Council calls for transparency around ENISA cybersecurity certification schemes


Eliza Gkritsi, Euractiv, 01-10-2024 19:30

The Council of the European Union is calling for increased transparency around EU cybersecurity certification schemes developed by the EU Agency for Cybersecurity (ENISA), according to draft conclusions seen by Euractiv.

The draft, dated 26 September, urges the Commission to "find ways" to have a "more transparent" approach to the development of EU cybersecurity certification schemes, stressing the role of member states in the process, and calls on ENISA to consult relevant stakeholders in a "timely manner" through a "formal, open, transparent, and inclusive process."

A version of the conclusions of the Council's Working Party on Cyber Issues, dated 9 September, called on the Commission to speed up the process.

One such certification scheme in particular has received significant attention in the past few months, and has been subject to significant delays.

The EU-wide cloud cybersecurity certification scheme (EUCS) aims to set criteria for certifying cloud providers over their security attributes. These certifications would then help governments and companies in the bloc to determine the cybersecurity attributes of any given cloud provider when shopping for such services.

The addition of so-called sovereignty requirements, which could add company attributes like country of domicile or the nationality of its main shareholders, has been the subject of debate.

The latest draft of the scheme is unlikely to include such requirements, leaving it up to member states to add their own, leading to industry criticism about the lack of a harmonised scheme.

Discussions around the scheme, expected to be finalised by the end of the year, have faced delays. ENISA's ad-hoc group on the scheme is supposed to deliver a draft to the European Cybersecurity Certification Group (ECCG), comprised of member states' cybersecurity authorities under the wing of the Commission. Once the ECCG approves it, it has to go through the Commission's comitology process before it is finally rubber-stamped.

But the matter was scrapped from the ECCG meeting agenda on 18 June. Expectations were that it would reappear shortly thereafter, but there appears to have been no movement to date.

The Council is also "urging" the Commission and ENISA to figure out how to optimise the existing EU cybersecurity framework, inviting the Commission to use the evaluation of the Cybersecurity Act in particular to examine how to simplify the "complex cyber landscape."

Budget

At the same time, the draft conclusions added a reference to increasing the agency's financial resources, on top of previous mentions of more human and technical ones.

The agency's role has broadened with the adoption of new cybersecurity regulations in the past mandate, but its resources haven't grown correspondingly.

Earlier in September, the Commission allocated an additional €15 million to ENISA to beef up support and reporting of cybersecurity incidents.

The Council also added a call on the Commission to prioritise tasks related to supporting member states and their cooperation, and to the development and implementation of EU regulations, when drafting the next budget.

While the draft stresses the need for more resources to be distributed to ENISA, it also calls on the Commission to make sure its mandate is "focused" and "clearly defined."

[Edited by Owen Morgan]
