INCEPTION IMPACT ASSESSMENT

Title of the initiative: Proposal for a Regulation revising ENISA Regulation (No 526/2013) and laying down a European ICT security certification and labelling framework.
Lead DG – responsible unit – AP Number: CONNECT – Cybersecurity and Digital Privacy (H1)
Date of roadmap: 09/06/2017
Likely type of initiative: Legislative
Indicative planning: September 2017
Additional information:
|
This Inception Impact Assessment aims to inform stakeholders about the Commission's work in order to allow them to provide feedback on the intended initiative and to participate effectively in future consultation activities. Stakeholders are in particular invited to provide views on the Commission's understanding of the problem and possible solutions and to make available any relevant information that they may have, including on possible impacts of the different options. The Inception Impact Assessment is provided for information purposes only and its content may change. This Inception Impact Assessment does not prejudge the final decision of the Commission on whether this initiative will be pursued or on its final content.
|
A. Context, Problem definition and Subsidiarity Check

Context

Since 2013, when the EU Cybersecurity Strategy was adopted and Regulation (EU) No 526/2013 set out the current mandate and tasks for ENISA, the challenges related to network and information security have evolved alongside technology and market developments. In spite of positive EU achievements in the field, in particular the recent adoption of the first EU-wide cybersecurity legislation (the Directive on Security of Network and Information Systems, the 'NIS Directive'), the EU remains highly vulnerable to both small and large-scale cyber threats, which increasingly present cross-border and cross-sector dimensions. Against this background, in the 2016 cybersecurity Communication the Commission announced that it would: i) bring forward both the evaluation of ENISA (required by ENISA's Regulation by June 2018 and currently ongoing) and the review of its mandate, which will come to an end in 2020 (included in the Commission 2017 Work Programme); and ii) develop a proposal for a European ICT security certification framework to be presented in 2017.
|
Problem the initiative aims to tackle

Ever increasing digital connectivity makes cyberspace more vulnerable and exposes the economy and society to cyber threats. According to recent studies, 80% of European companies experienced at least one cybersecurity incident in 2015. Such incidents cause major economic damage to European businesses, undermine the trust of citizens and enterprises in the digital society and affect citizens' fundamental rights. The EU has taken important steps to strengthen its cyber resilience and to build trust in digital technologies, for example by supporting cooperation, reinforcing its cybersecurity industry and encouraging market-oriented measures such as certification schemes designed to enhance the level of assurance of the security of ICT products and services. In spite of these efforts, the EU still faces fragmentation of national policies and approaches and a lack of coordination in the implementation of EU policies on key cybersecurity issues in the Member States.

Two dimensions of this fragmentation are addressed here. On the institutional side, ENISA is involved in addressing existing fragmentation at national and European level and in supporting cooperation and harmonisation of approaches, but its current set-up does not allow the agency to guarantee the level of support that Member States, EU institutions and business communities need in order to respond to present and future cybersecurity challenges. On the market side, the lack of a common EU-wide approach to ICT security certification and the proliferation of national initiatives translate into significant burdens for ICT vendors, which might need to undergo several certification processes across different Member States. This creates barriers to the internal market and hampers cross-border trust. A fragmented approach to such critical issues reduces the collective cyber resilience of the Union and undermines the trust of citizens and businesses in the Digital Single Market.
|
Subsidiarity check (and legal basis)

The legal basis of the initiative will be Article 114 of the Treaty on the Functioning of the European Union (TFEU) [1]. The subsidiarity of the current ENISA Regulation was recognised by the EU legislator when adopting it. It was further confirmed by the Union co-legislators when adopting the NIS Directive, when they recognised that the objective of achieving a high common level of security of network and information systems in the Union cannot be sufficiently achieved by the Member States but can be better achieved at Union level. In fact, due to the frequency, scale and cross-border nature of cyber threats, Member States cannot successfully handle them in isolation: a coordinated approach at EU level is an essential condition for a successful cybersecurity strategy. At the same time, ICT security certification schemes that exist solely at national rather than EU-wide level represent an obstacle to the full development of the internal market and a barrier to the free movement of goods and services. An appropriate degree of coordination and cooperation at EU level is therefore essential to ensure that cyber risks can be managed effectively and to reduce or eliminate the costs that enterprises incur in applying for multiple certifications across Member States.
|
B. Objectives and Policy options

The general objective is to contribute to the definition of a more coherent EU institutional framework to strengthen the common resilience of the EU and reinforce trust in the Digital Single Market. This translates into two specific objectives:
1. Make available an instrument/EU body that would support the cybersecurity needs of Member States, EU institutions and the EU at large, with a view to achieving cybersecurity resilience;
2. Remove barriers to the DSM caused by the coexistence of different certification schemes and increase cross-border trust.

Preliminary policy options – ENISA

Option 0 – Baseline scenario (status quo): preservation of the existing objectives, mandate and tasks of ENISA, simply by extending the duration of its mandate and ensuring consistency with other legal instruments.

Option 1 – No policy intervention (termination of the agency): this would lead to the termination of ENISA at the end of its mandate (June 2020) and possibly to a redistribution of competences/activities at EU and/or national level.

Option 2 – Enhanced ENISA: redefine ENISA's role, competences and functioning, tackling issues such as the scope and duration of the mandate and the reinforcement of synergies with other EU agencies and bodies. The new mandate would be more precise and would mostly revolve around:
- a strong advisory role on EU policy implementation, including facilitating the exchange of best practices and providing high-level strategic and aggregated analysis of threats;
- a knowledge and information hub, acting as a one-stop shop for information and advice for both public and private sectors;
- the organisation and running of EU cyber exercises, possibly linking them to the international dimension;
- capabilities to support the prevention of cyber incidents;
- support to Member States' cooperation, notably in the context of the Computer Security Incident Response Teams (CSIRTs) Network, and, building on the expertise deriving from cyber exercises, facilitating cooperation in the context of possible cross-border large-scale cyber incidents.
ENISA would also have a role in the implementation of an EU framework for ICT products and services security certification (see below). The new mandate would formalise the role that the NIS Directive has granted to the Agency.

Option 3 – EU cybersecurity agency with full operational capabilities: reform ENISA, reinforcing its capabilities by bringing together three key functions adapted to the EU-level dimension: a strong policy advisory role, an information and knowledge hub, and full operational capabilities to support Member States in preventing, detecting and responding to cyber incidents. This option would include mostly the same change in scope as Option 2 above, but adding the operational capabilities linked to prevention, detection, mitigation and response to cyber incidents. This might also imply restructuring the relations with other EU bodies, for example sharing some specific functions for incident detection, mitigation and response.

Preliminary policy options – Certification

In any policy option chosen, European standards should be compatible with or based on international standards whenever possible. If a policy option establishing a certification framework is chosen, that framework should not stifle innovation and competition, and should be within reach of small and medium enterprises (SMEs). The options will also take into account, to the extent possible, the external impact.

Baseline scenario: various security certification schemes for ICT products are in place in Member States and further sectoral certification initiatives will be developed, leading to further market fragmentation.

Option 1: Encourage more Member States to join the Senior Officials Group – Information Systems Security (SOG-IS) and actively promote/support its activities; support voluntary sector-specific industry-led initiatives. A possible role for ENISA would be to contribute technical expertise to the development of technical specifications and standards relevant to ICT security certification.

Option 2: Propose a European institutional framework for ICT certification and labelling through a legislative instrument, without however introducing new ICT security requirements for specific products and services. This framework would build on existing ICT certification mechanisms, such as the Senior Officials Group – Information Systems Security Mutual Recognition Agreement (SOG-IS MRA), and would be governed by a newly established Board. ENISA would run the secretariat of the European framework. If the preliminary policy option 2 related to ENISA is chosen (i.e., ENISA ceases to exist), the secretariat would be provided by a different body, possibly the European Commission. The European framework would be composed of multiple schemes that, once approved by the Board, become 'European', with the effect that certificates issued under such a scheme are valid across the EU. In addition, each scheme should be associated with a specific level of assurance (high, medium, low).

Option 3: Propose ICT security legislation based on the 2008 New Legislative Framework [2]. This would require the adoption of a new legislative instrument setting out mandatory harmonised requirements and conformity assessment mechanisms to ensure the ICT security of specific products and services. Compliance with harmonised standards published in the Official Journal of the EU would give a presumption of conformity with the security requirements set out in the legislative instrument. ENISA would cooperate with standardisation bodies in developing these standards in line with the state of the art in the field of ICT security.
|
C. Preliminary Assessment of Expected Impacts

Likely economic impacts

A thorough assessment of the economic impact of the policy options, including the budgetary implications for the EU budget, will be addressed in detail in the impact assessment report.

ENISA: The policy option of terminating the Agency could imply the need for restructuring competences at EU and national level, which may or may not result in a new EU entity. If some activities were to be redistributed at national level, this could affect public and private finances and possibly generate duplication of effort across Member States. The modernisation of ENISA (Options 2 and 3) is expected to have a clear economic impact, depending on whether the scope of the mandate is refocused or expanded, whether the range of financing options becomes wider and whether synergies could be achieved with other EU agencies and bodies. The sign and amount of these financial implications would need to be estimated: on the one hand this could generate an increase in the EU contribution to the Agency, but on the other hand economies of scale in collecting relevant information on risks, threats and vulnerabilities, and possibly in stronger operational cooperation at EU level, could be envisaged.

Certification: Option 1 would imply some administrative costs, as the Commission and Member States will need to invest in encouraging the development and use of certification schemes at EU level. At the same time, fewer resources for ensuring enforcement are needed. Businesses will incur costs for participating in sector-specific certification schemes across Member States. Option 2 would imply the administrative costs necessary to create an EU certification framework, including the costs of setting up and financing the Certification Board and ENISA's involvement in it. However, by creating mutual recognition of certificates, this option significantly simplifies procedures for ICT certification, reduces the time and cost of deployment of ICT products and services for which certification will be required, and facilitates cross-border trade and competition. In addition to administrative costs, Option 3 implies a much stronger economic impact on market players, as ICT manufacturers and vendors would be required to ensure compliance with essential security requirements and follow conformity assessment procedures and the related market surveillance.
|
Likely social impacts

The ultimate aim of the revision of ENISA's Regulation is to positively impact the social sphere by supporting increased security and, consequently, the trust of EU citizens and businesses in the digital society. This is particularly relevant for the protection of access to essential services as well as the security of personal data. In addition, certification enhances the level of assurance of ICT products and services available on the market and helps maintain a chain of trust among the various stakeholders, from the manufacturer to the operator up to the final end-user (public authorities, citizens). This is a prerequisite for a fully-fledged Digital Single Market. The lack of transparent information regarding the level of cybersecurity of products and services is a further factor that hampers trust among stakeholders and across borders. Through a European labelling framework, users will be able to see the different levels of ICT assurance that a product or service can guarantee.
|
Likely environmental impacts

No specific or major impact on the environment is expected at this stage of the analysis.
|
Likely impacts on fundamental rights

By reducing, maintaining or strengthening ENISA's expertise and support to EU policy makers and national authorities in the fields of cybersecurity, personal data and privacy, the revision of ENISA's Regulation is likely to have an impact on the safeguarding of information-related rights enshrined in the Charter of Fundamental Rights, particularly the right to the protection of personal data and private life.
|
Likely impacts on simplification and/or administrative burden

Simplification and possible reduction of administrative burden, in particular for national authorities, will be explored in each policy option. The harmonisation of national certification schemes would simplify legislation in the EU and reduce the administrative burden connected with fragmentation. Except for Option 3 relating to certification, none of the options foresees new obligations for businesses, as recourse to certification will remain voluntary or be regulated in other sector-specific legislation.
|
D. Data Collection and Better Regulation Instruments

Impact assessment

An impact assessment is being prepared to support the preparation of this initiative and to inform the Commission's decision.
|
Data collection

The following information and data already exist:
- Existing planning and monitoring provisions for ENISA, including its annual work programmes and annual activity reports, the external evaluations carried out by a contractor on behalf of the Agency, the Commission opinions on the work programmes, and the European Parliament decisions and resolutions in the context of the budget discharge procedures.
- Commission Communication on Strengthening Europe's Cybersecurity Resilience System and Fostering Competitive and Innovative Cybersecurity Industry [3]
- Commission Staff Working Document, Contractual Public Private Partnership & Accompanying Measures [4]
- Public consultation on the Contractual Public Private Partnership. The questionnaire included specific questions on cyber-security ICT certification and labelling.
- ENISA, Challenges of Security in Emerging ICT environments, December 2016
- Findings of 2 workshops with Member States authorities and ENISA on the topic of certification

The following additional evidence supports the initiative:
- External study, covering in particular the past and current performance of ENISA, the analysis of the cybersecurity community's needs and the possible gaps with the current objectives, mandate and tasks of ENISA. This study feeds both into the ongoing evaluation, whose results will be presented in a Commission Staff Working Document accompanying the proposal, and into the review of ENISA.
- External study on the evaluation of the EU certification landscape and impact assessment
- Stakeholders' consultations (see next section)
- Joint Research Centre (JRC) study on certification and labelling in cybersecurity
- ENISA working papers on ICT testing laboratories in the EU
- ENISA survey of national authorities and private stakeholders
|
Consultation strategy

In line with the Better Regulation Guidelines, the Commission wishes to consult stakeholders as widely as possible. Therefore, the consultation strategy aims at involving a broad set of stakeholders, including national authorities, industry, EU institutions and bodies, consumer associations and others. Depending on the stakeholder group identified, different tools and methods will be used to conduct the consultation:
- During a 4-week period, all interested stakeholders have been able to provide feedback on the ENISA evaluation roadmap.
- Public consultation: a 12-week online public consultation was carried out (from 18 January 2017 to 12 April 2017) to seek the views of the wider public on the ENISA evaluation and review. This also included questions on future needs and priorities in the area of cybersecurity, including the topic of certification.
- Survey of ENISA staff and management, the Management Board, the Executive Board, the Permanent Stakeholder Group and the Network of Liaison Officers, to cover more in-depth issues related to the efficiency and effectiveness of the Agency and to its governance and organisation.
- Survey on ENISA addressed to the Computer Security Incident Response Teams (CSIRTs) Network, for which the agency provides the secretariat according to the NIS Directive.
- In-depth interviews with approximately 50 key players in the cybersecurity community on the ENISA review, including on its role in certification.
- Stakeholder workshops: 3 workshops on the topic of certification with national authorities and industry have already taken place (2 in 2016 and 1 in 2017). A workshop on the ENISA review took place in 2017.
- ENISA will carry out, on behalf of the Commission, wide surveys of national authorities and other stakeholders.
- Targeted consultations of the main EU bodies concerned by the initiative: ENISA, SOG-IS and ECSO (European Cybersecurity Organisation).
- Direct dialogue with individual stakeholders reaching out to the Commission on the ENISA review and certification.
|
Will an Implementation plan be established?

Yes. The plan will list the various actions which are needed to implement the legislative act and identify the main implementation challenges in terms of compliance, technical challenges and timing. Specific mechanisms for Commission and Member State support action will be devised.