Cybersecurity certification framework backed by EU law makers

08 Jun 2018

Manufacturers of connected cars and medical devices will be among the businesses able to obtain an EU-wide certificate that their products conform to cybersecurity standards under new laws that have been proposed.

The plans (116-page / 871KB PDF), backed by EU law makers at the Council of Ministers, envisage a three-tier system of voluntary cybersecurity certification for IT products and services. Certifications would be recognised across all EU member states.

According to the proposals, new European cybersecurity certification schemes would allow IT products to be evaluated against cybersecurity standards and given a 'basic', 'substantial' or 'high' assurance rating.

Manufacturers of IT products and services would be able to give themselves a 'basic' rating on the basis of a self-assessment.

The Council said: "Conformity assessment and certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. The choice, by the users of certificates, of the appropriate level of certification and associated security requirements should be based on a risk analysis on the use of the ICT process, product or service. The level of assurance should be thus commensurate with the level of the risk associated with the intended use of an ICT process, product or service."

The Council's proposals represent its negotiating position ahead of future talks with the European Parliament over the final wording of the new laws. MEPs have been considering including provisions which would require device manufacturers selling in or exporting from the EU to abide by "clear and mandatory baseline IT security requirements".