However, the actual need for and value of this harmonized certification could be questioned. A survey (PDF) by ENISA in August 2017 asked participants (28 agencies from member states, 24 vendors and manufacturers from the private sector, and 4 consumer associations) about problems encountered when dealing with security certification procedures. The top concern was ‘cost’ (24 participants). Second was the duration of the process (19). The lack of mutual recognition of certificates across member states ranked only third highest concern (17 participants). At this time, the problems involved in certification ranked higher than the potential benefits.

How the EU Cybersecurity Certification Framework could be applied to products imported from outside of the European Union — from North America or the Far East — remains to be seen. The certification cannot be mandated at foreign manufacture, but could be mandated at European purchase. This would give non-EU manufacturers a simple choice: get certified or ignore the European market.

However, the voluntary nature of the scheme could be bolstered by the growing concern over the security of supply chains. A larger company buying and integrating components from third-party manufacturers could insist, as part of its own risk management processes, that the components are certified to a certain level. This could operate in a manner similar to the UK’s proposal for regulating IoT devices. Here, a labeling scheme is being considered, confirming conformance to up to 13 published manufacturing guidelines. A similar labeling scheme could demonstrate foreign manufacture compliance with EU certifications.

Application software certification is not explicitly described, but software cannot be excluded because of its integral nature to security product. The Cybersecurity Act states (para 96 of the preamble), “European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates.”

The two key elements of software certification are likely to be proof of ‘security by design’, and confirmation of the duration for which the supplier will support the product with updates and patches.

Outside of certification, the new Agency’s existing European advisory role on network security will continue and is expanded. For example, it states that it “will assist Member States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis.”

But perhaps of particular interest is the statement that, “At the EU level, ENISA will continue to support the coordination of responses to large-scale cyber-attacks and crises, in cases where two or more EU Member States are affected. This includes the possibility for the Agency to carry out post-incident analysis, when requested by the Member States.”

This relates to an announcement from the European Council in May 2019. It announced a new framework “which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP).”

Responses will be purely political (travel ban) and/or economic (asset freeze) sanctions “on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.” The Agency’s role will likely be forensic and recovery, plus attribution.

There is no indication in this of any suggestion for a form of hacking back mandate at the European level — although individual nations may reserve the right to do so. The UK, for example, believes that in severe incidents, it has the right to strike back both in cyber and on land. In May 2018, Jeremy Wright (then Attorney General and now Secretary of State for Digital, Culture, Media and Sport — DCMS) said “The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter.”

ENISA’s role will remain primarily advisory. It was formed in 2004 to provide EU member states with guidance on the technicalities of network and information security. The Cybersecurity Act has maintained and expanded this basic role. 

Related: Proposed EU Cybersecurity Product Certification Scheme Has Global Effects 

Related: EU Invests €450 Million in Cybersecurity Partnership 

Related: ENISA Report Provides ICS-SCADA Protection Recommendations 

Related: EU Telecommunications Standards Institute Publishes New IoT Security Standard

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.