EUROPEAN COMMISSION

Brussels, 13.9.2017

SWD(2017) 500 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'')

{COM(2017) 477 final}
{SWD(2017) 501 final}
{SWD(2017) 502 final}

Table of Contents

Glossary Glossary

1. 1. Introduction: political and legal context

2. 2. Problem Definition

2.1. 2.1. Overview of the findings of the evaluation of ENISA and the relevant public consultations

2.2. 2.2. What is the size of the problems?

2.3. 2.3. What are the prob lem drivers?

2.4. 2.4. What are the problems for action?

2.4.1. 2.4.1. Problem 1: Fragmentation of policies and approaches to cybersecurity across Member States

2.4.2. 2.4.2. Problem 2: Dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies.

2.4.3. 2.4.3. Problem 3. Insufficient awareness and information of citizens and companies.

2.5. 2.5. Who is affected by the problem and to what extent?

2.6. 2.6. How will the problem evolve?

3. 3. Why should the EU act?

3.1. 3.1. Legal basis

3.2. 3.2. Subsidi arity

4. 4. Objectives: what should be achieved?

4.1. 4.1. General objectives

4.2. 4.2. Specific objectives

5. 5. What are the available policy options?

5.1. 5.1. What is the baseline from which options are assessed?

5.2. 5.2. Policy options related to ENISA

5.3. 5.3. Options related to certification

5.4. 5.4. Options discarded at an early stage

6. 6. What are the impacts of the policy options?

6.1. 6.1. ENISA

6.2. 6.2. Certification

7. 7. How do the options compare?

8. 8. Preferred Option

9. 9. How will actual impacts be monitored and evaluated?

Table of Figures

Figure 1 Priority areas for EU action in cybersecurity Figure 1 Priority areas for EU action in cybersecurity

Figure 2 Selection of significant cyber-attacks in 2016. Figure 2 Selection of significant cyber-attacks in 2016.

Figure 4 Problem Tree Figure 4 Problem Tree

Figure 5 Some issues on awareness and knowledge of cybersecurity issues in Europe Figure 5 Some issues on awareness and knowledge of cybersecurity issues in Europe

Figure 6 Overview of a how a European cybersecurity certification scheme is adopted Figure 6 Overview of a h ow a European cybersecurity certification scheme is adopted

Table of Tables

Table 1 Summary of results of the evaluation according to the criteria Table 1 Summary of results of the evaluation according to the criteria

Table 2 Scope of NIS Directive in relation to key areas Table 2 Scope of NIS Directive in relation to key areas

Table 3 Most urgent gaps and needs, as emerging from the stakeholder consultations Table 3 Most urgent gaps and needs, as emerging from the stakeholder consultations

Table 4 Mission of relevant EU agencies and bodies in the cybersecurity field Table 4 Mission of relevant EU agencies and bodies in the cybersecurity field

Table 5 Overall impact of the various policy options for ENISA. Table 5 Overall impact of the various policy options for ENISA.

Table 6 Overall impact of the various policy options for certification. Table 6 Overall impact of the various policy options for certification.

Table 7 Overview of main changes in the tasks between current ENISA and preferred option Table 7 Overview of main changes in the tasks between current ENISA and preferred op tion

Table 8 List of indicators to monitor progress towards general objectives Table 8 List of indicators to monitor progress towards general objectives

   List of Annexes    

Annex 1 Procedural Information, including organisation and timing of the initiative, exceptions to the Better Regulation Guidelines, the replies to the ISG comments made and the list of evidence provided.

Annex 2 Stakeholder Consultations, including the consultation strategy (which stakeholders, which type of mechanism) and the individual consultation results.

Annex 3 EU Agencies Budget and Staff, providing information on the total EU financial contribution to the 32 decentralised EU agencies, as well as their authorised establishment plans (i.e. staff) in 2017.

Annex 4 Preliminary Mapping of the 16 EU-level Entities that Provide Cybersecurity Content. 

Annex 5 Final Study on the Evaluation of ENISA, as delivered 20 July, 2017 which involves an evaluation over the 2013-2016 period, assessing the Agency’s performance, governance and organisational structure, and positioning with respect to other EU and national bodies. It assesses ENISA’s strengths, weaknesses, opportunities and threats (SWOTs) with regard to the new cybersecurity and digital privacy landscape. It also provides options to modify the mandate of the Agency to better respond to new, emerging needs and assesses their financial implications.

Annex 6 Economic Analysis of Policy Options for ENISA, providing an estimation of the costs related to each of the four options for the future of ENISA derived from the results of the evaluation of ENISA.

Annex 7 ICT Security Certification Study as final version of the commissioned study providing the essential evidence base for the Impact Assessment, as delivered 25 July, 2017.

Annex 8 JRC Study on Certification, which investigates and proposes recommendations for the establishment of a European ICT security certification framework and assesses the feasibility of a European cybersecurity labelling framework.

Annex 9 Sectoral Mapping of EU and International initiatives on Cybersecurity, as recently revised which maps ongoing initiatives in the field of cybersecurity across key sectors covered by Chapter III of the NIS Directive: energy, transport, banking and finance, health, drinking water.

Annex 10 Who is Affected and How, describing the practical implications of the preferred option identified in the Impact Assessment for stakeholder groups likely to be directly or indirectly affected by the initiative.

Annex 11 ICT Security Certification Landscape, which lists the International and national certification schemes and other initiatives.

Annex 12 Case Studies as a new annex on certification schemes in the areas of smart meters, and cloud computing.

Glossary

The below table explains the key terms or acronyms used in this document.

1.Introduction: political and legal context

Since 2013, when the first EU Cybersecurity Strategy 1 was adopted and the Regulation (EU) No 526/2013 set out the current mandate and tasks for European Union Agency for Network and Information Security (ENISA), the challenges related to cybersecurity 2 have significantly evolved alongside with technology and market developments.

Since then, cybersecurity and cybercrime have been included in the Commission political priorities on the Digital Single Market Strategy 3 (DSM) and in the European Agenda on Security 4 . The EU agencies, in particular ENISA and the European Cybercrime Center (EC3) at Europol, have been in the frontline in terms of supporting the EU response to cybethreats, for example by providing information on the threat landscape, supporting Member States in building their capabilities and providing operational and analytical support to Member States’ investigations.

Following up from the 2013 strategy, two cornerstones for European cybersecurity were adopted in 2016: the Directive on security of network and information systems 5 , (the 'NIS Directive') and the contractual public-private partnership on cybersecurity 6 between the EU and the European Cybersecurity Organisation (ECSO) 7 .

These developments are helping to further build-up the EU’s cybersecurity resilience.

Nevertheless, cyberattacks are increasing at an alarming pace. The latest example of a ransomware 8 cyber-attack in May 2017 shows the potentially massive impact of a cyber-attack across sectors and countries: more than 150 countries and over 230,000 systems were affected, including those related to essential services such as hospitals, despite the damage being contained this time in comparison to the potential (deeper) consequences it may have had 9 . This example is just the last of a series: more than 4,000 ransomware attacks have occurred every day since the beginning of 2016, a 300% increase over 2015 10 .

The number and size of cyberattacks can affect public trust in the capacity of modern societies to ensure security and privacy, therefore undermining the very foundations of the digital economy. Moreover, the digital society is shifting from specific connected devices (computers, smartphones or wearables) to omnipresent connectivity (household items, industrial goods, etc.). By 2020 it is estimated that billions of devices, including consumer ones (televisions, refrigerators, washing machines etc.), will be connected to the internet in the EU alone. 11 A connected economy and society is more vulnerable to cyber threats and attacks and requires stronger defences.

In order to gain and preserve trust and security, ICT products and services need to incorporate security features directly in the early stages of their technical design and development. Customers and users need to be able to ascertain the level of security assurance of the products and services they procure or purchase. By providing specific procedures for the evaluation of security properties, formal processes such as certification play an important role in increasing trust and security in products and services. This is particularly relevant for new systems that make extensive use of digital technologies and which require a high level of security, such as connected and automated cars, electronic health, industrial automation control systems (IACS) 12 or smart grids.

Against this background, in the 2016 Communication on Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry 13 , the Commission encouraged Member States to make the utmost use of the voluntary cooperation schemes under the NIS Directive. The Commission announced a number of measures to further step-up cooperation mechanisms and information and knowledge sharing to increase the EU’s resilience and preparedness, also taking into account large scale incidents and a possible pan-European cybersecurity crisis. In this context, the Commission announced that it would advance the evaluation and review of ENISA as an opportunity for a possible enhancement of the Agency’s capabilities and capacities to support Member States in a sustainable manner in achieving cybersecurity resilience.

In the same Communication, the Commission noted that multiple national initiatives are emerging to set high-level cybersecurity requirements for ICT components on traditional infrastructure, including certification requirements. Even if important, these initiatives bear the risk of creating single market fragmentation and interoperability issues. Accordingly, the Commission announced that it would work, among others, on a possible European ICT security certification framework proposal, to be presented by end-2017, and to assess the feasibility and impact of a European lightweight cybersecurity labelling framework.

This vision was further confirmed in the 2016 Council Conclusions, which acknowledged that "cyber threats and vulnerabilities continue to evolve and intensify which will require continued and closer cooperation, especially in handling large-scale cross-border cybersecurity incidents". The conclusions reaffirmed that "the ENISA Regulation is one if the core elements of an EU cyber resilience framework" 17 . At the same time, the Council called on the Commission "to explore the opportunity to create a cybersecurity certification scheme, while reflecting the existing effective security schemes, if relevant, with a view to proposing measures, including legislative ones".

In its Communication on the DSM Strategy Mid-term Review of May 2017, the Commission further specified that by September 2017 it would review the 2013 EU Cybersecurity Strategy to address the risks faced today, help improve the security in the Union and Member States and increase the confidence and trust of businesses and people in the digital economy and society. Moreover, it would review the mandate of ENISA in order to define its role in the changed cybersecurity ecosystem and develop measures on cybersecurity standards and certification to make ICT-based systems, including connected objects more cyber-secure. 18 This approach has been endorsed by the European Council in June 2017, which welcomed the Commission's intention to review the Cybersecurity Strategy in September and to propose further targeted actions 19 .

On this basis, the Commission is discussing a set of measures in three interrelated areas (see figure 1) as part of the Strategy’s review that will be presented in the upcoming September Communication 20 , which sets out the vision for the EU to adopt a proactive approach to protect European prosperity, society and values through effective cybersecurity. The Communication includes actions directed to increase EU resilience, step-up response to cyber attacks, stimulate a single market for cybersecurity and cooperate globally on cybersecurity and defence.

Figure 1 Priority areas for EU action in cybersecurity

The initiative under assessment in this report refers specifically to the review of ENISA and the policy on ICT security certification, which are combined as they address complementary aspects forming part of the overall effort to increase harmonisation of cybersecurity policy and ensure the proper functioning of the single market. In addition, the combined analysis of policies and organisational solutions to implement these with a view of developing a single legislative proposal is a common practice at EU level. One relevant example is provided by the Regulation establishing the European Aviation Safety Agency (EASA) which at the same time covers the common rules in the field of civil aviation 21 . In the case of the policy on ICT security certification, ENISA has been identified as the main organisation to support its implementation by virtue of ENISA being the only EU-level body with extensive experience and knowledge base in the field of security certification such as its Cloud Certification Schemes Metaframework (CCSM) 22 and standardisation (more details are provided in section 5.3). It can moreover present an organizational structure which ensures relevant, consistent and structured Member State input while mainitaining an independent EU-level verification capacity. Bringing cybersecurity resilience and cybersecurity certfication under one roof and under one Regulation would further favour efficiency gains and avoid the setting up of completely new organisational structures.

The proposed actions addressed in the present impact assessment would be part of the EU’s wider resilience building efforts to be endorsed in the 2017 September Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU' 23 , and therefore also effect the work of ENISA. More specifically, in addition to addressing the end of the Agency’s current mandate and the review of its tasks and functions, the proposed Regulation would also address the role of such an Agency in the wider cybersecurity ecosystem in the EU. Building on the responsibilities conferred to ENISA by the NIS Directive, this would include its role in in handling incidents for which Member States may ask ENISA for assistance and in large scale cross-border incidents referred to in the EU cybersecurity blueprint 24 , an initiative that is part of the September 2017 Communication 25 , which describes how national and Union actors should interact (cooperate and exchange information) in response to large scale cross-border cybersecurity incidents and crises within existing crisis management mechanisms such as the IPCR and ARGUS. The crisis management ecosystem as regards cybersecurity at Union level involves many actors including ENISA, CSIRTs Network, the European Cybercrime Centre (EC3) at Europol, and CERT-EU. As regards ENISA, blueprint it identifies its role and responsibilities within established crisis management procedures as well as the role it plays in the CSIRTs Network during crises.

The new Regulation would also build such a capacity that would allow ENISA to also have a role in providing assistance upon creation of an EU emergency fund 26 subject to the relevant legal instrument’s requirements. ENISA’s role would also be further enhanced and supported by the eventual creation of the European Cybersecurity Research and Competence Centre 27 , bringing together a network of European centres from which ENISA could draw further competences and expertise for its functions.

2.Problem Definition

2.1.Overview of the findings of the evaluation of ENISA and the relevant public consultations

The present impact assessment is supported, among other sources of evidence, by the results of the ex-post evaluation of ENISA (2013-2016 period) and two public consultations related to the evaluation and review of ENISA’s mandate and the contractual public-private partnership (cPPP) on cybersecurity, where a section was devoted to the topic of ICT security certification. In this paragraph a brief overview of their results is presented, while a detailed summary can be found in Annex 2, together with the results of the targeted consultation activities. References to specific results are also included throughout the document.

The evaluation of ENISA

The Commission, according to the evaluation roadmap 28 , assessed the relevance, impact, effectiveness, efficiency, coherence and EU added value of the Agency with regard to its performance, governance, internal organisational structure and working practices in the period 2013-2016. Inter alia, the results of stakeholder consultations for this evaluation suggest that ENISA's resources and mandate need to be adapted so that it can adequately support Member States to respond to the challenges of the future.

The main findings can be summarised as follows (for more see the Staff Working Document on the subject, accompanying the impact assessment).

Table 1 Summary of results of the evaluation according to the criteria

Relevance: In a context of technological developments and evolving threats and of significant need for increased network and information security (NIS) in the EU, ENISA's objectives proved to be relevant. In fact, Member States and EU bodies rely on expertise on the evolution of NIS, capacities need to be built in the Member States to understand and respond to threats, and stakeholders need to cooperate across thematic fields and across institutions. NIS continues to be a key political priority of the EU to which ENISA is expected to respond; however, ENISA’s design as EU agency with a fixed-term mandate: (i) does not allow for long-term planning and sustainable support to Member States and EU Institutions; (ii) may lead to a legal vacuum as the provisions of the NIS Directive entrusting ENISA with tasks are of a permanent nature 29 ; (iii) lacks coherence with a vision linking ENISA to an enhanced EU cybersecurity ecosystem.

Effectiveness: ENISA overall met its objectives and implemented its tasks. It made a contribution to increased NIS in Europe through its main activities (capacity building, provision of expertise, community building, support to policy). It showed potential for improvement in relation to each. The evaluation concluded that ENISA has effectively created strong and trustful relationships with some of its stakeholders, notably with the Member States and the CSIRT community, “acting as a neutral, independent broker at EU level and as a bridge between the strategic and operational worlds” 30 . Interventions in the area of capacity building were perceived as effective in particular for less resourced Member States. Stimulating broad cooperation has been one of the highlights, with stakeholders widely agreeing on the positive role ENISA plays in bringing people together. However, ENISA faced difficulties to make a big impact in the vast field of NIS. This was also due to the fact it had fairly limited human and financial resources to meet a very broad mandate. The evaluation also concluded that ENISA partially met the objective of providing expertise, linked to the problems in recruiting experts (see also below in the efficiency section).

Efficiency: Despite its small budget the Agency has been able to contribute to targeted objectives, showing overall efficiency in the use of its resources. The evaluation concluded that processes generally were efficient and a clear delineation of responsibilities within the organisation led to a good execution of the work. One of the main challenges to the Agency’s efficiency relates to ENISA’s difficulties in recruiting and retaining highly qualified experts. The findings show that this can be explained by a combination of factors, including the general difficulties across the public sector to compete with the private sector when trying to hire highly specialised experts, the type of contracts (fixed term) that the Agency could mostly offer and the somewhat low level of attractiveness related to ENISA's location, for example linked to difficulties encountered by spouses to find work. A location split between Athens and Heraklion required additional efforts of coordination and generating additional costs but the move to Athens in 2013 of the core operations department increased the agency's operational efficiency.

Coherence: ENISA’s activities have been generally coherent with the policies and activities of its stakeholders, at national and EU level, but there is a need for a more coordinated approach to cybersecurity at EU level. The potential for cooperation between ENISA and other EU bodies has not been fully utilised. The evolution in the EU legal and policy landscape make the current mandate less coherent today.

EU-added value: ENISA’s added value lie primarily in the Agency’s ability to enhance cooperation, mainly between Member States but also with related NIS communities. Indeed, “ENISA is providing significant added value to the cybersecurity activities implemented in the Member States” 31 There is no other actor at EU level that supports the cooperation of the same variety of stakeholders on NIS. The added value provided by the agency varied according to the diverging needs and resources of its stakeholders (e.g. big versus small Member States; Member States versus industry) and the need for the agency to prioritize its activities according to the work programme. The evaluation concluded that a potential discontinuation of ENISA would be a lost opportunity for all Member States. It will not be possible to ensure the same degree of community building and cooperation across the Member States in the field of cybersecurity without a decentralised EU agency the picture would be more fragmented where bilateral or regional cooperation stepped in to fill a void left by ENISA.

Results of the public consultations on the contractual public-private partnership on cybersecurity (cPPP) and the ENISA evaluation and review.

The results from the 2016 consultation on cybersecurity cPPP 32 on the section on certification show that:

·50,4% (e.g. 121 out of 240) of respondents do not know whether national certification schemes are mutually recognised across EU Member States. 25.8% (62 out of 240) replied 'No', while 23.8% (57 out of 240) replied 'Yes'.

·37,9% of respondents (91 out of 240) think that existing certification schemes do not support the needs of Europe's industry. On the other hand, 17, 5% (42 out of 240) – mainly global companies operating on the European market - expressed the opposite view.

·49.6% (119 out of 240) of respondents says that it is not easy to demonstrate equivalence between standards, certification schemes, and labels. 37.9% (91 out of 240) replied 'I do not know', while only 12,5% (30 out of 240) replied ‘Yes’.

In addition, in the context of the 2017 public consultation on the evaluation and review of ENISA, 67.5 % of respondents to the specific question (54 out of 80, of which 11 national authorities) expressed the view that ENISA could play a role in establishing a harmonized framework for security certification of ICT products and services In terms of stakeholder coverage, the consultation provided a good and representative level of qualified input, covering relevant stakeholders ranging from operators of critical infrastructures, service providers, ICT vendors, associations from the ICT, banking or telecommunications sectors, to Member States and their cybersecurity and certification agencies. Their responses showed that stakeholders count on ENISA to continue its work and strengthen its role in the future. Some of the most supportive comments speak of it ‘becoming a central information hub’, ‘a more visible agency in the service of all Member States’, express the wish to ‘confirm and reinforce’ ENISA. Other comments highlight the need for ENISA to adapt to changing circumstances, also strengthening its resources, or by offering ‘real-time cybersecurity warnings’ or commending the organisation of the cyber-exercises and acting as ‘energizer for the industry’ and ‘enabler of a security designed in Europe label’. With specific regard to ENISA past performances and future, the main trends emerging from the 2017 consultation are the following 33 :

·The overall performance of ENISA during the period 2013 to 2016 was positively assessed by a majority of respondents (74%). A majority of respondents furthermore considered ENISA to be achieving its different objectives (at least 63% for each of the objectives). ENISA’s services and products are regularly (monthly or more often) used by almost half of the respondents (46%) and are appreciated for the fact that they stem from an EU-level body (83%) and for their quality (62%).

·Respondents identified a number of gaps and challenges for the future of cybersecurity in the EU, in particular the top five (in a list of 16) were: cooperation across Member States; capacity to prevent, detect and resolve large scale cyber-attacks; cooperation across Member States in matters related to cyber security; cooperation and information sharing between different stakeholders, including public-private cooperation; protection of critical infrastructure from cyber-attacks.

·A large majority (88%) of respondents considered the current instruments and mechanisms available at EU level to be insufficient or only partially adequate to address these. A large majority of respondents (98%) saw a need for an EU body to respond to these needs and among them ENISA was considered to be the right organisation to do so by 99%.

2.2.What is the size of the problems?

Europeans increasingly value and rely on digital technologies. According to a recent Eurobarometer survey 34 , the majority of citizens think digital technologies have a positive impact on the economy (75%), on their quality of life (67%) and on society (64%).

Critical economic sectors such as transport, energy, health or finance have become increasingly dependent on network and information systems to run their core businesses. The Internet of Things (IoT), interconnecting objects between them and with people through communication networks 35 , is already a reality and it is expected to boom in the near future: a few billions of IoT connections are forecasted in the EU in 2020 36 .

While the growing digital connectivity brings enormous opportunities, it also exposes the economy and society to cyber threats.

Cyber-attacks are constantly on the rise. In some Member States, it has been estimated that half of all the crimes are cybercrimes 37 . Some of these attacks have aimed at high-profile targets, including power grids, important webmail services, central banks, telecommunications companies and electoral commissions. This is reflected also in citizens' own perception of risk: 86% of respondents to the latest Eurobarometer on the subject believe that the risk of becoming a victim of cybercrime is increasing 38 .

A 2016 study by PwC revealed that the number of security incidents across all industries rose by 38% in 2015, which is the biggest increase in the past 12 years, while at least 80% of European companies have experienced at least one cybersecurity incident. 39 . In Q3 2016 alone, 18 million new malware samples were captured, i.e. an average of 200,000 per day.

Moreover, a large share of cybersecurity incidents are due to technical failures without malicious intent – deriving from products which are weak on security, to the lack of software updates or appropriate procedures – or are due to some type of human error.

Cyber incidents cause major economic damage to European businesses, undermine the trust of citizens and enterprises in the digital society and affect citizens’ fundamental rights. A 2014 study 40 estimated that the economic impact of cybercrime in the Union amouted to 0.41% of EU GDP (i.e. around EUR 55 billion) in 2013; with Germany being the most affected Member States (1.6 % of GDP). A recent report, in the afternmath of the "wannacry" attack, estimated that a serious cyber-attack could cost the global economy more than $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy 41 .

The most affected sectors are financial services, energy, technology, services, industry and defence 42 and, as shown in figure 2, several big attacks to critical sectors were reported in 2016.

Figure 2 Selection of significant cyber-attacks in 2016.

Source: European Political Strategy Centre, 2017

The IoT has brought new risks. This applies in particular to consumer IoT, as it can involve "non-technical" or "uninterested" consumers, who connect an increasingly wide variety of devices to their home networks. They risk losing track of which devices are connected to the Internet over time, therefore making the efforts of securing them even more challenging 43 . Connectable home devices, such as TVs, home thermostats or home alarms, create multiple connection points for hackers to gain entry into IoT ecosystems, access customer information, or even penetrate manufacturers’ back-end systems 44 .

Cyber threats evolve so rapidly that strategies and tools to prevent and respond to them easily become outdated. For example, in the public consultation on ENISA review, 83% of respondents considered that the current instruments and mechanisms at European level (such as the regulatory framework, cooperation mechanisms, funding programmes, EU agencies and bodies) are either “partially” or only “marginally adequate” and 5% found them “not at all adequate” to promote and ensure cybersecurity.

In this context, ICT security certification is a valuable tool whose use is inadequate in the EU. All participants to a recent ENISA survey (see Annex 2) agreed on the need to leverage on certification to mitigate cybersecurity risks. In addition, 40 out of 46 respondents 45 to a survey aimed at SMEs think that ICT security certification is a valuable tool to reduce cyber vulnerabilities of ICT products or services (see Annex 2).

2.3.What are the problem drivers? 

The analysis of the evidence supporting the impact assessment identified the following main drivers contributing to the problem:

·Incomplete regulatory framework, in particular as regards a coherent approach to cybersecurity policies at the EU-level. Several pieces of legislation contain provisions on cybersecurity requirements, primarily; the NIS Directive, the General Data Protection Regulation (GDPR), the current Telecoms Framework (and the related proposal for a European Electronic Communications Code), the Payment Service Directive 2 (PSD2) but also market regulation (e.g. Radio Equipment Directive). These legislative acts do not provide for an EU-wide coordinated approach on the implementation of the requirements and the guidance on the implementation is entrusted to different agencies or bodies, risking a silo-ed and in many cases sectoral approach 46 . This leads to fragmentation of policies and approaches across Member States and EU institutions and agencies in an area where a harmonised approach is fundamental to increase resilience and ensure the functioning of the internal market.

·Immature cooperation mechanisms. Cooperation across Member States, between public and private actors and between the national and the EU level is taking shape, although at slow pace. In particular, the NIS Directive provides for mechanisms that can stimulate cross-border cooperation at least on a voluntary basis. However, these measures are only starting to take place. Furthermore, the shift in culture towards cooperation in an area close to national security takes time to progress especially at EU level, where cooperation takes place mostly on an ad-hoc basis or according to bilateral agreements between different actors. The low degree of development of cooperation mechanisms has a direct impact on the fragmentation of the policies and the approaches to cybersecurity across Member States and across the EU institutions, agencies and bodies.

·Lack of EU-wide reliable data and analyses. There is little information and independent analyses on key cybersecurity issues (such as the economics of cybersecurity, reliable trends of expected new challenges, the best solutions to face threats or criminal statistics related to cybercrime 47 ) covering the whole EU. This applies in particular to the cybersecurity incidents. The incident reporting requirements of the GDPR, the NIS Directive and as well as other similar requirements stemming from other pieces of legislation 48 , should somehow improve the situation, but primarily at the national level as notifications are to be addressed to the national authorities. This is insufficient for the EU needs and it leads to fragmentation of policies and approaches across the Member States and EU institutions, and to insufficient awareness and information of citizens and companies. In particular, companies that are present in more than one Member State, EU-level regulators or even national regulators in sectors with significant cross-border dependencies, need to be aware of the situation in the entire EU if they want to make reliable risk-based decisions or take appropriate measures. The lack of EU-wide reliable data also impacts the cybersecurity industry’s ability to design products that would meet the requirements of companies and citizens across the whole EU.

·Limited efficiency and suitability of current certification mechanisms: The main mutual recognition instrument in Europe - the SOG-IS MRA - has a number of shortcomings.It only includes twelve Member States plus Norway and has developed only a few protection profiles regarding certain digital products (such as digital signatures, digital tachograph and smart cards). Furthermore, SOG-IS MRA is based on the methodology of Common Criteria (CC), which is criticised for the long duration of process and high costs, among others 49 . CC envisages seven Evaluation Assurance Levels (EAL), with one being the lowest-level evaluation and seven being the highest-level one 50 . It has been estimated that a CC certificate for the lowest level of assurance can be obtained in about six months at a cost of around EUR 20,000. A higher assurance level certificate (e.g. EAL 4) for an ICT product can take one to two years, and, often, by the time the process is completed a new version of that product is already delivered 51 . According to the smart metering industry, CC certification is the most expensive (not less than EUR 500,000) among the various certifications they have to provide. Govenments and industry have taken actions to develop more agile certification scheme. However, the use of these schemes is occurring in an uncoordinated way. As a result, manufacturers of products such as smart meters would typically need to apply for different certification schemes or comply with different security requirements across the EU. The duration of each certification process for these products can take from six months to one year. These initiatives acknowledge the importance of ICT security certification and are in line with the objective of mainstreaming cybersecurity in the EU policy making. However, they can also lead to dispersed resources and diverging approaches to cybersecurity if the initiatives across different policy domains are not, as it it currently the case, sufficiently coordinated.

·Insufficient and uneven resources allocated at national and EU level, is a driver for all three problems outlined in figure 3. Only in recent years has cybersecurity acquired a status of important policy where both governments and companies have decided to invest and yet, as presented above, it is still very difficult to estimate the return on such investments, sometimes making the choice to allocate resources difficult. The differences in the resources available across organisations, Member States and EU institutions impact directly the level of capabilities and preparedness of Member States, the EU capacity to complement the action of Member States and the information made available to citizens and businesses. Furthermore, in the context of the budgeting policies of each organisation, limited resources also hamper the possibility to invest as needed in the cooperation and coordination mechanisms, leading to an overall insufficient cooperation and coordination across Member States and EU institutions.

· Insufficient education and awareness programmes. The lack of adequate education and awareness programmes, together with the lack of sufficient data and analyses, leads to the insufficient awareness of cyber threats. There is not such a culture of embedding basic measures of cybersecurity among the key learnings for the citizens of the digital society and the pace at which people become aware of cyber threats and possible remedies is much slower than the one at which they embrace technological innovations.

2.4.What are the problems for action? 

Within the broader course of action defined by the review of the EU cybersecurity strategy, and within the limits of the available instruments, the present initiative aims to contribute to tackling the following interrelated problems:

·Fragmentation of policies and approaches to cybersecurity across the Member States. This problem, highlighted by stakeholders (see Annex 2 presenting results of stakeholders' consultation), covers several aspects that are under remit of ENISA (support to cooperation among Member States, EU level capabilities to support Member States, coordination between the EU bodies, support in implementation of legislation) and specifically the policy on certification (emergence of multiple national certification schemes and initiatives that are not recognised across EU in a coherent manner).

·Dispersed resources and approaches to cybersecurity of the EU institutions, agencies and bodies.

·Insufficient awareness among citizens and companies of cyber threats and insufficient information concerning the security properties of ICT products and services they purchase.

The three problems in turn lead to a series of consequences related to cyber resilience and market dynamics (see also figure 4):

·Cyber resilience: The fragmentation of policies and approaches at both national and EU level, together with a continuing lack of awareness of cybersecurity issues among individuals and organisations lead to the insufficient protection of critical infrastructures, the potential proliferation of incidents due to human behaviour, the exposure of the whole system to the effects of incidents due to "weaker links" in other words less equipped parts, and to a lack of preparedness of the EU to face large scale cross-border incidents.

·Market dynamics: The emergence of multiple national certification schemes which are not recognised throughout the EU may lead to single market fragmentation and - due to the fact that ICT vendors might need to undergo several certification processes to be able to sell in several Member States - a loss of competitiveness for the businesses, in particular for SMEs. The lack of information on security properties of ICT products and services in a context of growing cyber threats undermines the trust of users (both citizens and businesses) in digital products and services.

The impact of each sub-problem on the cyber resilience and the market dynamics are explained more in detail in the following sections.

Figure 4 Problem Tree

2.4.1.Problem 1: Fragmentation of policies and approaches to cybersecurity across Member States

Problem 1.a: Insufficient cooperation and coordination in responding to cyber threats and incidents.

Cybersecurity is a truly global issue, which is cross-border by nature and is becoming increasingly cross-sector due to the interdependencies between networks and information systems. The impact of incidents that affect one organisation can easily spread to others and the same logic applies to countries.

When it comes to attacks, as shown in several cases including the most recent ransomware campaign, the perpetrators often tend to collaborate internationally by sharing information, building their intelligence collectively and rapidly responding to possible counter-measures from the victims.

Despite some progress made in the past years, the Commission cannot see the same level of cooperation and coordination on the side of public authorities and businesses in the EU.

Since its establishment in 2004, ENISA has aimed to foster cooperation between Member States and the NIS stakeholders, including through the support of public-private cooperation. This included the technical work to provide an EU-wide picture of the threat landscape 52 , the setting-up of expert groups and the organisation of pan-European cyber incident and crisis management exercises for public and private sectors exercises (in particular "Cyber Europe 53 ").

The 2016 NIS Directive is a key step in building trust between Member States to stimulate information sharing, mutual learning and shared approaches to risk management. However, the scope of the NIS Directive is not all-encompassing (see table 2) and does not cover some of the key areas this initiative is addressing. To do this would require specific measures that complement the NIS Directive (see description of the preferred option in section 8).

Table 2 Scope of NIS Directive in relation to key areas

Better and more technical support at the EU level is also needed to help bridge the existing gaps, for example regarding the availability of reliable data and analyses on threats and incidents and of EU-wide good practices, in particular in critical sectors.

The lack of an adequate EU-wide technical support and the differences in the approaches to cybersecurity standards make it difficult to establish common baselines and security requirements, for instance, to reduce cost burdens on businesses which operate cross-border.

It is furthermore becoming clear that a variety of requirements for security certification are emerging at both the national and regional level. For example at a national level, although VPN 57 products are usually certified against international “collaborative” protection profiles (cPP) 58 , vendors wanting to access the French market are typically requested to obtain an additional CSPN certification (see box 4). This process takes from six to nine months and it costs around EUR 80,000. Security products such as Hardware Security Module (HSMs) and/or the cryptographic modules they employ are typically certified to internationally recognized standards such FIPS. However, SOG-IS members request an additional CC certificate with a related vulnerability analysis. At a regional level, an Italian local public authority 59 had for example issued requirements in a public procurement procedure for security certification of a video surveillance system according to Common Criteria 60 (CC) at a low assurance level (EAL 1). It has been estimated that such a certification process takes 6 months and costs around EUR 20,000 (see Annex 7). In the absence of common ICT security requirements, authorities may decide both at which level such products should be tested and indeed whether such products should be tested at all, again leading to a situation of fragmentation and uncertainty within the EU.

Furthermore, existing mechanisms for cooperation on operational matters, in particular on detection and response to cybersecurity incidents are still limited and often restricted to close circles of CSIRTs. Despite good results in ‘simulation mode’, especially in the context of Cyber Europe exercises, and the initial work of the CSIRT Network, the EU is lacking a coordinated approach in case of cross-border incidents and it is today not prepared to handle a potential cybersecurity crisis, such as simultaneous attacks on critical information systems in several Member States.

The type of gaps and developments described above were confirmed by the results of the recent stakeholder consultations (see table 3 below and for more details Annex 2), in particular the public consultation. Here – notwithstanding the adoption of the NIS Directive – cooperation at different levels, including public-private cooperation, and the capacity to prevent and handle large scale cyber-attacks are still perceived as the most urgent gaps in the EU.

Table 3 Most urgent gaps and needs, as emerging from the stakeholder consultations

In addition, there are still gaps in the cooperation and information-sharing mechanisms both within the private sector, as well as between public and private actors. For example, the role of industrial players in collecting, analysing and disseminating information on cyber threats is essential, but the emergence of proper Information Sharing and Analysis Centres (ISACs) as a two-way information sharing resource between the private and public sector to support the protection of critical infrastructures is only a recent phenomenon in the EU. Closing the cooperation gap along these lines should be further stimulated both within sectors and across different sectors.

Problem 1.b: Uneven capabilities and preparedness across Member States

The persistence of gaps between Member States in terms of their cybersecurity capabilities and thus their preparedness in facing cybersecurity challenges is a longstanding issue that requires continuous attention. Today, considerable discrepancies can still be observed between Member States’ cybersecurity policies, legal frameworks and operational capabilities 61 . As a consequence, the effectiveness of the measures taken at national level by one or a few Member States can be affected by the lower level of protection in another Member State, potentially resulting in a ‘contagion’ effect in case of serious disruptions affecting the ‘weakest links’ in the EU community.

The implementation of the NIS Directive will introduce some common requirements for the minimum capabilities in each Member State; namely a national strategy, a CSIRT and a NIS competent national authority. However, it is clear that Member States cannot count on the same level of resources, experience and risk management culture, which impacts directly on their level of preparedness 62 . For example, while most Member States have established operational entities, such as CSIRTs, the mission and the experience of those entities vary greatly. Also, only about half of the Member States are currently conducting national cybersecurity exercises. Similarly, in the area of security certification, a clear gap of capabilities (e.g. in terms of expertise and conformity assessment bodies) can be noticed across Members States, thus maintaining an uneven level of preparedness.

Another significant gap is the different approach to collaboration between governments and the private sector, including those operating critical infrastructures. While the role of the industry is key in responding to cybersecurity challenges, only a few Member States have mature frameworks for public-private partnerships 63 in place.

In this area, the conclusions of the ex-post evaluation of ENISA present both positive and negative aspects. An overall positive assessment of the Agency emerges when it comes to meeting its objective of supporting Member States' capacity building. This is mainly due to the trainings provided and to the support in developing national strategies, but also by ENISA acting as a ‘broker’ of national good practices 64 .

However, Member States have different needs and expectations when it comes to ENISA support especially on capacity building. While the most equipped ones rely little on the Agency, the less resourced or experienced Member States would need increased support, including for detection and response to cybersecurity incidents 65 .

Problem 1.c: The emergence of multiple national and sectoral certification schemes

The rise of cybercrime and security threats has resulted in national initiatives setting high-level cybersecurity and certification requirements for ICT components including those used in traditional infrastructure. While products and services - for which a mandatory certification is not required - can still circulate in the internal market, the emergence of these national initiatives bears the risk of creating market fragmentation and erecting barriers for interoperability. In the absence of mutual recognition mechanisms among these schemes, one possible consequence would be that an ICT vendor needs to undergo several certification processes to be able to sell the same products or service in several Member States.

For example, the technical study that supports this impact assessment shows that smart meter manufacturers comply with three different certification schemes in three European countries. These are CPA in the UK, CSPN in France (see box 4 for a description of the schemes), and a specific protection profile based on CC in Germany. The overall cost of these certifications is about EUR 1 million, which in particular penalises small and medium sized enterprises (SMEs). This is an additional barrier to market entry. For example, in Germany, only one of the biggest smart-metering companies is embarking on various certification processes to enter other markets, all the other companies are only present in the German market.

As the reliance on digital devices increases, requirements for ICT security are expected to proliferate and cover a wide range of products and services. In the worst case, an ICT product or service designed to fulfil cybersecurity requirements in one Member State would have difficulties to enter the market of other Member States where different requirements are in place.

The risk of a proliferation of national certification initiatives increases costs for businesses operating cross-border. It would generate a low incentive for them to embark on such a cumbersome process, with an overall detrimental effect on the quality and security of ICT used in Europe. Furthermore, such fragmentation would also impact the performance of evaluators, in that only a limited number of conformity assessment bodies would be able to certify against the requirements of different schemes.

In the preliminary results of a survey aimed at SMEs (see more details in Annex 2), 18 out of 46 respondents believe that the current existence of multiple ICT certification schemes represents a barrier to market entry because they are too costly and therefore not affordable for SMEs 75 . A recent ENISA survey on ICT security certification (see Annex 2 for the summary results) shows that 57% of respondents (19 out of 33) are aware of multiple existing ICT security certification schemes across EU Member States for the same product or service; 37% (12 out of 33) of the respondents replied ‘No’ to the same question, but expressed their preparedness to accept one single scheme, while 2 ‘do not know’. In the same survey, 90% (30 out of 33) of respondents agreed that mutual recognition of ICT security certification schemes is desirable at European level to address further fragmentation.

In written submissions related to the public consultation on cPPP, respondents emphasized that no reliable certification scheme exists at the moment at the European level. Others pointed to the fact that existing national schemes and security requirements act as barriers to market entry, complaining about the costs of compliance. Some of the industry associations state that further fragmentation of the market with numerous certification schemes should be avoided.

2.4.2.Problem 2: Dispersed resources and fragmentation of approaches to cybersecurity across EU institutions, agencies and bodies. 

Problem 2.a: Insufficient critical mass at EU level to complement the action of Member States.

Despite the importance of cybersecurity on the European agenda, there is still a lack of cybersecurity capabilities and instruments at European level to complement the individual efforts by Member States. Overall, the EU investment 76 today - including in the development and the deployment of cybersecurity technology and solutions - is below the critical mass needed to protect our economy and institutions, in particular if compared to other key international players 77 .

While many organisations at EU level have started to include a cybersecurity perspective in their policies and/or their operations (see next section), the European Commission has no operational capabilities, (the Europol's European Cybercrime Centre (EC3) is dealing specifically with cybercrime) and CERT-EU is responsible for the protection of the EU institutions, agencies and bodies. The only organisation with some preventive operational capabilities 78 and with the official mandate to contribute to the overall network and information security of the Union is ENISA.

ENISA has a broad mandate (see box 3 in section 1) but it is a rather small agency with one of the lowest budgets and number of staff compared to all EU agencies (Annex 3 shows the detailed figures per each agency). ENISA is also the only EU agency with a fixed-term mandate, which limits long term planning of its contribution to Member States and EU institutions. Moreover, the results of stakeholders' consultations also suggested that ENISA currently does not have sufficient resources to meet its broad mandate. Looking at the future, the mandate itself, conceived in a different political, legal, technological and threat landscape, cannot take into account more recent developments, including the tasks attributed to ENISA by the NIS Directive, and it does not sufficiently empower the Agency to respond to the forthcoming cybersecurity challenges.

In particular, the results of the evaluation of ENISA show that the agency needs to prioritize the demands of Member States and EU institutions, leaving at least partially the needs of private stakeholders and in particular industry aside. The industry on the other hand sees a potential important role for ENISA as a future link between the public and private sector. It could better support European businesses by providing high quality strategic analysis of threats, developing sector-specific expertise and ensuring harmonisation baseline requirements for cybersecurity across the EU. Industry sees ENISA focusing on future priority areas such as the Internet of Things, the move to big data and machine intelligence, certification, and envisages ENISA becoming more active in the educational field. Specifically, the large majority of stakeholders that were consulted on issues related to certification, envisage a role for ENISA in future policy developments in this area.

Looking ahead, the recently established Cooperation Group and CSIRTs Network could in the future add to the European level capacity by pooling resources, expertise and information. However, these remain subject to the limitations explained in the section above.

In particular when it comes to operational capabilities for the prevention, detection and response to cyber-incidents, there is currently no EU level capacity to guarantee the speed, accuracy, efficiency and effectiveness of response needed in a case of crisis. There is furthermore no European level system which for example covers: the early warning of threats and incidents; the ability to establish a common qualified picture in case of cross-border incidents; the capacity to handle communication with the public; and the ability to pool resources to help the victims of an attack.

Among the EU institutions, agencies and bodies, only CERT-EU has response capabilities but, as explained above, its mandate is limited to the protection of the institutions. CERT-EU also does not have 24/7 capabilities.

Problem 2.b: Insufficient coordination of the action of EU institutions, agencies and bodies.

The pervasiveness of digital technologies in all spheres of economy and society warrants the mainstreaming of cybersecurity issues into EU policies. The strategic importance of this objective, set out in the 2013 EU Cybersecurity Strategy, has been reaffirmed in the NIS Directive – that specified which organisation operating in specific ‘critical’ sectors would be subject to security and notification requirements 79 – and in the 2016 Communication on Strengthening Cyber Resilience, which highlighted the need for continuous efforts to find cross-sectoral synergies and to mainstream cyber requirements in all relevant EU policies.

A number of instruments have already been put in place to mainstream cybersecurity issues at EU level covering: horizontal legislation, sectoral policy initiatives (e.g. in the energy and transport field), international relations, research & innovation, and EU agencies and bodies. As a consequence, many organisations in the EU ecosystem are involved and some are gaining competence in cybersecurity. Within the European Commission, two main Directorate Generals 80 are tasked with addressing overall cybersecurity and cybercrime; while at least eight Directorate Generals have started initiatives at sectoral level (see Annex 9 for detailed information). The European External Action Service (EEAS), which manages the EU's diplomatic relations with other countries outside the EU and conducts EU foreign & security policy, handles cyber defence as it relates to state activities and multinational or multilateral organisations (UN, NATO, OECD, etc.).

The same picture applies to EU agencies and bodies, where it is possible to identify four main actors dealing with cybersecurity, cybercrime and cyber defence (see table 4 below) and at least a further four which are gaining competences in cybersecurity in sectors like energy, transport and finance (see Annex 9).

Table 4 Mission of relevant EU agencies and bodies in the cybersecurity field

One of the results is that information and expertise are dispersed across several entities. As shown in Annex 4, there are over ten organisations that produce, collect and disseminate information and analyses, in some cases on the same topic and addressing the same public. Furthermore, the coordination mechanisms, where they exist, are not always adequate. For example, a conclusion from the evaluation of ENISA and the stakeholder consultations is that a good level of cooperation and coordination has been achieved between ENISA and EC3: There is almost no overlap between the two organisations, which seem to cooperate well. On the other side, there is still room for improvement in the coordination between ENISA and sectoral agencies, and between ENISA and CERT-EU. In particular, the evaluation highlighted that in spite of different scope of their mandate (one EU-wide, the other targeted to EU institutions) there is a risk of overlap between ENISA and CERT-EU in the areas of direct support and assistance to Member States' CSIRTs and cross-border operational cooperation.

Without increased cooperation and a more coordinated approach between the EU institutions, agencies and bodies, there is the risk of dispersing the efforts and decreasing the effectiveness and efficiency of their contribution to the EU’s overall cyber resilience.

2.4.3.Problem 3. Insufficient awareness and information of citizens and companies.

Problem 3.a: Citizens' and companies are not sufficiently aware of cyber threats.

Those who want to learn and/or specialize in cybersecurity can nowadays enrol in almost 500 university courses and trainings across Europe 81 .

At least 18 Member States organise national awareness campaigns, mostly targeting public sector (80%) but also SMEs and citizens; adults, children, adolescents 82 . At EU level, ENISA, together with partners in Member States and the European Commission, has been running the European Cyber Security Month (ECSM) since 2013. This is an EU advocacy campaign designed to raise awareness about cybersecurity issues throughout the month of October and which promotes a sense of shared responsibility towards safe and informed behaviour on the Internet 83 among citizens.

The findings of a recent survey reveal that Member States' authorities believe that European cooperation needs to be extended towards more learning and support, and that the coordination role of ENISA and Europol should be strengthened, with more funds provided to these bodies for such activities 84 .

However, despite cybersecurity gaining increasing prominence in the political agenda, companies’ discourse and in the media, and in spite of Member States and EU actions, European citizens and companies still lack awareness and knowledge of cybersecurity issues. This knowledge gap ranges from basic steps to secure one's online presence to the financial and economic impact of cyber incidents. As an example of the first aspect, very recently a cyberattack on the UK Parliament has compromised dozens of email accounts belonging to parliamentarians who reportedly did not respect guidance issued by the Parliamentary Digital Service regarding password strength 85 .

According to the Norton Cyber Security Insights Report 86 , over six in ten (62% 87 ) end-consumers said they believe connected home devices were designed with online security in mind. However, Symantec researchers identified security vulnerabilities in 50 different connected home devices ranging from smart thermostats to smart hubs that could make the devices easy targets for attacks. 

Figure 5 Some issues on awareness and knowledge of cybersecurity issues in Europe

Sources: "Special Eurobarometer 464", 2017, Attitudes towards the impact of digitisation and automation on daily life" Eurobarometer 2017, Continental European Cyber Risk Survey 2016 Report

At macro (industry) level, there is still lack of sufficient independent, neutral, EU-wide, reliable data and analyses on cyber threats, be it cross-sector or sector specific, and lack of exchange of best practices for the security of the critical infrastructures, including Internet infrastructure. Furthermore, there is a lack of systematic and reliable information on the economic impact of cyber incidents 88 . This affects investment in cybersecurity, and makes it very difficult to determine return on investments for instance from staff trainings or from equipment.

At micro (organisational) level, low security awareness of employees is considered the first factor inhibiting organizations from adequately defending themselves against cyber threats 89 . It is widely acknowledged that successful attacks are often the result of poor basic cyber "hygiene" 90 . Regular, simple security measures could significantly reduce the risks of an attack and, in the current interconnected business models, spreading the impact of a cyber-attack to other organisations. However, current cyber hygiene programmes across Europe vary and do not have a common approach 91 .

The low level of awareness of cyber threats and their possible impact is a serious issue that translates in the proliferation of incidents due to human mistakes and it also contribute to the more general lack of adequate risk management practices within organisations.

Problem 3.b: Citizens' and companies do not have sufficient information concerning the security properties of ICT products and services they purchase (insufficient use of certification).

The security properties of an ICT product or service are difficult to assess. There is an information asymmetry between designers and vendors on one side, and customers/users of ICT solutions on the other; whereby the former has greater information than the latter regarding the security properties of an ICT product or service.

Customers lacking information cannot select their products on the basis of their real security qualities. In a targeted survey, operators of critical infrastructures 92 report that ascertaining the accuracy of the security information provided by the vendors on a specific ICT product is a major obstacle. As such, the selection of products and services tends to be based on the reputation of the vendor or on price rather than on security properties. This leads to a potential race to the bottom with regard to investments and resources allocated to security. Such a sub-optimal outcome would, in a worst case scenario, increase vulnerability. Currently, Industrial Control Systems (ICS) products - used to monitor and control electricity generation plants or transportation systems - often rely on commercial, uncertified off-the-shelf software. This results in a reduction of costs and improved ease of use, but at the same time the exposure to computer network-based attacks is increased. Such a circumstance creates a vulnerability that can be exploited to shut off power to large areas or directing cyber-attacks against power generation plants 93 .

Furthermore, the co-existence of multiple schemes and standards for security certification hinders the ability of market operators and public authorities to compare and judge which ones best satisfy their particular security requirements. In April 2017, ECSO has published a State-of-the-Art Syllabus which presents an overview of certification schemes and standards in various sectors and for various products and services. For example, the document lists six schemes and two standards for security certification in the area of cloud services. Such a plethora of certification instruments translates into a missed opportunity in the digital single market. As a targeted survey shows 94 , operators in the energy and finance sectors refrain from the use of cloud services due to insufficient clarity and guarantees that the available standards and schemes can satisfy certain security requirements (e.g. secure data storage).

Against this background, formal processes such as certification can contribute to increase transparency of information on the security properties of a product or a service. According to a recent ENISA survey, 81% (27 out of 33) of respondents from the certification community 95 say that, if properly designed, certification can be an effective tool to increase transparency of the level of assurance of ICT products and services and enhance trust across the digital single market (see Annex 2 for the details of the survey results). In the same survey, 66% (22 out of 33) of respondents say that greater efforts are needed to promote certification, while 21% of respondents believe that certification is a pure market issue. In the result of another survey aimed at SMEs (see Annex 2), 39 out of 46 respondents were in favour of a common label for certified ICT products 96 . According to Eurobarometer, the majority of respondents said that the security and privacy features of an ICT product play a role in their choice; 27% are ready to pay more for better security and privacy features, while 34% are not willing to pay more but these aspects have a role in their choice 97 .

The suboptimal use of certification impacts the intrinsic security of the products, but also the level of information on security features of the products. To give an example, if a proper certification system had been in place throughout the EU, hospitals and other critical operators affected by the latest Wannacry attack (see section 1) would have been able to compare IT systems' security levels and, most importantly, the IT vendors' commitment to providing on-going support to users, which is not the case today.

A number of factors can explain this situation. First, existing certification schemes are to a large extent inefficient due to their high costs and lengthy processes. In addition, the current complexity of the certification landscape exacerbates such inefficiency, where separate schemes co-exist or are emerging across the EU without being mutually recognised.

These are some of the main factors which explain why ICT certification is only used in a systematic way in certain very specific domains, such as public procurement, defence and critical sectors. In many other cases, certification is left to private sector initiative, often without any involvement from public authorities and therefore without a proper monitoring on their suitability and functioning. As such, commercial/mass consumption products are rarely cyber-certified. The ever-increasing connectivity of poorly secured devices (including systems that control our cars, factories, homes, farms and critical infrastructures) could further increase the level of vulnerability of ICT devices used in Europe.

Overall, the lack of adequate information on the security properties of an ICT device can adversely affect the capacity of buyers to procure more secure products and can create a low incentive to produce more secure ICT devices. This would have a detrimental result on the level of cybersecurity of our society and economy.

2.5.Who is affected by the problem and to what extent?

Section 2.2 above presented the possible scale of cybersecurity incidents and their far-reaching impact on the economy and society. Possible failures or attacks could have an impact on a vast number of stakeholders, comprising large and small businesses, public authorities, administrations and individual citizens. In other words, everyone is concerned and potentially affected by cybersecurity issues.

Businesses

The existing gaps in the cooperation and information-sharing mechanisms within the private sector and between public and private actors limit the access to key information on cyber threats and to possible solutions for businesses to handle cyber incidents.

They are also impacted by the dispersed resources and approaches across EU institutions, agencies and bodies since they lack adequate EU-level technical support, for example to identify threats, and to learn from EU-wide good practices. Also, businesses operating cross-border may face additional costs and different policies established at EU level if required to comply with different national security requirements.

In addition, the insufficient awareness of cyber-threats of employees and poor cyber hygiene practices within the organisations can lead to the proliferation of incidents due to human behaviour which can seriously harm the network and information security of small and large companies.

All these factors contribute to increased vulnerability of companies to cyber-threats, which, in case of significant incidents can lead to potentially huge direct financial losses, a loss of productivity, reputational damages and loss of competitiveness 98 . Beyond the costs that are currently best known – such as technical investigations, customer breaches notifications, replacement of hardware/software, legal expenses – there are less "visible" costs that can occur also once the incident has been solved: insurance premium increases, increased costs to raise debts, value of lost contract revenues, just to give a few examples 99 .

Manufacturers/vendors of ICT products or providers of ICT services are affected by the emergence of multiple certification schemes since they may need to certify their products or services in several Member States. Moreover, they may find it difficult to compete for public contracts, as the tender conditions refer to specific and different security and certification requirements. In general, the fragmentation of security and certification schemes and requirements leads to additional costs for businesses operating cross-border and may thus favour local firms.

Businesses who are buyers of ICT products and services, in particular operators of essential services, are affected by inadequate certification schemes as they have little information on the security properties of the ICT devices used in their infrastructures.

Conformity assessment bodies are affected by the fragmentation of security and certification schemes as they may find it difficult to penetrate other national markets where different local security requirements and/or certification schemes are present.

Public authorities 

National authorities can be impacted by the the lack of adequate European capacity to complement Member States action. This refers both to insufficient technical support, for example for the establishment of best practices or the implementation of EU policies at national level, and to the lack of hands-on support, especially for the less equipped Member States needing assistance in prevention, detection and response to cyber incidents. This situation creates inefficiencies, due to duplication of efforts (many Member States tackling issues individually) on the one side, and to limited yet dispersed resources for cybersecurity on the other.

National and European public authorities can also be victims of cyber incidents and are therefore also impacted by fragmented approaches to cybersecurity and insufficient awareness of cyber threats. This can, result in direct financial losses, loss of productivity and reputational damages including critical breaches concerning national security.

Public authorities are also affected as important category of buyers of ICT products and services by the lack of sufficient information on the level of assurance of these products. Given the public interest dimension of their activities, they may wish to receive particular assurance that the solutions they procure provide a certain cyber-security assurance. They may insert in their public procurement contracts a requirement that only certified solutions are used. In case these requirements act as a barrier to foreign bidders, public bodies cannot reap the full benefits of unfettered competition and cross-border free trade across the Union.

Citizens

Citizens are still not sufficiently aware of cyber threats and how to handle them. Very often they have only a limited knowledge of basic measures, such as the need to regularly change passwords or avoiding opening attachments in suspicious emails (see section 2.2.3). According to the UK government document “Using behavioural insights to improve the public’s use of cyber security best practices" 100 , even people aware of security risks continue to ignore best practices (e.g. leave devices always on and online).

Citizens are therefore exposed to significant risks to bear the costs of repairing or replacing damged software or hardware, to lose and expose personal data and to direct financial losses (for example as a result of identity theft). Citizens are also affected by the lack of information on the level of assurance of ICT products and services that are on the market as they are rarely certified (see problem 3.b above). Security concerns can influence citizens' choices and prevent them to fully benefit from the advantages of digital economy and society.

EU citizens are also indirectly impacted by the multiple approaches to cybersecurity across Member States and across the EU institutions, as these can contribute to an insufficient protection of critical infrastractures and hence prevent citizens from accessing essential services (e.g. healthcare, water, energy, transport) in case of significant incidents.

2.6.How will the problem evolve?

The number, complexity and scale of cybersecurity incidents and their impact on economy and society are growing over time and they are expected to further increase in parallel to technological developments, for example the proliferation of the internet of things. It is predicted that cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021 101 .

This implies that the need for increased common effort from Member States, EU institutions and private stakeholders to face cybersecurity threats can only be expected to increase in the future.

With regard to the issue of cooperation across Member States, between public and private actors and across EU institutions, agencies and bodies, some progress may happen over time but at the time of drafting there is no existing plan or benchmarks in this respect. In particular, the voluntary cooperation mechanisms foreseen by the NIS Directive do not present specific targets to be achieved for both the strategic and operational levels and the level of ambition depends on work plans adopted by Member States for both the Cooperation Group and the CSIRT Network.

In absence of intervention, maintaining the status quo would imply that ENISA would remain a small agency with a broad while temporary mandate and yet key activities in the area of resilience (for example linked to policy implementation and operational cooperation) and market (in particular certification) would not be refocused according to the new context or not included at all. The Agency would therefore not be able to provide long term sustainable support to the Member States and the EU to address new threats which are horizontal in nature impacting on multiple industrial sectors.

The information asymmetry and ineffectiveness/inefficiency of the current certification schemes is unlikely to be solved in the absence of intervention. In fact, as technology becomes increasingly complex and pervasive, it will be increasingly difficult for buyers to ascertain the security qualities of ICT products and services in absence of adequate certification. Furthermore, in the absence of action, the market fragmentation is very likely to increase in the short-medium term (next 5-10 years). As technology evolves so do the cyber-threats and vulnerabilities and with them a number of national and sectorial certification schemes and requirements keep on emerging. The lack of coordination and interoperability across such initiatives on certification is an element which decreases the potential of the digital single market.

The number and scale of cyber incidents and attacks are expcted to lead to a modest natural increase in the level of awareness, due to the rising attention paid to cybersecurity issues at the level of public authorities and enterprises.

More details on the expected evolution of the problem can be found in section 5 where baseline scenarios are presented.

3.Why should the EU act?

3.1.Legal basis

The legal basis for EU action is Article 114 TFEU, which deals with the approximation of laws of the Member States in order to achieve the objectives of Article 26 TFEU, namely, the proper functioning of the internal market.

The internal market legal basis for ENISA has been recognised by the Court of Justice (C-217/04, judgment of 2 May 2006) and was further confirmed by the 2013 Regulation setting the current mandate of the Agency. In addition, activities that would reflect the objectives to increase cooperation and coordination and EU level capabilities to complement the action of Member States, they fall within the field of "operational cooperation". This is specifically identified by the NIS Directive (for which art 114 TFEU is the legal basis) as an objective to be pursued in the context of the CSIRT Network where "ENISA shall provide the secretariat and shall actively support the cooperation" (Article 12(1)). In particular, Article 12 (f) further identifies as tasks of the CSIRT Network: identifying further forms of operational cooperation, including in relation to: (i) categories of risks and incidents; (ii) early warnings; (iii) mutual assistance; (iv) principles and modalities for coordination, when Member States respond to cross-border risks and incidents.

The current fragmentation of the certification schemes for ICT products and services is a result of the lack of a common legally binding and effective framework process applicable to the Member States. This hinders the creation of an internal market for ICT products and services and hampers the competitiveness of the European industry in this sector.

3.2.Subsidiarity

The subsidiarity principle requires the assessment of the necessity and the added value of the EU action.

Cybersecurity is an issue of common interest of the Union. The interdependencies between networks and information systems are such that individual actors (public and private, including citizens) very often cannot face the threats, manage the risks and the possible impacts of cyber incidents in isolation. On one hand, the interdependencies across Member States, including with regard to the operation of critical infrastructures (energy, transport, water, just to name a few) make public intervention at the European level not only beneficial but needed. On the other hand, the EU intervention can bring a positive "spill over" effect due to the sharing of good practices across Member States, which can result in an enhanced cybersecurity of the Union.

In summary, in the current context and looking at the future scenarios, it appears that to increase collective cyber-resilience of the Union individual actions by Member States and a fragmented approach to cybersecurity will not be sufficient.

The respect of subsidiarity in this area was also recognised when adopting the current ENISA Regulation 102 .

EU action is deemed necessary also to address the fragmentation of the current certification systems. It would allow manufacturers to fully benefit from an internal market with significant savings regarding testing and redesign costs. While the current SOG-IS Agreement has achieved important results, it has also shown important limitations to be a long term suitable and sustainable solution.

The added value of acting at EU level, in particular to enhance cooperation between Member States but also between NIS communities, has been recognised by the 2016 Council Conclusions 103 and it also clearly emerges from the evaluation of ENISA.

None of the options analysed in this Impact Assessment go beyond what is necessary to achieve the objectives set in the following section in a satisfactory manner. Furthermore, the scope of EU intervention would not impede any further national actions in the field of national security matters.

EU action is therefore justified on grounds of subsidiarity and proportionality.

4.Objectives: what should be achieved?

Based on the problems identified in section 1, the following policy objectives for the current initiative have been set:

4.1.General objectives

The main policy objectives of this initiative are to:

1.Increase the cyber resilience of the Member States, businesses and the EU as a whole.

2.Ensure the proper functioning of the EU internal market for ICT products and services.

3.Increase the global competitiveness of the EU companies operating in the ICT field.

4.2.Specific objectives

With the general objectives in mind, in the broader context of the new Cybersecurity Strategy the initiative intends to achieve the following specific objectives:

1.Increasing capabilities and preparedness of Member States and businesses

2.Improving cooperation and coordination across Member States and EU, institutions, agencies and bodies.

3.Increasing EU level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises.

4.Increasing awareness of citizens and businesses on cybersecurity issues.

5.Increasing the overall transparency of cybersecurity assurance 104 of ICT products and services to strengthen trust in the digital single market and in digital innovation.

6.Avoiding fragmentation of certification schemes in the EU and related security requirements and evaluation criteria across MS and sectors.

5.What are the available policy options?

5.1.What is the baseline from which options are assessed?

The instruments currently available to support Member States capabilities, cooperation and the EU cyber resilience, including those of the current ENISA Regulation and the NIS Directive, are insufficient for the current cybersecurity challenges. As presented earlier in the problem statetemet, although the NIS Directive entered into force only in July 2016, and consequently it is too early to give conclusive assessment of its effectivenenss, it does not cover all sectors and it does not necessarily include sufficient mechanisms to stimulate fully fledged EU-wide cooperation for the future cyber challenges. Also, the NIS Directive does not address the topic of ICT security certification and it does not include provisions for handling of large scale cross border incidents.

With the (upcoming) adoption of the 2017 Septemper Communication, new instruments would be in place, in particular in the field of cybersecurity resilience and response (see paragraph 1 of the report). For the purpose of this analysis, the baseline scenario would be affected by the adoption of the Recommendation on the EU cybersecurity blueprint and the (forthcoming) legal instruments to implement the European Cybersecurity Research and Competence Centre and possibly also on the Emergency Fund.

With regard to the blueprint, it is assumed that the EU will have in place a framework for coordinated response to possible large scale cross-border cyber incidents. However, the role of ENISA envisaged in the blueprint – from supporting situational awareness to handling communications – goes beyond the current mandate of the Agency. Therefore, the blueprint could not be implemented effectively without a revised mandate of the Agency or a replacement of the Agency with other similar body to perfom those functions. In the context of EU response to cybersecurity crisis situations, the baseline scenario would include – upon its adoption in the context of the next Multiannual Financial Frameword - the Cybersecurity Emergency Fund that would allow Member States to seek help at the EU level in case of major incident, provided that the Member State had put in place a prudent system of cybersecurity prior to the incident, including full implementation of the NIS Directive, mature risk management and respective supervisory frameworks at national level. The Fund could deploy a rapid response capability in the interests of solidarity and finance specific emergency response actions such as replacing compromised equipment or deploying mitigation or response tools to assist victims.

In the field of research and development, upon the adoption of the related legal instrument, ENISA (both in case of existing and revised mandate) would links its efforts in the area – maninly advisories on EU needs – to the work the European Cybersecurity Research and Competence Centre, which would become a major player by pooling and shaping research efforts and supporting the development of industrial capabilities.

Article 36 of the current ENISA Regulation includes a sunset clause, fixing the duration of the agency mandate for seven years until June 2020. For the purpose of this analysis, the status quo, which sees the existence of an EU decentralised agency with a fixed term mandate, is considered as baseline scenario. The sunset clause and thus termination of ENISA is also explored among the possible options.

With specific regard to certification, the baseline scenario translates into non-EU action. In this case, it is unlikely that ICT producers would establish self-regulatory measures to allow buyers to better ascertain the security qualities of ICT products and services. It is however possible that Member States take action, which could result in even more national and sectoral only certification schemes. In this case, fragmentation is expected to widen in the short-medium term (5-10 years) with a negative impact on the full potential of the digital single market.

The current SOG-IS agreement and the CCRAs are also unlikely to constitute a possible solution to the problem in the short and medium term. As explained above, the SOG-IS MRA is based on the methodology of CC, thus it shares similar criticism related to the length of process, high cost, unsuitable for products requiring low level of assurance, suitable to certify products rather than services. For these reasons, only a few protection profiles related to digital products have been developed under the current SOG-IS MRA. These are for example, digital tachographs, digital signatures and smart cards.

5.2.Policy options related to ENISA

The policy options on the possible future of ENISA, including those that were discarded as result of the impact assessment exercise, are presented below.

Option 0 – Baseline scenario

This option is about the preservation of the status quo. ENISA would continue to be an Agency with a mandate limited in time. ENISA's mandate would be extended in a manner similar to the previous renewals (Regulation (EC) No 1007/2008 and Regulation 580/2011) and the objectives and tasks of the Agency would be largely similar to the ones of today subject to adaptations based on acts that entered into force after the adoption of the current ENISA Regulation in particular the NIS Directive and the Regulation on electronic identification and trust services for electronic transactions in the internal market 105 (eIDAS Regulation). It might also include provisions from the Electronic Communications Code, which is currently in the legislative process and therefore not yet adopted. Preserving the status quo would also imply maintaining a fixed-term mandate for ENISA. Therefore, the activities described in the box below would also be subject to a time limit.

Option 1 – No policy intervention –Expiry of ENISA’s current mandate without renewal and termination of ENISA

This option would not entail a new legislative proposal to amend or repeal the current ENISA Regulation. This would lead to the termination of ENISA at the end of its mandate in June 2020 (seven years from 19 June, 2013 in accordance with article 36 of ENISA Regulation). The Commission would then need to decide on the possible redistribution of competences/activities at EU and/or national level. To be noted that according to the provisions of the Common Approach on decentralised agencies "closing down an agency could be a solution for dealing with underperforming agencies unless the agency is still the most relevant policy option, in which case the Agency should be reformed" 106 . In this case and in the absence of a new proposal, in accordance with the current Regulation (recital 54 to be in footnote) the Commission should take the relevant measures addressing in particular issues relating to staff contracts and budget arrangements.

Option 2 – 'Reformed ENISA' 

This option would reform the Agency building on the strengths emerged in the course of the current mandate and addressing shortcomings and weaknesses. The new mandate would take into account new threats, policy, actors and technology changes as well as the results of the evaluation.

In particular, this would imply a redefinition of ENISA's role, competences and functioning, scope, the duration of the mandate, as well as the synergies with other EU agencies and bodies.

Option 3 – EU cybersecurity agency with full operational capabilities.

This option implies restructuring ENISA according to the model that several Member States have adopted, by bringing together three main functions: 1. policy advisory 2. the centre of information and expertise and 3. the Computer Emergency Response Team. In this case, the Agency would cover the entire cybersecurity lifecycle and deal with prevention, detection and response to cyber incidents.

5.3.Options related to certification

The results of the consultations with national certification authorities, ICT vendors and providers, operators of critical infrastructures (see Annex 2) as well as inputs of technical support studies and reports (e.g. by JRC and ENISA) have been used to select the most appropriate policy options to address the problems identified in this Impact Assessment. These options respond to the need to promote security certification through agile and flexible mechanisms on the one hand, as well as the desire to support an EU-wide approach to security certification that builds as much as possible on existing mechanisms, on the other hand.

On this basis, the following policy options were considered to achieve the policy objectives and to address the problems identified.

Option 0: Baseline scenario - Do-nothing.

Under this option the Commission would not undertake any policy or legislative action. With regard to the three identified problems, this option would result in the following situation:

Option 1: Non-legislative ("soft law") measures. Under this option, the Commission would use soft policy instruments to reach the objectives of this initiative (e.g. improve the level of information related to the security pproperties of ICT devices and reduce fragmentation). As such, the Commission could issue interpretative guidelines, encourage co- or self-regulation initiatives, promote the development of technical standards, support reasearch or awareness rising activities. The specific contents of the individual measures cannot be delineated with precision at this stage, as they will emerge as a result of the overall process within the Commission and with the stakeholders.

Option 2: EU legislative act to create a mandatory system for all Member States based on the SOG-IS system.

Under this policy option, the Commission would propose a legislative act that would incorporate SOG-IS MRA so that it becomes binding on all Member States. Therefore, the Management Committee of the current SOG-IS MRA will be composed of representatives from all Member States. Sectoral Working Groups will provide technical support to the Management Committee. ENISA would help run the Secretariat of the Management Committee and would support the coordination of activities of the Working Groups.

The legislative act will have the following essential content:

Option 3: EU general ICT cybersecurity certification framework

Under this option, the Commission would propose a new European ICT Security Certification Framework laying down rules for the development of individuals EU-wide cybersecurity certification schemes for specific ICT products and services or cybersecurity risks, leading to the issuance of certificates valid and recognised in the whole EU.

A European Cybersecurity Certification Framework (the "Framework") for ICT products and services and specifies the essential functions and tasks of ENISA in the field of cybersecurity certification. The Framework lays down common provisions and procedures enabling the creation of EU-wide cybersecurity certification schemes for specific ICT products/services or cybersecurity risks. The creation of European cybersecurity certification schemes in accordance with the Framework will allow certificates issued under those schemes to be valid and recognised across all Member States and to address the current market fragmentation.

A European cybersecurity certification scheme shall be understood as the comprehensive set of rules, technical requirements, standards and procedures defined at Union level applying to the certification of ICT products and services falling under the scope of the scheme. As such, the type of ICT product and service covered by a European certification scheme will be defined in the approved scheme itself. Moreover, it is essential to underline that certification schemes do not, as a rule, set the technical standards, i.e. they do not lay down the technical requirements that the products need to comply with. This is the task of legislation and technical standardisation. 112 Certification schemes set out, insetad, a specific process for evaluating – at a specific level of assurance - the security properties of ICT products and services falling within the scope of the scheme 113 Evaluation of security functionalities of these products or services would be carried out against the requirements to which a particular scheme will refer. Existing standard can be used when considered appropriate to express these technical requirements ..

The main elements of this option are specified in more detail below:

Option 4: ICT security internal market legislation

Under this option the Commission would propose an EU ICT security legislation based on the 2008 internal market New Legislation Framework. As a result of this option, selected ICT products and services could only be put on the market if they comply with identified essential requirements on the basis of a prior conformity assessment. This would entail adding a new requirement for compliance with an ICT security standards to the other requirements needed to obtain the CE mark. In line with the approach of the new legislative framework, the law would rely on standards 115 and would establish a presumption that compliance with such standards implies compliance with the EU internal market. The main elements of such legislation are discussed below:

5.4.Options discarded at an early stage

In the course of the impact assessment exercise two of the policy options identified in the previous section were discarded at an early stage and thus were not subject to deeper analysis and assessment.

·Option 1 'Expiry of ENISA mandate'. This option has been discarded for several reasons. First of all from the evaluation it emerged that the Agency showed to be relevant and to provide EU added value and that, if its weaknesses are addressed, ENISA has the strong potential to contribute even more to increase cybersecurity in the EU. The need for even further cooperation, including at operational level, is one of the key findings of the evaluation. This concluded that it would not be possible to ensure the same degree of community building and cooperation across the Member States without a more centralised EU agency for cybersecurity; the picture would be more fragmented with bilateral or regional cooperation stepping in to fill a void left by ENISA. ENISA is in fact the only EU agency that currently can ensure EU coordination and the needed cross-border approach.

Secondly, the option of terminating ENISA would be incoherent with the provisions of the NIS Directive, which require ENISA to perform tasks that have no end date. Some of the tasks conferred upon ENISA by the NIS Directive could be performed by the Commission. However, this would be incoherent with the decision of the co-legislators that specifically assigned those to an independent EU agency. The termination of ENISA - and in the that case it would not be replaced by an equivalent EU level body - would also imply less EU level support in the field of cybersecurity and, as such, be in contrast with the vision expressed in the review of the EU Cybersecurity Strategy. In particular, it would be incoherent with the EU cybersecurity blueprint for large scale cross-border incidents, which foresees a role for ENISA in supportive a cooperative Union response to such incidents.

Thirdly, with regard to the EU budget, the discontinuation of ENISA would imply the disinvestment of the current contribution to ENISA budget (about EUR 11 million per year). However, in case of a discontinuation of ENISA without replacement, this would require additional investments by national public authorities (multiplied per each Member State) and businesses as they would not benefit any longer from ‘free of charge’ services (for example the trainings, the publications, the good practices, the cyber exercises) that would have to be replaced either with in-house capacity or with external contracts. A recent study shows that it is considerably less costly to carry out the tasks assigned to the agencies at the EU level than it would be if these tasks were undertaken by the EU28 Member States 116 . In the case of the replacement of ENISA with a new EU level body, the EU would incur additional set-up and operating costs, which would be as a minimum equal to the existing ones. The establishment of a new body would require additional time: a minimum estimate would be of additional three years (including one year to develop a proposal and one to two years for a new seat agreement and logistic set-up). A significant negative impact on the efficiency would derive from the loss of the current expertise of ENISA staff and economies of experience of the organisation as a whole.

Lastly, this option has not received support by any category of stakeholders. The need for an EU-level body, in particular ENISA, to improve cybersecurity across the EU has been expressed by 98% of the respondents to the public consultation on ENISA review. The opinions expressed by stakeholders across the board (Member States authorities, CSIRTs, industry, academia, EU institutions) went in the same direction during the course of the evaluation of ENISA and the other targeted consultations (CSIRTs Network survey, stakeholder workshops, Member States roundtable – see Annex 2 for more details).

·Option 4 'ICT security internal market legislation'. This option could significantly solve the problems identified. However, it would entail the identification or development of a cybersecurity standard that is product-specific. Extensive analysis would be needed to identify such a product. It would be also challenging to justify the selection of a specific product or sectors over others equally in need of cybersecurity assurance. Such a 'vertical' approach may be limited in light of the high variety of ICT products and services, their specific security needs and types of employment. Rather, stakeholders’ consultations and technical studies suggest focusing on identifying priorities for ICT certification across sectors. Moreover, this option was discarded because it would imply a disproportionate burden and cost, especially for industry and Member States. 72% of respondents (e.g. 24) of the ENISA survey on ICT security certification (see Annex 2) indicate 'cost' as the main issue they face when dealing with security certification. SMEs in particular will bear an unduly high costs and administrative burden. Another factor that explains this choice is related to the lack of evidence as on the impact as well as on what should be the scope of such a measure (products, services, sectors, component, and systems) and capabilities across the EU. This option will require a significant mobilization of resources to monitor and ensure compliance. In addition, this approach is not flexible enough to cope with technological changes and developments taking place in a dynamic environment.

For these very reasons, this option has very little support from stakeholders. Overall, at least at this stage, this is a very ambitious and impractical option, that could however be considered in the future, as further evidence on its impact and scope becomes available.

6.What are the impacts of the policy options?

This section analyses the economic, environmental and social impact of the options in line with the Better Regulation Guidelines together with the coherence with other policy and the views of stakeholders. The description of the impact of the options included in this section is complemented by the economic analyses conducted by external contractors in the context of two studies supporting the present impact assessment (see Annexes 5, 6 and 7). As the external studies make clear, the economic assessment faced some limitations in the collection of data, whose impact was mitigated to a maximum possible extent.

6.1.ENISA 

Option 2 Reformed ENISA

Option 3 EU cybersecurity agency with full operational capabilities

6.2.Certification 

Option 1: Non-legislative ("soft law") measures

Option 2: EU legislative act to create a mandatory system for all Member States based on SOG-IS.

Option 3: EU general ICT security certification framework

7.How do the options compare?

This section presents a comparison of the options in the light of the impacts identified. The options are assessed against the three core criteria of effectiveness, efficiency and coherence, as well as taking into account the support expressed by the different stakeholders.

ENISA

Table 5 below presents a comparison of the options based on the analysis of the options 0 and 1 and the detailed assessment of the options 2 and 3. The comparison is mostly based on a qualitative analysis, while quantitative data support the assessment of the economic impact and efficiency. With regard to this criterion, it is assessed the expected impact on the EU economy as well as the financial implications for the EU budget. As stressed since the beginning of this report, the impacts of the options for the future of ENISA cannot be considered as generated exclusively by the Agency, as no entity can have a standalone impact in cybersecurity. Therefore, the effort here made is to focus as much as possible on the impact that can be attributed to the Agency, while taking into account the contextual elements and the other known instruments.

Having regard to the effectiveness, it appears that both option 0 (baseline) and option 1 (expiry of ENISA mandate) would not be able to achieve the objectives of the initiative which call for increased capabilities, cooperation, transparency and reduced fragmentation. With respect to the baseline, both option 2 and 3 are clearly more effective. A 'Reformed ENISA', which builds on the NIS Directive, including in terms of operational cooperation, and the key strengths highlighted in the evaluation (such as the cyber exercises and the community building) and provides support in such a key area for the market as security certification for ICT products, is expected to effectively contribute to most objectives. Option 3 is deemed more effective than both baseline and option 2 in relation to meeting the objective of increasing EU level capabilities to support Member States and the overall preparedness of the EU, especially in times of crisis.

The economic impact of option 0 and option 1 is deemed to be negative. Under the baseline scenario, ENISA would continue for a fixed number of years to receive funding from the EU budget – which being rather small in comparison to the investment in other agencies can be judged as 'efficient' – but with its current mandate and resources would not be able to properly support Member States, EU institutions and businesses, with indirect negative consequences on the economy. In comparison to the baseline, both option 2 and 3 bear advantages. A 'Reformed ENISA' is expected to bring positive effects for the cyber resilience and the internal market while still staying an agile organisation which would require a financial contribution from the EU higher than it is currently the case but still fairly below other agencies that also operate in critical areas (in the range of about EUR 23 million per year). The option 3 is expected to have further reaching economic benefits than option 2 (and the baseline) because the Agency would be able to provide an extra operational help to both Member States and operators of critical infrastructures. At the other end, the option of a cybersecurity agency with full operational capabilities would put higher pressure on the EU budget (associated costs estimated at about EUR 28 million per year, including the costs needed for the initial set-up). Both option 2 and option 3 are still considered efficient as potentially conducive of 'high value for money'.

In terms of social impact, option 1 is expected to have negative consequences in comparison to the baseline, while option 2 and 3, as presented earlier can provide increasing level of cyber resilience and thus positively impact the social sphere.

According to the criterion of coherence, option 1 would have a negative impact because it would imply reducing the EU effort in cybersecurity, while option 0 is considered moderately incoherent with NIS policy, because a fixed term mandate (in contrast to the tasks conferred to ENISA by the NIS Directive) and no update to the tasks/resources to match the new needs would not be consistent with the EU priorities set in the Cybersecurity Strategy and the Digital Single Market. Option 2 and 3 are both positively assessed against this criterion, as completely aligned to the objectives of EU policy.

The impact assessment exercise has shown that among all options the stakeholders favour option 2 the most. There is in fact widespread consensus that an EU cybersecurity agency is needed and that the current ENISA (baseline) does not fulfil the conditions to exercise the roles that are needed and to face the present and future cybersecurity challenges, but that it has a large potential to do so if appropriately mandated and resourced. As presented above in section 6.1, there is consensus across all categories of stakeholders for a reformed Agency, for which the main pillars can be found in existing NIS policy/law and the key strengths emerged from the evaluation. Adding full operational capabilities to ENISA would be a welcome development for some stakeholders, while it would be seen as 'unnecessary revolution' by others, in particular the most equipped Member States.

Certification

As the table 6 shows, baseline and option 1 would not produce effective results to achieve the objectives. National and private schemes would continue to proliferate and create fragmentation. Such a trend is expected to continue, unless Member States agree on mutual recognition of their schemes or - together with the Commission - work on the development of a voluntary European scheme. However, this will occur on an ad hoc basis. In addition, as Member States would continue to use and improve their national schemes; they would also create a strong legacy, therefore making harmonisation more difficult.

End-users making cross-border purchases will not necessary understand or have access to the information regarding the security properties of the devices they have purchased. Business segments already subject to certification requirements will continue to bear costs related to multiple processes. Conversely, businesses that are currently not subject to certification requirements will not bear any upfront costs and remain free to choose whether or not to be involved in any certification process. Costs for them may arise in the future as requirements for ICT certification would be progressively put in place. No substantial upfront costs are envisaged for Member States.

These options would also yield unsatisfactory results in terms of increasing the level of assurance of critical infrastructures. The coherence with policies related to the Digital Single Market, the internal market and the NIS Directive are not fully supported, while international trade is promoted to the extent that actors concerned commit to use international standards. However, these options are expected to have positive impact on innovation and competitiveness at least in the short term. Finally, these options enjoy some support from industry, especially large, international corporations while Member States see the risk that providers of essential services operating cross-border could be subject to different security requirements in relation to ICT certification.

Option 2 would produce some effective results to achieve the objectives. The extension of the membership of the current SOG-IS MRA to all Member States provides an institutional framework that ensures mutual recognition. However, such a positive effect is expected to be limited to certification at high level of assurance. National and private schemes would continue to proliferate for a wide range of commercial products and services, thus increasing fragmentation. In addition, end-users of these products may not have the necessary information on the cybersecurity properties of these products and services. This option would produce efficient results for industry already applying for SOG-IS certificates; businesses that are currently not subject to certification requirements for their commercial products and services will not bear any upfront costs and remain free to choose whether or not to be involved in any certification process. As for efficiency, costs for Member States would vary depending on the status that thet would achieve in the SOG-IS MRA (certificate consumer or producer). Existing members of SOG-IS MRA may face an increase in demand for certification, which may translate in higher costs to accommodate such a demand but also higher revenues.  This option would also produce satisfactory effects regarding the increase of the level of assurance of critical infrastructures as well as the coherence with other policies such as NIS Directive.  To the extent that it ensures mutual recognition for certification of high level of assurance and it continues to utilise international standards such as CC, this option provides some support to the internal market and international trade. Finally, industry representatives as well as existing members of SOG-IS MRA agree on the need to shape future certification initiatives in Europe building on the experience of the SOG-IS MRA, but they also stress the need to significantly reform such a EU-wide mechanism. 

Option 3 achieves the objectives effectively. This option builds on the Option 2 (e.g. extension of the existing SOG-IS MRA) but it goes much further as it envisages the creation of an institutional, voluntary framework that would allow the Commission to adopt schemes for ICT security certification, prepared by ENISA in cooperation with national authorities - represented in a dedicate Group - at various levels of assurance, thus potentially covering a wide range of products and service as the need arise. In other words, the proposed framework differs from SOG-IS MRA as the latter is one scheme while the framework is a "system" of many schemes for different product categories, different assurance levels 131 using different evaluation methods. Moreover, as it emerged from consultations and technical studies underpinning this Impact Assessment, SOG-IS MRA (a scheme built on specific CC standards) does not cover or does not respond well to market needs for a faster and cheaper certification at lower assurance levels.

In addition, Option 3 would help promote information on the cybersecurity of ICT products and services. This would be in line with the results of a Eurobarometer survey in which the majority of respondents consider that security and privacy features of an ICT product play a role in their choice. As for its efficiency, this Option would not imply additional, upfront costs for the industry (incl. SMEs). Rather, it would generate significant savings for those firms that already certify their products (or that are willing to carry out security certification), with beneficial effects on their competitiveness worldwide.

On the other side, it would involve some budgetary commitment to ensure the full operation of the framework at Commission, but mostly at ENISA level. Member States will have to bear the necessary costs to ensure the implementation and supervision of the framework at national level.

This option is expected to significantly support internal market by significantly reducing fragmentation. Positive impacts are also expected on international trade to the extent that the Framework backs international standards.

Table 5 Overall impact of the various policy options for ENISA.

The symbols "✓" and "✗" indicate respectively positive (✓) and negative (✗) impacts. For each symbol a maximum a scale 1 to 3 (maximum positive or negative assessment) is used.

Table 6 Overall impact of the various policy options for certification.

The symbols "✓" and "✗" indicate respectively positive (✓) and negative (✗) impacts, the number of the symbols is the net result of the summing-up of the respective individual ratings of the policy option as indicated in Annex 13 and indicates the magnitude of the change.

8.Preferred Option 

Based on the above comparison, it appears that a combination of Option 2 with regard to ENISA and Option 3 for certification is the best option to achieve the objectives, while taking into account the criteria of efficiency and coherence.

Under this scenario, the EU would have a reformed agency for cybersecurity, focused on providing support to Member States, EU institutions and businesses in areas where it would bring the most added value: i.e. policy development and implementation; information knowledge and awareness; research; operational cooperation and crisis; market. Moreover, ENISA would play a paramount role in the field of EU cybersecurity certification policy, as it will prepare (in cooperation with MS certification authorities) candidate European cybersecurity certification schemes. The reformed ENISA would also see addressed its current weaknesses in the new mandate.

Under Option 3 for certification, the legislative proposal would provide the EU with a much needed framework of rules for establishing European cybersecurity certificates valid and recognised in 28 Member States. The framework will put the right conditions in place for effectively addressing the problem related to the co-existence of multiple certification procedures in various Member States, reducing certification costs and thus making certification in the EU overall more attractive from a commercial and competitive perspective. Altogether, this should facilitate and improve (in the short-medium run) businesses' cyber-certification practices, thereby contributing to the spreading of better cybersecurity practices in the design of ICT products and services (security by design).

The solution to combine these options is therefore considered the most effective for the EU to reach the identified objectives of: increasing cybersecurity capabilities, preparedness, cooperation, awareness, transparency and avoiding market fragmentation.

This combination of options is also the most coherent with policy priorities, as it is entrenched in the Cybersecurity Strategy and related policies (e.g. NIS Directive), and the Digital Single Market Strategy. In addition, from the consultations carried out so far, it clearly emerges that the preferred options enjoy the favour of the majority of stakeholders.

Furthermore, the analysis conducted in this impact assessment demonstrates that the combination of these two options would reach the objectives through a reasonable employment of resources. In particular, a 'reformed ENISA' would provide Member States with a more adequate support to achieve cyber resilience, and will only have a limited impact on the EU budget. At the same time, a voluntary European certification framework will help promote the cybersecurity of digital products and services in the EU, with a limited impact on the resources of Member States and EU budget, and no upfront costs for industry.

In line with the principle of proportionality, the preferred option proposes actions that are not considered going beyond what is necessary to achieve the objectives defined in this impact assessment. In addition, the nature of the objectives is such that they cannot be achieved sufficiently by a unilateral action of Member States. For this purpose, an intervention at Union level is necessary.

Finally, linking the review of the ENISA mandate with the measures on certification is a coherent way to address the common problem mainly related to insufficient cyber awareness, and the fragmentation of policies and approaches towards cybersecurity across Member States. As explained throughout the document, security certification is an area in which such a fragmentation is increasingly emerging and greater awareness is particularly needed. This creates a negative impact on the internal market. As an internal market agency, and as further confirmed in the evaluation process and the stakeholders consultations, ENISA is best placed to support a coherent approach to security certification across the EU.

The establishment of a European legal framework would be a first step to develop a common policy in this field, build consensus on new priority areas to tackle and plan future activities, as needs arise. In a fast-moving, dynamic market, such as the one of ICT products and services, this approach would create the conditions for key decisions to be taken in the future by the competent authorities, such as the matching between the products/services and the needed level of security.

The preferred option entails EU legislative intervention as only a binding instrument can guarantee the translation into practice of the measures proposed and the achievement of the related specific objectives. The chosen legal instrument is a Regulation that will cover the new mandate for ENISA and lay down a European ICT security certification framework.

Table 7 Overview of main changes in the tasks between current ENISA and preferred option

Case studies on the preferred option:

An example of Reformed ENISA in the event of a cyber crisis

Examples of how the EU Cybersecurity Certification Framework would change the present situation.

1. Smart meters

2. Cloud Computing

9.How will actual impacts be monitored and evaluated?

This section describes the monitoring and evaluation that could be applied to assess the impact of the objectives and the preferred option.

Monitoring will start right after the adoption of the legal instrument and it will focus on its application. The Commission will organise meetings with ENISA, Member States representatives (e.g. group of experts) and the relevant stakeholders in particular to facilitate the implementation of the rules concerning certification such as the establishment of the Cybersecurity Certification Group.

In particular, monitoring activities on certification will consider the widening of the product and services scope covered by EU certification schemes. This would help better evaluate the potential uptake and interest in the setting up of EU-level certification schemes. Moreover, an eventual decrease of national initiatives or industry-driven schemes would equally provide an indication of a reduced level of fragmentation in the certification landscape in the EU. Similarly, it would signal a positive move towards a proper functioning of the EU internal market for ICT products and services. Transparency elements such as publication of cybersecurity market trends in Europe and surveying the awareness of security features of ICT products and services among end-users and businesses would provide further indications.

The first evaluation should take place five years after the entry into force of the legal instrument, provided sufficient data is available. An explicit evalaution and review clause, by which the Commission will conduct an independent evalaution, will be included in the legal instrument. The Commission will subsequently report to the European Parliament and the Council on its evaluation accompanied where appropriate by a proposal for its review, in order to measure the impact of the Regulation and its added value. Further evaluations should take place every five years. The Commission Better Regulation methodology on evaluation will be applied. These evaluations will be conducted with the help of targeted, expert discussions, studies and wide stakeholders consultations.

ENISA's Executive Director should present to the Management Board an ex-post evaluation of ENISA's activities every two years. The Agency should also prepare a follow-up action plan regarding the conclusions of retrospective evaluations and report on progress bi-annually to the Commission. The Management Board should be responsible to vigilate on the adequate follow-up of such conclusions.

Alleged instances of maladministration in the activities of the Agency may be subject to inquiries by the European Ombudsman in accordance with the provisions of Article 228 of the Treaty.

The list of monitoring indicators that could be used to monitor progress towards meeting the general and specific objectives is presented in table 8 below. The data sources for planned monitoring would mostly be ENISA, the European Cyber-Certification Group, the Cooperation Group, the CSIRT Network and the Member States' authorities. Besides the data deriving by the reports (including the annual activity reports) of ENISA, the European Cyber-Certification Group, the Cooperation Group and the CSIRTs Network, specific data gathering tools will be used when needed (for example surveys to national authorities, Eurobarometer and reports from Cybersecurity Month campaign and the pan-European exercises).

Table 8 List of indicators to monitor progress towards general objectives

10.Lead DG, Decide Planning / CWP References

This Impact Assessment Report was prepared by Directorate H "Digital Society, Trust and Cybersecurity" of the Directorate General "Communications Networks, Content and Technology" (DG CNECT).

The Decide Planning reference of the initiative "Proposal for a Regulation of the European Parliament and of the Council concerning the European Union Agency for Network and Information Security (ENISA), repealing Regulation (EU) No. 526/2013 and laying down a European security certification framework for Information and Communications Technology (ICT) Products and Services" is 2017/CNECT/005.

The initiative on the review of ENISA was included in the Commission Work Programme for 2017.

11.Organisation and Timing

Several services of the Commission with an interest in the assessment of the initiative have been associated in the development of this analysis.

An Inter-Service Steering Group (ISG), consisting of representatives from various Directorates-General of the Commission and the European External Action Service (EEAS), was set up in 2016 to steer the evaluation of ENISA during all key phases. In 2017, this group was further enlarged to discuss the review of the initiative involving the review of ENISA Regulation and the European ICT security certification framework.

In 2016, two meetings of the ISG on the review of ENISA were held. The first meeting took place on 24 June 2016. DG CNECT, DG HOME, JRC, DG JUST, the Secretariat General (SG) and EEAS participated in the meeting. The second meeting was held on 9 December, 2016. The representatives from DG CNECT, DG DIGIT, SG and EEAS were present.

The third ISG meeting was dedicated to the review of ENISA and the set-up of a European ICT security certification framework, and took place on 24 May, 2017. The meeting was chaired by SG, and DG CNECT was flanked by DG BUDG, DG COMP, DG DGIT, DG EMPL, DG ENER, DG FISMA, DG GROW, DG HOME, DG HR, DG NEAR, DG TRADE, and EEAS.

The fourth ISG meeting took place on 22 June, 2017. This was the last meeting of the ISG before the submission to the Regulatory Scrutiny Board (RSB) on 28 June, 2017.. The meeting was chaired by SG and the participants were the following: DG BUDG, DG DGIT, DG EMPL, DG ENER, DG GROW, DG HOME, DG HR, DG JUST, the Legal Service (LS), DG MOVE, DG TAXUD, and DG TRADE. DG CNECT has updated the Impact Assessment Report by taking into account the comments received at - and following - the ISG meeting, in particular the comments made by, DG GROW, DG JUST, LS, DG TRADE, and SG. Following a positive opinion issued by the RSB, a final Fast Track ISG meeting was held on 30 August

12.Exceptions to the Better Regulation Guidelines

DG CNECT has identified one exception to the Better Regulation Guidelines. Specifically, a dedicated public consultation focussing on ICT security certification in the EU has not been conducted. However, stakeholders were given the opportunity to express their views on the issue of ICT security certification in the following public consultations:

·The public consultation on the public-private partnership on cybersecurity and possible accompanying measures that took place in 2016; and

·The public consultation on the review and evaluation of ENISA, conducted in 2017.

Additionally, two surveys regarding ICT security certification have been organised in 2017 to complement the results of the past consultations:

·The survey on ICT security certification, targeting the certification community and organised by ENISA; and

·The small and medium enterprises survey on ICT certification and security framework was closed on 30 June, 2017 and final results were used in the revised report. The survey is currently also being broadened and results may be available in September.

13.Consultation of the Regulatory Scrutiny Board (RSB)

The Impact Assessment report was examined by the Regulatory Scrutiny Board on 19 July, 2017. On 25 August the Board issued a draft positive opinion with reservations. The table below summarises how the comments of the Board and of other Services have been addressed.

14.Evidence, Sources and Quality

The Commission gathered qualitative and quantitative evidence from various sources:

(1)Two public consultations (a summary of which is attached to Annex 2 to this report) regarding:

a.The evaluation and review of ENISA; and

b.The public-private partnership on cybersecurity and possible accompanying measures (included a Section on ICT security certification).

(2)Four stakeholder workshops with Member States and industry:

a.Three regarding ICT security certification; and

b.One regarding the ENISA review.

(3)Fifty expert interviews regarding the ENISA review.

(4)A survey on the ENISA review to the Computer Security Incident Response Teams Network.

(5)A survey to the ENISA Management Board, Executive Board, Permanent Stakeholder Group, and ENISA staff.

(6)Three technical studies:

a.One final draft report on the evaluation and review of ENISA prepared by an external contractor; and

b.Two studies regarding ICT security certification (one conducted by the Joint Research Centre (JRC), and another one by an external contractor).

(7)A survey on certification and labelling addressed to small and medium enterprises (SMEs).

(8)A survey for national cybersecurity authorities, industry and consumer associations on certification and labelling conducted by ENISA;

(9)Inputs regarding ICT security certification from the European Cybersecurity Organisation (ECSO);

(10)Direct dialogue with stakeholders, in particular through ad hoc meetings with representatives of interested industries, in particular regarding ICT security certification.

(11)A roundtable with European Commission Vice-President for the Digital Single Market, Andrus Ansip, on 25 April 2017.

(12)Desk research and literature review done in-house by DG CONNECT.

With regard to the quality of the evidence, the following three points must be noted:

·The survey on certification and labelling addressed to SMEs closed on 30 June 2017;

·The ENISA study is a final draft report;

·There are limitations with regard to gathering data. For instance, the public consultation on the ENISA review received 90 submissions, and CNECT has not received much input from SMEs in our input-gathering exercise. With a total of 90 responses, the results of the public consultation cannot be considered to be fully representative of all stakeholders concerned. However, the views of national authorities of 15 Member States (including the position paper provided by France) are represented. The private sector is represented by 27 respondents which include eight umbrella organisations, thus representing a significant number of European enterprises whose activities are linked with cybersecurity;

·The quality of the studies is impacted by the overall lack of evidence in the field of cybersecurity as a whole. In particular, companies are reluctant to share information regarding cybersecurity, considering that reporting on these topics could potentially harm them. In addition, there is no overall agreed taxonomy. This is one of the issues that the initiative is aiming to tackle.

·As regards to the survey on ENISA that was addressed to CERTs and CSIRTs, and the survey on the European ICT security certification framework addressed to SMEs, the answers in both surveys were anonymous. Thus, it is not possible to know whether some of the respondents might have started the survey and only partially completed this, and might then have reopened it using a different browser or device to complete the survey then. This would result in a double counting of the answers.

15.Stakeholder Consultation Strategy

In order to make sure that the Union's general public interest – as opposed to special interests of a narrow range of stakeholder groups – is well reflected in the assessment of the initiative, the Commission developed a stakeholder strategy to ensure the widest consultation possible. This strategy ensures transparency and accountability in the Commission's work.

In order to identify the most appropriate mix of consultation methods, the first step has been to identify the relevant stakeholder groups and the best way to consult them in order to gather relevant input.

The Commission pays attention to differentiate data gathering tools and adapts them to different types of contributions the stakeholders might have (See Section 2.2 below). Furthermore, in order to allow for wide participation, the consultation period spanned over a long period - from July 2016 to May 2017 approximately.

In view of the wide variety of sources and stakeholders consulted, and the relatively high degree of responses and input received from all stakeholders' group, the stakeholders views hereby discussed are considered as overall representative.

As regards the methodology and tools, the basic analysis approach has been largely adopted. Responses have been mostly grouped into broad stakeholder groups (e.g. Member State authorities, respondents from private sector, other respondents, etc.). Responses from a particular group on a particular issue helped provide an overview of the most recurrent points being made.

16.Identification of groups of stakeholders consulted, means of consultation, and consultation topics

16.1.Whom has the Commission consulted?

A non-exhaustive list of stakeholders that have been consulted (for both the review of ENISA and the EU ICT security certification framework, unless otherwise indicated below), includes the following bodies:

·The EU Member States national authorities as well as those from European Free Trade Association (EFTA) Countries;

·Standardisation bodies;

·Senior Officials Group – Information Systems Security (SOG-IS) members (mostly regarding certification);

·The members of ENISA's Management Board, Executive Board, Permanent Stakeholder Group and Network of Liaison Officers;

·Trade associations and industry representatives, including the European Cybersecurity Organisation (ECSO), Alliance for Internet of Things Innovation (AIOTI), DigitalEurope, and the Enterprise Europe Network (in particular for small and medium enterprises (SMEs);

·Consumers' representatives;

·Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs) (mostly regarding ENISA);

·European Commission's services;

·The European External Action Service, the European Parliament, the Council of the European Union, the European Economic and Social Committee, the Committee of the Regions; the European Court of Auditors;

·Other EU Agencies and bodies, such as Computer Emergency Response Team for the EU institutions (CERT-EU), Europol and its European Cybercrime Centre (EC3), European Defence Agency, Body of European Regulators for Electronic Communications (BEREC), European Agency for the Operational Management of Large-scale IT Systems in the Area of Freedom, Security and Justice (Eu-LISA) (mostly regarding ENISA);

·International Organisations; and

·Citizens.

16.2.How has the Commission consulted stakeholders?

Depending on the stakeholder group identified, different tools and methods were used in order to conduct the consultation.

·During a 4-week period, all interested stakeholders were able to provide feedback on the ENISA evaluation roadmap .

·Public Consultations:

oIn 2016, a 12-week online public consultation was carried out at the occasion of the launch of the contractual public-private partnership on cybersecurity, which included specific questions / section on the topic of certification (approx. 240 respondents).

oIn 2017, a 12-week online public consultation was carried out to seek views from the wider public (approx. 90 respondents) on ENISA evaluation and review. The consultation included also questions on the future needs and priorities in the area of cybersecurity, including the topic of certification.

·Survey targeted at ENISA staff and management, Management Board, Executive Board, Permanent Stakeholder Group, Network of Liaison Officers to cover more in-depth issues related to the efficiency and the effectiveness of the Agency and to its governance and organisation.

·Survey on ENISA targeted at the Computer Security Incident Response Teams Network (CSIRTs), for which the Agency provides the secretariat according to the NIS Directive.

·In-depth interviews, with approximatively 50 key players in the cybersecurity community on the ENISA review, including on its role in certification.

·Stakeholder workshops:

oIn 2016, 2 workshops with national authorities were held on the topic of certification;

oIn 2017, 2 workshops were carried out on the ENISA review and certification respectively.

·Survey of national certification authorities, industry, consumers associations on the topic of certification and labelling, conducted by ENISA and the Commission.

·A targeted questionnaire on the topic of ICT security certification and labelling was conducted in June 2017.

·Inputs from the European Cyber Security Organisation (ECSO) on the challenges of certification and labelling. Working Group 1 of ECSO on certification and labelling includes 236 registered experts.

·Direct dialogue with individual stakeholders reaching out to the Commission on ENISA review and certification.

17.Have the Commission Standards been met?

The Commission standards as set in the Better Regulation Guidelines have been met. However, please see the exception to the Better Regulation Guidelines identified in Annex 1, points 3 and 5.

18.Summary of Results from the Consultations regarding ENISA

18.1.Results of the public consultation on the evaluation and review of ENISA

The open public consultation on the evaluation and review of ENISA took place between 18 January and 12 April 2017. The public consultation aimed to gather the views of stakeholders and interested parties to assess ENISA's overall contribution to the cybersecurity landscape for the period 2013 to 2016. The public consultation also contributed to a reflection on potential policy options for the revision of ENISA's mandate. For this purpose, the consultation was structured around two sections:

·Backward looking – ex-post evaluation of ENISA; and

·Forward looking – focusing on evolving needs and challenges in the cybersecurity landscape and the possible role of an EU body to meet them in the future.

Respondents were allowed to answer either one or both sections. In addition, respondents had the possibility to send position papers.

With a total of 90 responses, the results of this public consultation cannot be considered to be fully representative of all stakeholders concerned. However, the views of national authorities of 15 Member States (including the position paper provided by France) are represented. The private sector is represented by 27 respondents which include eight umbrella organisations, thus representing a significant number of European enterprises whose activities are linked to cybersecurity.

Main results related to the backward looking questions:

·The overall performance of ENISA during the period 2013 to 2016 was positively assessed by a majority of respondents (74%). A majority of respondents furthermore considered ENISA to be achieving its different objectives (at least 63% for each of the objectives).

·ENISA’s services and products are regularly (monthly or more often) used by almost half of the respondents (46%) and are appreciated for the fact that they stem from an EU-level body (83%) and for their quality (62%).

·A majority of respondents considered ENISA’s size in terms of staff members to be insufficient (59%).

Main results related to the backward looking questions regarding specific topics:

1.Interaction with ENISA

oAmong the respondents, 50% interacted with ENISA’s products and services “a few times per year” or only “on to two times per year”, while 46% of respondents interacted “on a weekly basis” or “on a monthly basis”.

oWhen comparing the frequency of interaction with ENISA or the use of ENISA’s products and services within a given group, 47% of the national authority respondents interact “on a weekly basis”, while the largest proportion of private enterprise and business association respondents (50%) do so “a few times per year” and 35% of “other respondents” interact “one to two times per year”.

oNational authorities most frequently indicated “Guidelines & recommendations, including on standards” as being either “relevant” or “very relevant” to their work / activities.

oAmong private enterprises or business associations, the products or services most frequently selected as being “(very) relevant” to respondents’ work / activities were “Reports & Research Publications” as well as “Events”. “Training material or toolkit” was most often selected as being only “somewhat” or “not relevant”. The group of “other” respondents gave the same assessment for this service.

2.ENISA’s contribution to NIS in the EU

oAll respondents to the public consultation indicated that ENISA had achieved its targeted objectives to some or to a great extent.

oThe objective of “Developing and maintaining a high level of expertise in cybersecurity” was selected as being achieved to a “great extent” or to “some extent” by the highest number of respondents (86% or 56), followed by “Supporting cooperation in the cybersecurity community, e.g. through public-private cooperation, information sharing, enhancing community building, coordinating the Cyber Europe Exercise” (79% or 51).

oWhen comparing the responses of different stakeholder categories, the results showed that the three categories felt different about which objectives had been met to a “great” or to “some extent”.

§All national authorities (100% or 15) indicated that “Supporting the implementation of EU policy” had been achieved “to a great extent” or “to some extent”.

§Private enterprises or business associations (71% or 17) most frequently indicated that ENISA had achieved “Supporting cooperation in the cybersecurity community e.g. though private-public cooperation, information sharing, enhancing community building”.

§“Other” respondents (85% or 22) most frequently indicated that ENISA had achieved “Developing and maintaining a high-level of expertise in cybersecurity”.

oRespondents were asked to comment on what they perceived as ENISA’s main achievements over 2013-2016. In total 55 open responses were received of which 13 came from national authorities, 20 from private enterprises and business associations and 22 from “other” respondents. Respondents from all groups perceived the following as ENISA’s main achievements:

§The coordination of the Cyber Europe exercises.

§The provision of support to CERTs/CSIRTs through training and workshops fostering coordination and exchange.

§ENISA’s publications that were considered as useful to create and update national security frameworks, as well as for reference to policy makers and cyber practitioners.

§Assisting with the work under the NIS Directive.

§Efforts to increase awareness on cybersecurity via the European Cybersecurity Month.

3.Coherence of ENISA’s activities with those of other organisations

o83% respondents considered ENISA’s activities to be to a “large extent” or to “some extent” coherent with the policies and activities of their organisation (i.e. take into account, do not overlap, do not conflict with).

4.Location and organisational structure

oRespondents were asked whether they felt that ENISA’s split location between Heraklion and Athens affected its ability to conduct its work effectively and efficiently. There were mixed perceptions expressed in relation to this question with 28% judging that the split location affected ENISA’s ability to conduct its work effectively and efficiently to “some extent” or to “a large extent”, while 20% stated “not at all”.

Main results related to the forward looking questions:

·Respondents identified a number of gaps and challenges for the future of cybersecurity in the EU, in particular the top 5 (in a list of 16) were: cooperation across Member States in matters related to cyber security; capacity to prevent, detect and resolve large scale cyber-attacks; cooperation and information sharing between different stakeholders, including public-private cooperation; protection of critical infrastructure from cyber-attacks; skills development, education and training of professionals.

·A large majority (88%) of respondents considered the current instruments and mechanisms available at EU level to be insufficient or only partially adequate to address these. A large majority of respondents (98%) saw a need for an EU body to respond to these needs and among them ENISA was considered to be the right organisation to do so by 99%.

Main results related to the forward looking questions regarding specific topics:

1.Future needs and challenges

oRespondents were asked to select the most urgent needs or gaps in the cyber security field in the EU over the next ten years among a list of 16 needs and gaps. From the assessment made by 84 respondents, the largest number of respondents identified “Cooperation across Member States in matters related to cyber security” and the “Capacity to prevent, detect and resolve large scale cyber-attacks” as a main gap or need in the cybersecurity field in the EU over the next ten years. A majority of respondents within each respondent category (i.e. national authorities, private enterprise or business association and “other”) identified these as needs or gaps.

oThe views of the different respondent groups in relation to each of the options were relatively balanced, with the notable exception - among the most referred to gaps or needs – of “Cooperation and information sharing between different stakeholders, including public-private cooperation” where only two national authority respondents (out of a total of 14 national authority respondents) identified it as one of the most urgent needs or gaps.

o55 respondents elaborated further on their answers to the question of what the most urgent needs or gaps in cybersecurity field will be in the next ten years. Out of the respondents to this open question, six were national authorities, 21 represented private enterprises or business associations, and 29 belonged to the group of “other” respondents. The contributions below represent the responses of all respondents given that little to no divergence was found in the answers among the different respondent categories:

§Respondents commenting on the need for increased cooperation across Member States suggested that cooperation was necessary not only to bridge the security gaps that arise from a lack of cross-country cooperation, but also to build trust and confidence within the EU in matters of cybersecurity. Some respondents pointed to additional benefits of such cooperation, including increased market integration through the provision of internet services, support to the increase in cybersecurity capacity of less advanced Member States, and innovation for responses to current and future threats.

§Closely linked to the identified need for cooperation were the identified needs for harmonised standards and certification in the field of cybersecurity, where respondents stated that the establishment of a common certification framework would help bridge inconsistencies and gaps in the implementation of security controls as well as to achieve trust across Europe.

§Comments on the need to increase capacity to prevent, detect and resolve attacks pointed to the fact that the EU should step up the detection and real-time response to cyberattacks in information, communication technology (ICT), critical infrastructures, SMEs, government and public agencies.

§Another largely discussed need or gap relates to skills development and education in the field of cybersecurity. Respondents commenting on this priority saw the need to increase the skills for cybersecurity professionals, particularly to address the changing market needs where industries increasingly need a highly skilled workforce. Respondents further commented that increasing citizen awareness on the importance of cybersecurity was a gap to be necessarily filled in given that “the human element" is the weakest link in cybersecurity.

oIn this context, respondents from the groups of private enterprises and business associations and “other” respondents proposed a set of roles that ENISA could take on to address the identified needs or gaps. These included:

§Promote coordination among EU institutions, Member States and the private sector, facilitating cooperation and effective flow of threat and incident information for swift responses and adaptation of security defensive solutions.

§Support towards Member States to further cybersecurity research.

§support the harmonisation of standards and certification by promoting existing internationally agreed standards and frameworks.

§support government efforts related to the development of cybersecurity workforce through the development of guidelines-supporting cybersecurity experts across Europe.

§ensure that the NIS Directive transposition across Member States is homogeneous.

oRespondents were also asked if the current instruments and mechanisms at the European level are adequate to promote and ensure cybersecurity in relation to the needs previously identified. Only 6% of the respondents judged the current instruments and mechanisms at the European level (such as regulatory framework, cooperation mechanisms, funding programmes, EU agencies and bodies) to be “fully adequate” to promote and ensure cybersecurity. 83% of respondents regarded them as either “partially” or only “marginally adequate” and 5% found them “not at all adequate”. National authority respondents appear to be more positive about the adequacy of these instruments and mechanisms in comparison with representatives of private enterprises or business associations and “other” respondents.

oBased on the identified needs or gaps, respondents were asked what the priorities for EU action should be from now on and select up to three responses out of a list of 15. “Stronger EU cooperation mechanisms between Member States, including at operational level” was most frequently selected as a top priority, followed by “Stronger public-private cooperation in cybersecurity” and “improving research to address cybersecurity challenges”.

2.The role of an EU body in the future EU cybersecurity landscape

o98% of respondents saw a role for an EU-level-body in improving cybersecurity across the EU. Furthermore, almost all of the respondents (81 out of 82) who saw a role for an EU-level body in improving cybersecurity considered that ENISA could fulfil a role in bridging the different gaps in the future.

oRespondents have given examples of what ENISA’s future role could be in addressing identified gaps and needs. The role seen for ENISA covered the following activities: fostering cooperation between Member States at international level and between the public and private sector; having a stronger role in policy development and implementation; ensuring harmonisation of approaches and setting baselines; certification and standardisation; providing incident response information; ensuring awareness raising, training and capacity building; supporting the private sector; ensuring the transposition of the NIS Directive; and fostering research. These activities were suggested by all respondent groups. Some national authorities underlined that ENISA should not take on an operational role in providing incident response activities, considering potential overlaps with CERT-EU and the need for the Agency to focus its resources on its core activities.

18.2.Results of the survey to CERT / CSIRT

The survey was conducted in January 2017 and targeted CERT / CSIRT representatives from all 28 Member States.

28 respondents completed the survey and 7 partially completed it. 1 partially completed response was deleted as it only answered the first question of the survey. The other partially completed answers were kept as they answered all of the mandatory questions except the ones in the section on “degree of coherence and complementarity”.

Main results:

o88% of respondents assessed that ENISA proactively supported cooperation among CERTs/CSIRTs to some or high extent during the 2013-2016 period. 82% of respondents assessed that ENISA covered the needs of the CERTs/CSIRTs to some or high extent.

oA very large majority (97%) expressed the view that ENISA’s capacity building activities (e.g. training, National Cybersecurity Strategy support, identification of good practices) for CERTs/CSIRTs’ development were either important or very important.

oLooking at the future, 85% of respondents assessed that the new roles foreseen for ENISA by the NIS Directive would enable ENISA to better cover CERTs/CSIRTs’ needs to either some or high extent.

oRespondents were asked to provide more details, in concrete terms, of what they would foresee ENISA doing as part of its new role as secretariat for the CSIRTs Network (as foreseen in the NIS Directive); 16 respondents provided answers in the following categories:

§Facilitating cooperation (standardization in data sharing at EU level; providing the link between the Cooperation and CSIRT Network Groups ; coordination of the CSIRTs' network activities)

§Direct Support (e.g. contributing to the work program development)

§Helping CERTs implement the NIS Directive (e.g. providing best practice recommendations on technical, organisational and legal issues concerning CSIRTs)

§Capacity Building

§Understanding Needs

18.3.Results of the survey to ENISA's staff and direct stakeholders

The survey addressed to ENISA's staff and direct stakeholders took place in January 2017.

The link to the survey was sent to a total of 173 stakeholders. We obtained 106 responses made up of 83 complete answers and 23 partially complete answers. Only the partially completed answers which responded to 50% or more of the mandatory questions were taken into account for the analysis. This led to a total of 88 answers, of which 83 were complete answers and 5 were partially completed answers. The responses provided a good representation of ENISA staff, Management and Executive Board members (71%) as well as Permanent Stakeholder Group (PSG) and Network of Liaison Officers (NLOs) representatives (29%).

Main results:

1.ENISA's organisational set-up

oWhen asked whether the size of the Agency is appropriate for the work entrusted to ENISA and adequate for the actual workload, the majority of respondents gave a negative opinion: 14.8 % not at all; 36.4% to a limited extent; 30.7% to some extent. Respondents provided similar views across all categories; however ENISA staff (including management) were slightly more negative than Management Board (MB), Executive Board (EB), PSG and NLOs.

oThe majoirty of ENISA staff found that the recruitment and training procedures are appropriate for the work entrusted to ENISA and adequate for the actual workload only to a limited extent (20.5%) or some extent (43.2%). The PSG expressed similar views, while Management Board and Executive Board were more positive, with almost 90% considering the recruitment and training procedures adequate to some or high extent.

oThe staff composition was judged adequate to some or high extent by the majority of respondents (64.8%), with similar opinions expressed across all categories of respondents.

2.ENISA's effectiveness and efficiency

oThe majority of respondents (85,2%) found that the current governance structure, with a Management Board, an Executive Board and the Permanent Stakeholder Group, is conducive to the effective and efficient functioning of the Agency to some or high extent. The respondents from the Management Board, Executive Board and PSG were slighlty more positive than the ENISA staff and the NLOs.

oThe establishment of an Executive Board was found to lead to a more efficient functioning of the Management Board. This view has been supported in particular by the representatives of the MB and EB, while about 40% of the representatives of the staff, the PSG and NLOs said they did not know.

oENISA’s management practices are considered conducive to creating an effective and efficient organisation to some or high extent respecitvely by 73% and 74% of respondents across all categories. ENISA's staff was slightly more critical than the other categories: 7% of the respondents found the management practices not at all conducive of effectiveness.

oThe questions on whether ENISA’s location enables it to effectively (i.e. in terms of meeting its objectives) and efficiently conduct its work received mixed feedback. With regard to effectiveness respondents replied: not at all (11.4%); to a limited extent (17.0%); to some extent (27.3%); to high extent (39.8%). ENISA staff was proportionally more positive than the other categories of respondents; for example, 42% of respondents from the Management Board replied "not at all" or "to a limited extent". The same trend was found in the question related to the efficiency of the location: 11,4 % replied "not at all", 23,9% "to a limited extent"; 23,9% "to some extent", 35,2% "to a high extent". Again, ENISA staff was found to reply more positively than the other categories of respondents.

3.ENISA's relationship with stakeholders:

oThe vast majority (93%) expressed the views that ENISA to some or high extent has built strong and trustful relationships with its stakeholders when executing its mandate.

o94% of respondents found that ENISA's activities are coherent with the policies and activities of its stakeholders. Respondents across all categories expressed similar views.

18.4.Results of the workshop on the future contribution of ENISA to EU cybersecurity

The workshop took place on 22 March 2017 in Brussels at the premises of DG Connect.

The workshop hosted a variety of stakeholders to enable engaging discussions. A group of 48 stakeholders included representatives of the Commission, members of ENISA’s Management and Executive Board, as well as members ENISA’s permanent stakeholder’s group (PSG), representatives from national cybersecurity authorities and CERTs, industry representatives and academia.

The workshop was an opportunity to actively engage with them to discuss, qualify and validate the preliminary findings of the draft interim report on the “Study on the Evaluation of the European Union Agency for Network and Information Security” and to discuss the policy options for the future of ENISA. By discussing key findings with stakeholders, an assessment of findings and additional insights were gained contributing to the data collection and analysis of the study. The group also discussed the perceived needs in Europe in the area of cybersecurity.

Main results:

·The workshop participants identified the following four high relevance objectives for the work of the Agency:

oDeveloping and maintaining a high level of expertise of EU actors.

oAssisting Member States and the EU institutions in developing policies necessary to meet the regulatory requirements of NIS.

oAssisting Member States and the Commission in enhancing capacity building throughout the EU.

oStimulating cooperation both between EU Member States and between related NIS communities.

·The workshop participants assessed that the ENISA mandate was highly relevant butthe actual activities did not fully meet the needs of the community. The main limitations noted were the fixed term ENISA mandate; limited ENISA's in-house expertise; limited ENISA's visibility; and limited resources.

·The workshop participants assessed that ENISA's main added value is the ability to enhance cooperation between Member States and NIS communities.

·A discussion took place on the possible options for the future of ENISA. Four options were presented (Keeping the status quo; Terminating ENISA; Strengthening ENISA with changes to its mandate; Establishing an EU cybersecurity centre). Following the discussion workshop participants indicated the option to strengthen ENISA with changes to its mandate as the favourite one. It was, however, indicated that the option of establishing an EU cybersecurity centre should have been further investigated.

19.Summary of Results from the Consultations regarding ICT Security Certification Framework

19.1.Results of the public consultation on the contractual public-private partnership on cybersecurity and accompanying measures related to ICT security certification

The public consultation on the contractual Public Private Partnership on cybersecurity took place from 18 December 2015 to 11 March 2016.

Respondents represented a wide variety of organisations, with a good balance between big business (41), SMEs (33), microbusiness (6) as well as other stakeholders e.g. research bodies (20), national public administrations (7) and regulators (1), NGOs (13).

Main results related to certification:

1.When answering the question whether national certification schemes are mutulally recognised across EU Member States 50,4% (121 out of 240) of respondents stated they "did not know", 25.8% (62 out of 240) replied 'No', while 23.8% (57 out of 240) replied 'Yes'.

2.37,9% of respondents (91 out of 240) think the existing certification schemes do not support the needs of Europe's industry. On the other hand, 17, 5% (42 out of 240) – mainly global companies operating on the European market - expressed the opposite view.

3.49.6% (119 out of 240) of respondants says that it is not easy to demonstrate equivalence between standards, certification schemes, and labels. 37.9% (91 out of 240) replied 'I do not know'.

In comments to the open question, some respondents emphasize that no reliable certification scheme exists at the moment at the European level, some others point also to the fact that existing national schemes act as barriers to market entry, complaining about the costs of complying with several certification schemes in Europe. Some of the industry associations state that further fragmenting of the market with numerous certification schemes should be avoided.

At the same time, some industry players emphasize the risk for companies of being overburdened with yet another certification scheme and therefore suggest a cautious approach to any new initiatives in this regard.

With regard to the EU cybersecurity industry, the majority of respondents view the European market as insufficiently competitive. Among the main weaknesses identified are different rules to access public procurement and fragmentation of EU market (in terms of cybersecurity requirements). In particular:

4.More than 44.3% of respondents (78 out of 176) stated that they experience barriers related to market access and export within the EU and/or beyond EU countries, particularly due to the fragmentation of the EU cybersecurity market along EU internal borders.

5.Some respondents also pointed out that the lack of a European certification scheme and the emergence of national schemes, is factor that force them to go through different costly and complex procedures.

19.2.Results of the Workshops on 'The development of a European ICT Security Certification Framework'

The series of workshops presented below served as a follow-up on the Commission's commitment to consult stakeholders in the process of developing a proposal for a European ICT security certification framework as stated in Commissions’ COM(2016) 410.

19.2.1.Workshop 1: October 2016

The Commission (DG CNECT, JRC) together with ENISA organised a workshop aiming at bringing together representatives from Member States to discuss the development of a possible ICT security certification of products and services. 15 representatives of Member States took part in the workshop. This workshop was a continuation of previous event on the topic of security certification. organised by ENISA in February and March 2016.

Main conclusions:

·A majority of national delegates welcomed the initiative of the Commission in the area of ICT security certification. In particular, they stressed the need to foster harmonization of security requirements at the European level.

·A roadmap indicating next steps for the development of European security certification framework was to be elaborated.

·A future certification framework should be based on different levels of certification including self-certification.

·It is necessary to harmonize evaluation methodologies across European labs.

·Any certification initiative should build as much as possible on the existing mechanism and international standards.

19.2.2.Workshop 2: December 2016

On 5 December 2016, the Commission and ENISA organised a follow-up workshop aiming at bringing together representatives from Member States to discuss the development of a possible ICT security certification of products and services. This workshop built on the discussion of the previous workshop (October) and saw the participation of 18 representatives from Member States.

A draft Roadmap - previously circulated by email – was further discussed during the workshop. While agreeing on the need to harmonize rules for ICT certification procedures at the European level, Member States called for greater clarity on key issues such as: Definition of scope of the overall initiative (e.g. products vs services, products category, sector)

Main conclusions:

·It was recommended that the Commission and Member States should: a) identify key sectors or product category; b) define fundamental principles for security certification in Europe; c) consider a pilot project that can help provide the skeleton of a future European certification and labelling Framework, identify initial priorities, estimates, resource allocation and timing.

·The European framework should be based, as much as possible, on existing mechanism and internationally recognised standards.

Participants were asked to outline a number of key points that will feed in the upcoming activities leading to the development of the future framework. The following work items – not formally adopted – were identified:

·Existing initiatives and practises should be identified;

·Industry’s point of view, through European Cybersecurity Organisation (ECSO), should also be taken into consideration;

·A master plan of all ongoing activities should be put together;

·Exceptions, due to high value/high risk should be clearly scoped and considered; and

·The aspect of liability should also be taken into account.

All participants were given the opportunity to provide a written contribution by the end of December 2016.

19.2.3.Workshop 3: April 2017

On 27 April 2017, the Commission and ENISA organized a workshop attended by 90 participants. This workshop was a follow-up on the Commission's previous workshops (October, December 2016) and saw the participation of representatives from industry as well as Member States.

The workshop consisted of a plenary session in which public and private sector organizations presented their views on the challenges of a European ICT security certification framework. In the afternoon session participants had the opportunity to discuss in small focus groups the four main policy options that were presented such as:

Option 0 - Do nothing: No EU policy initiative or action – baseline scenario

Option 1 - Soft law approach: The Commission to encourage and support national or industry initiatives

Option 2 - Extension of SOGIS agreement: Legislative proposal making MS participation to the SOG-IS agreement mandatory

Option 3 - European certification framework: EU-wide framework with its own scope, functioning and governance rules.

Main conclusions:

·Following the group discussion, there was an overwhelming support - from Member States (DE, FR, SE, NL, PL, UK, AT, IT)  and industry – for the policy Option that proposes the creation of a European institutional framework for ICT certification that builds on existing ICT certification mechanisms (e.g. SOG-IS Mutual Recognition Agreement);

·However, many underlined the importance to allocate adequate resources in order to ensure an appropriate maintenance of such a Framework;

·For this purpose, it was stressed that an EU body/ Agency (e.g. ENISA) should help carry out secretarial tasks;

·Other Options: it emerged that "no-action option" is not an option. While being more cost-effective, a soft law approach will not tackle the issue of fragmentation caused by emerging national ICT certification schemes popping up across Europe;

·Some Member States (e.g. SE, UK) and industry (e.g., DigitalEurope) called for a European ICT security framework to be built, as much as possible, on internationally recognized standards for cybersecurity certification; and

·As the smart meters industry is exposed to many national ICT certification requirements, the presenter from the trade association (ESMIG) offered to become pilot industry in the context of the development of an EU-wide approach to ICT security certification.

19.3.Results of the ENISA Survey on ICT security certification in the EU

This targeted survey took place from 5 until 19 May 2017. It has been broadly publicised within the confined certification community. Total number of participants: 33.

Respondents, who addressed questions related to certification, included national authorities/agencies (14); manufacturer / provider of ICT of ICT products and services (9); User / Customer / Consumer of ICT products and services (3); security certification laboratory (1); other (6).

This survey aimed to consult these stakeholders on the issue of security certification and labelling and seek structured feedback against set policy options such as:

Option 0 - Do nothing: No EU policy initiative or action – baseline scenario

Option 1 - Soft law approach: The Commission to encourage and support national or industry initiatives

Option 2 - Extension of SOGIS agreement: Legislative proposal making MS participation to the SOG-IS agreement mandatory

Option 3 - European certification framework: EU-wide framework with its own scope, functioning and governance rules.

Main results:

·57%, (19) is aware of multiple existing ICT security certification schemes across EU Member States for the same product or service

·37%, (12) indicated that they were not aware of multiple ICT security schemes across EU, but they expressed their preparedness to accept one

·the respondents indicated that the main problems they have encountered when dealing with security certification include:

o72% (24) Cost

o57% (19) Duration of process

o51% (17) Lack of mutual recognition of certificates across Member States

o45% (15) Lack of a dedicated scheme to cyber -certify a specific product/service

o39 (13) Lack of certification support for the lifecycle of the product (e.g., incremental certification for software and hardware changes/updates)

o36% (12) Lack of transparency

·90% (30) agreed that mutual recognition of ICT security certification schemes is desirable at European level.

·81% (27) agreed also that certification and labelling can be effective tools to increase transparency about the level of security assurances of ICT products/services, and enhance trust across the Digital Single Market.

oHowever, it has been noted that a ranking of assurance levels with clear information is required as oversimplifying could introduce additional risks. In addition, certification and labelling should denote only baseline security requirements and should not deferment innovation or increase complexity.

·66% (22) agreed on the need for greater efforts to promote ICT security certification

·21% (7) stated that ICT security certification is a pure market issue and there is no need for additional support.

·75% (25) identified the need for ICT security and labelling in the Internet of Things-domain, due to imminent ubiquity of IoT, issues of vulnerabilities and the required interoperability across different platforms.

·66% (22) identified the need for ICT security certification in the Industrial Control System (ICS)-domain, due to the criticality of processes they support and the level of cyber threats they are exposed to.

Policy Options

·33% (11) have seen favourably a generic European certification framework, laying down essential rules for mutual recognition of certificates issued.

·18% (6) favoured the “Soft law approach", encouraging, supporting and to the extent possible coordinating the adoption and use of certification initiatives at European level

·12% (4) were in favour of extending the SOG-IS MRA to all Member States and make it mandatory.

·12% (4) opted for regulating the security of I CT products and services and specify essential security requirements for such products to be placed on the market. T

·The remaining respondents indicated that a mixed approach, from all the aforementioned options, should be the preferred path of action instead. They argued that mutual recognition of existing certification schemes and labelling programs can promote a robust Digital Single Market and support EU digital economy while an entirely new certification framework would not be able to scale with the changing security landscape and consider the state-of-the-art

·45% (15) were in favour of exploiting the current SOG-IS MRA as the basis to build an EU-wide certification Framework, while 21% (7) stated otherwise and 34% (11) did not answer either positive or negative on the role of SOG-IS MRA.

·66% (22) agreed that self-certification schemes could be considered a viable option to boost the level of cyber-security for selected product’ domains, especially for low assurance level products and should be considered as an integral part of the future EU certification framework, drawing also experience from existing market driven initiatives. Nevertheless, 24% (8) of the respondents disagree that self-certification should be considered, as it does not provide any assurance, there is no control and it is not sufficient unless there is a third party validating conformance

·90% (30) indicated that the processes and tools used for security certification should be improved to ensure the required flexibility by allowing different level of assurance.

·66% (22) were in favour of the introduction of a common label across the EU. Such label will indicate that the products have been certified within a certification scheme in accordance with EU rules and visualize that the characteristics of the products and services comply withspecific requirements. Nevertheless, the respondents who were not in favour of a common label (8), proposed a specific sectoral labelling or consider that it could be difficult for complex systems and/or it could also result in a false sense of security

·78% (26) envisage a role for existing EU Commission's bodies and agencies (e.g. JRC, ENISA, ACER) in a possible future EU certification and labelling security framework. Among the respondents who did not see a role for existing EU Commission's bodies and agencies (4), supporting actions such as determining a minimum level of security per category of technology, issuing voluntary guidelines for both industry and consumers, were envisioned, without identifying the key EU body or agency.

19.4.Results of the SME survey on ICT security certification

The survey was carried out in June 2017 134 . As of 23 June 2017, 46 respondents have answered the survey. Below are the main preliminary results. Please note that the submission to the Regulatory Scrutiny Board took place on 28 June 2017 while the survey was still ongoing.

Main preliminary results:

·40 out of 46 respondents think that ICT security certification is a valuable tool to reduce cyber vulnerabilities of ICT products or services (4 replied "no", 2 replied "I don't know").

·35 out of 46 respondents believe that the creation of an EU-wide ICT certification framework based on mutual recognition could facilitate SMEs' access to public procurements across Member States (4 replied "no", 7 replied "I don't know").

·39 out of 46 respondents would be in favour of a common label for certified ICT products (3 replied "no", 4 replied "I don't know").

·35 out of 46 respondents consider that creating a European certification general framework laying down the essential rules for mutual recognition of certificates is an appropriate action to achieve the objective of reducing internal market fragmentation and improving trust in the security of ICT products and services in the EU (multiple answers question).

·24 out of 46 respondents consider that regulating the security of ICT products and services, specifying essential security requirements for such products to be placed on the market is an appropriate action to achieve the objective of reducing internal market fragmentation and improving trust in the security of ICT products and services in the EU (multiple answers question).

·20 out of 46 respondents see the emergence of multiple national or sectorial certification schemes as a likely scenario in the future, especially in view of the growing cybersecurity risks (8 replied "no", 12 replied "I don't know").

·Two-thirds (30 out of 46) respondents think that a mutual recognition mechanism of certificates across all Member States can be useful to simplify procedures and cut administrative burdens for them (multiple answers question).

·Two-thirds (30 out of 46 respondents) think that a mutual recognition mechanism of certificates across all Member States could be useful to reduce cost of compliance for them (multiple answers question).

·More than half (25 out of 46 respondents) believe that self-certification schemes are NOT a viable option to boost the level of cybersecurity for selected product' domains (17 replied "yes", and 4 replied "I don't know").

·37 out of 46 respondents think that the processes and tools used for ICT security certification should be sufficiently flexible and take into account different levels of assurances according to market needs (6 replied "no" and 3 replied "I don't know").

·34 out of 46 respondents are of the opinion that a labelling scheme underlying the level of security and privacy an IoT device encompasses would help them increase trust in IoT products and services (4 replied "no", 8 replied "I don't know").

·34 out of 46 respondents identified the cost of current ICT security certification procedures as a problem they encountered (multiple answers question).

·28 out of 46 respondents identified the duration of the process of current ICT security certification procedures as a problem they encountered (multiple answers question).

·18 out of 46 respondents believe that the current existence of multiple ICT certification schemes represents a barrier to market entry for them because they are too costly and therefore not affordable for SMEs (most respondents left question 6 blank, 6 replied "lack of reference levels").

·25 out of 46 respondents said that the main reason that makes them reluctant to buy emerging digital technology products and services is that they are afraid of the cybersecurity risks and consequent damages that may be brought to them (multiple answers question).

·25 out of 46 respondents feel comfortable installing any software updates needed for the proper functioning of their connected device themselves (multiple answers question).

·24 out of 46 respondents estimate the cost for certifying an ICT service or product to be between 10,000 and 100,000. 15 out of 46 estimated the cost to be between 100,000 and 1,000,000.

·18 out of 46 respondents believe ENISA should promote certification schemes and identify the common standards (most didn't reply, 2 replied "ENISA should make sure competition is respected and that the market remains open").

The table below provides information on the total EU financial contribution to 32 decentralised EU agencies, as well as their authorised establishment plans (i.e. staff) in 2017. The information derives from the "Draft General Budget of the EU for the financial year 2018 – Working Document Part III – Bodies set up by having legal personality and Public-Private Partnership" 135 , unless otherwise stated.