Certification: is European cybersecurity battle-ready?

War is at our doorstep… And our backdoors: “the war in Ukraine has made it clear that cyberspace is a new field of operations,” says Jean-Pierre Quémard, CEO of KAT and board member of the Alliance pour la Confiance Numérique. The conflict, particularly in its first phases, played out in cyberspace https://www.lesechos.fr/2015/06/chirac-sarkozy-et-hollande-ont-ete-mis-sur-ecoute-par-la-nsa-266790 https://www.lesechos.fr/2015/06/chirac-sarkozy-et-hollande-ont-ete-mis-sur-ecoute-par-la-nsa-266790. Another frontline for the sector, as cybercrime rose 600% during the pandemic, according to the UN.

In terms of cybersecurity, are European certifications the answer to this growing threat? “Product certification is not the only answer, but it guarantees trust in the solutions we implement,” emphasizes KAT’s CEO, before adding: “Intelligence on threat progression, timely communication of vulnerabilities, user awareness and training are also answers, and can be subject to certification.”

Long-awaited by professionals and finally passed in June 2022, the EU’s Cybersecurity Act “outlines a European certification and cybersecurity framework in an effort to standardize certification assessment methods and guarantee levels on a European scale,” as currently pointed out by Anssi.

Guaranteeing “trust in products”

There has since been progress, as evidenced by the Cybersecurity Certification Conference held by the ADT on January 11, 2022, with the participation of Anssi and ENISA representatives. And this is necessary for Europe to make its voice heard in the field, explains the ACN board member: “Digital sovereignty requires setting up a body of processes supported by global and European standards that will ensure and guarantee trust in the products, systems and services implemented. Certification is one of the means available to analyze, verify and certify safety performance in a given operational environment.”

While the technical aspect mentioned here is subject to constructive debate, reaching an agreement on the political implications of this sovereignty is more difficult. Indeed, the European Commission, inspired by the French SecNumCloud model, requested ENISA to include guarantees of immunity from foreign jurisdictions at the highest certification level. To put it plainly, a member State’s strategic services would go through companies that are not only based in Europe, but under European Statute. Therefore, they could not turn to US cloud services, subject to US legal extraterritoriality.

The cloud, a European sovereignty conundrum

The result is a general outcry from some of the member States, but also some ENISA experts. Besides having to potentially forego high-performance services, critics of this approach, particularly in Berlin, point out that the Commission introduced a political notion to a purely technical text. Even though nothing was settled as of December 2022, 13 trade associations also voiced their disagreement with this project. Unsurprisingly, the sector’s American heavyweights are members of most of them. Washington sees the move as a protectionist measure.

Pending the conclusion of this thorny debate, from a technical standpoint, Europe’s strategic autonomy is underway, highlights Jean-Pierre Quémard. And the EU is going for broke in this effort. In order to create and grow a favorable space for European cyber players, “a unique certification policy must be set up on a European level that will guarantee the compatibility and recognition of certifications throughout the EU. This will avoid imposing 27 certifications, one for each member State, and will establish a European single market that is significant enough in comparison to major world players.”

Effectively, Internet giants, in both infrastructure and services, are mostly American or Chinese. They are imposing increasingly fierce and even aggressive competition on Europe.

Faced with Chinese and US competition, “certification is a factor of excellence”

In this difficult context, can European certification be seen as an instrument of influence and standing for European digital trust companies? Not exactly, according to Jean-Pierre Quémard: “Certifications are not meant to be a vehicle for influence but rather a factor of excellence and competitive advantage. Indeed, European certification, through its transparency, global recognition, and the world-renowned expertise of its manufacturers, can be perceived as independent of the major global players, typically China and the United States.”

While it ensures greater prospects for market players and reinforces consumer trust, certification is of course not a cure-all. Online services of all kinds face increasingly sophisticated attacks from independent, State-backed, and even State-orchestrated criminal groups.

In dealing with complex threats, there must also be an in-depth response, analyzes the ACN board member: “In this context, intelligence is crucial, as well as proper cooperation between the various political, State and industry actors. Cooperation and coordination at a European level are also necessary to ensure the best possible response to a rapidly evolving threat. As such, European regulations eIDAS, NIS2, CSA, CRA, etc. as well as the creation of ENISA are essential components of European sovereignty.”

When States take back control

There are, however, strategic areas where sovereignty still lies with the State: for instance, in protecting a State’s vital interests, particularly against espionage, which is the doing of opponents as well as allies. The wiretapping of Jacques Chirac, Nicolas Sarkozy, François Hollande and other European leaders, including Angela Merkel, is an example of this.

“Clearly, intelligence is one of the crucial components of a national cybersecurity policy. Hence the need to outline priority sovereignty areas (sovereign clouds, secure communications, digital ID, critical infrastructure…) for which high-level certification will be required. This area falls under national defense and is the purview of the General Secretariat for Defense and National Security; it is considered in the Military Programming Act,” explains Jean-Pierre Quémard.

This area is not spared by the a forementioned sovereign cloud controversy. Its scope is ultimately limited compared to all the applications covered by European certifications, highlights the CEO of KAT: “The potential coverage of certification is very broad and outlining horizontal standards that support various vertical implementation areas is important. For example, one IoT certification can cover health, the automotive sector, transportation, energy, communications etc.”

Cybersecurity Act vs Cyber Resilience Act

And while the public is mainly concerned with services, professionals know that behind digitalization there is very tangible equipment, which enters the scope of implementation of European certifications: “Basic components (microcontrollers, sensors, actuators…) will fall under the same certification. This is being developed by the European Committee for Standardization and the European Committee for Electrotechnical Standardization with the 303 645 European standard. It ensures a minimum level of trust and generally raises the level of resistance to cyberattacks, which is the purpose of the CRA (Cyber ​​Resilience Act) being drafted by the European Commission,” reminds the ACN board member.