Highlights of the Cybersecurity Standardisation Conference

The 2021 edition of the Conference presented the developments and upcoming challenges in European standardisation under the Cybersecurity Act.

The European Standards Organisations, CEN, CENELEC and ETSI, joined forces with ENISA, the European Union Agency for Cybersecurity, to organise its annual conference virtually this year. The event, which took place from 2nd to 4th February, attracted over 2000 participants from the EU and from around the world.

The conference addressed standardisation in relation to the Radio Equipment Directive (RED) and certification under the provisions of the Cybersecurity Act (CSA).

Objectives of the conference

The purpose of the conference was twofold. The event presented the current developments in the areas. It was also intended to foster a dialogue among policymakers, industry, research, standardisation and certification organisations, including all of those involved in the development of the ICT certification framework in Europe. The ultimate objective of the exercise is to implement the Cybersecurity Act in the most effective way.

The objectives of the presentations and key topics addressed by the conference panels were the following:

Cybersecurity requirements and standardisation activities under the scope of the Radio Equipment Directive:

The presentation focussed on the cybersecurity requirements of the Directive. The European Commission is preparing delegated acts as well as a request for standardisation to CEN-CENELEC and ETSI. The panel highlighted the connection between the European regulatory requirements and explored how standardisation can align with the EU policy goals in a global context. The participants were invited to discuss the link between the requirements of the RED and those associated with the Cybersecurity Act.

Standardisation supporting the Cybersecurity Act

This part of the conference introduced the current state of play in cybersecurity standardisation. The purpose of the discussion was also to draw attention to the gaps identified that need to the bridged. Each panellist was given the floor to present updates from their organisations.

Developments on standardisation in the area of Consumer IoT:

The panel addressed the situation of standardisation in this area in relation to the general security standard active since last year.

The attention was drawn on sectorial standards and whether standards for smart homes, the automotive or house appliance for instance would be relevant ones to address. Interesting questions came up to liven the debate on the subsequent steps of certification, on how certification will impact end user behaviour or how to promote certified products.

Standardisation of 5G, next steps foreseen:

The panel engaged in a discussion on the progress made so far on the standardisation of 5G. As preparations for a cybersecurity certification scheme for 5G networks are now beginning, important aspects needed to be addressed. It was important to stress the potential of certification given the number of initiatives already launched in the area and identify prospects for the future.

Cybersecurity Certification

Securing EU’s Vision on 5G: Cybersecurity Certification

The last panel closed the conference on a discussion focussed on the future of cybersecurity certification in general. It comes as the European Commission requested ENISA to prepare a candidate cybersecurity certification scheme on 5G networks on 3rd February 2021.

How should the standardisation activities be prepared? How should these activities match with and help achieve the goals of the Union rolling work programme? Such questions remain to be answered in a comprehensive way.

As evidenced by the high number of participants such questions obviously stimulate the interest of a very large audience showing how crucial it is to open the debate as widely as possible to respond to these challenges adequately. Therefore, the audience of the conference and the public at large are most likely to expect a follow-up edition to take place in early 2022.

Background

Article 8 of the Cybersecurity Act gives mandate to the European Union Agency for Cybersecurity to monitor developments in the area of standardisation. The work of the Agency builds on the on-going standardisation work of the European Standardisation Organisations: CEN, CENELEC, ETSI, as well as the Cybersecurity Coordination Group (CSCG). ENISA engages its expertise to support these organisations, the European Commission and all other relevant stakeholders. In addition, ENISA is also cooperating with the Standard Developing Organisations (SDOs), namely ISO SC27 (Liaison), ETSI (Memorandum of Understanding) and CEN CENELEC (Collaboration agreement).

Further Information

The slides presented during the conference will be made available within the next few weeks on the website of the Cybersecurity Standardisation Conference

ENISA website – Standards Topic

European Committee for Standardization (CEN)

European Committee for Electronical Standardization (CENELEC)

ETSI

Radio Equipment Directive (RED)

Cybersecurity Act (CSA)

EU Cybersecurity Strategy for the Digital Decade

Securing EU’s Vision on 5G: Cybersecurity Certification