(by Army General (2S) Watin-Augouard, Founder of the FIC)
Europe kicks off!
Such was the base line of the FIC 2019. As the European Union has become increasingly interested in the FIC–of which it promoted the creation–the FIC wanted to support its efforts to create a safer European digital space bearing the values that distinguish us and bring us together.
Despite the difficulties, the digital Europe is waking up. This should be celebrated, since it complements the efforts of the Member States and offers an enabling environment for a shared sovereignty. It produces regulations and guidelines–the best known being the GDPR and the NIS Directive. This directive lays down requirements concerning the national capacities in cybersecurity and introduces the first measures to strengthen vital sectors to enhance strategic and operational cooperation between Member States.
The Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification was published in the Official Journal of the Union on 7 June. It sustains ENISA, whose mandate was to end in 2020, and creates a three-level European certification.
The “new ENISA”, a Union body with legal personality, is now permanent. Its mandate (Art. 3 of the Regulation) states that it must provide advice regarding cybersecurity and promote operational cooperation both between Member States and between the Member States and Union institutions, bodies, offices and agencies. It also aims at providing skills and acting as a centre of information and knowledge of the Union. It should encourage the exchange of best practices between Member States and the private sector and propose actions to the Commission and the Member States.
ENISA will need to support the development and enhancement of the national and Union computer security incident response teams (‘CSIRTs’) provided for in Directive (EU) 2016/1148, with a view to achieving a high common level of their maturity in the Union. It should not replace the Member States but should be able to provide support, upon request. ENISA should participate in cooperation actions with OECD, OSCE and NATO, without prejudice to the specific character of the security and defence policy of any Member State.
The new regulation promotes the use of the European Cybersecurity Certification in order to tackle the fragmentation of the domestic market. It establishes the principle of mutual recognition within the EU of the certificates issued by a Member State. The aim is to build a uniform European cybersecurity certification framework to prevent “certification shopping” based on different levels of stringency in different Member states. This regulation does not leave the past behind as it aims “to make possible a smooth transition from the existing schemes under such systems to schemes under the new European cybersecurity certification framework.” According to the regulation, a “European cybersecurity certificate” is a document issued by a competent body certifying that a given ICT product, ICT service or ICT process has been evaluated with regards to its compliance with the specific security requirements laid down in a European scheme for cybersecurity certification. A Stakeholder Cybersecurity Certification Group is established. Its members are selected by the Commission from among recognised experts representing the relevant stakeholders. This governance of the certification must adopt patterns offering three levels: a “basic” level for non-critical systems (objects for the public), a “substantial” level, and a “high” level for systems presenting the highest risk to cyberattacks.
It was feared that the “new ENISA” would be a supranational body, while the certification criteria would encourage the “lowest bidder” by choosing the lowest common denominator. The ANSSI (French national cybersecurity agency)–which just celebrated its ten years of existence–could not see its efforts annihilated. It expresses its satisfaction on its website.
Former Inspector General of French armed forces – National Gendarmerie, General Watin-Augouard is today at the head of the Research Center of the National Gendarmerie Officers’ School (CREOGN). He founded the FIC in 2007.