The plans (116-page / 871KB PDF), backed by EU lawmakers at the Council of Ministers, envisage a three-tier system of voluntary cybersecurity certification for IT products and services. Certifications would be recognised across all EU member states.
According to the proposals, new European cybersecurity certification schemes would allow IT products to be evaluated in accordance with cybersecurity standards to provide for a 'basic', 'substantial', or 'high' assurance rating.
Manufacturers of IT products and services would be able to give themselves a 'basic' rating on the basis of a self-assessment.
The Council said: "Conformity assessment and certification cannot guarantee per se that certified ICT products and services are cyber secure. It is rather a procedure and technical methodology to attest that ICT products and services have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example as specified in technical standards. The choice, by the users of certificates, of the appropriate level of certification and associated security requirements should be based on a risk analysis on the use of the ICT process, product or service. The level of assurance should be thus commensurate with the level of the risk associated with the intended use of an ICT process, product or service."
The Council's proposals represent its negotiating position ahead of future talks with the European Parliament over the final wording of the new laws. MEPs have been considering including provisions which would require device manufacturers selling in or exporting from the EU to abide by "clear and mandatory baseline IT security requirements".