New EU cybersecurity certification framework

The European Commission has recently recommended a common EU approach to the security of 5G networks.

Since its recommendation, 24 EU Member States have completed the first step and submitted the national risk assessment. The assessments will contribute to an EU-wide risk evaluation, with support of the European Commission and the European Union Agency for Cybersecurity (ENISA), which is estimated to be completed by October 1, 2019. On this basis, Member States within the NIS Cooperation Group will agree on a set of mitigating measures that can be used at a national and EU level. In other words, a certification framework. The EU cybersecurity certification framework is expected to provide EU-wide standards and assess levels of security of products or services classifying them into three categories of security assurance i.e. basic, substantial, high.

The European Commission and ENISA remain to agree on the mandate and scope of the certifications, which will be adopted by the European Commission through implementing acts. Given the relevance of trust and security for the functioning of the Digital Single Market, it will be necessary to monitor the upcoming EU-wide risk assessment as well as negotiations concerning a common EU approach to the security of 5G networks.