EU digital chief Andrus Ansip wants to set up a new office to certify the cybersecurity level of technology products — which would make them more competitive globally — as part of an overhaul of the bloc’s rules in September.
A network of new cybersecurity offices spread across the Union would be “even better” than only one centre, the European Commission vice-president said on Thursday (20 July).
The so-called centre of excellence would focus on certifying the strength of tech products’ cybersecurity safeguards.
“European products and cybersecurity products are not able, only some of them are able, to compete in the world market. We have to pay much more attention to this,” Ansip said.
Ansip will announce several new measures on cybersecurity certification in September, including a system to grade products based on their security features. He did not specify whether the system will be voluntary or legally binding—like the mandatory EU labelling method that grades products based on how energy efficient they are.
During a trip to Estonia earlier this month, Ansip visited NATO’s cybersecurity centre based in Tallinn. “More centres of excellence needed,” he tweeted on 13 July.
Ansip said an EU cybersecurity centre would focus on products, separating its work from the NATO office’s focus on defence and legal issues.
NATO’s centre organises cybersecurity and defence exercises to test its members’ ability to react to attacks. It also gathers research on cybersecurity that feeds into NATO’s work. Last year, the EU brokered an agreement to step up cooperation between the bloc’s institutions and the alliance, including by exchanging information on cybersecurity attacks and threats.
In addition to the certification system, Ansip’s announcements in September will include an updated EU cybersecurity strategy and a new legal basis for ENISA, the bloc’s Athens-based cybersecurity agency. ENISA’s directors have argued for a budget increase so they can hire more staff members and better coordinate how national cybersecurity authorities share information, especially if an urgent attack hits on a weekend or during the night.
A new EU centre working on cybersecurity could create competition for ENISA.
Steve Purser, ENISA’s director of operations, told EURACTIV in a recent interview there is already a lot of competition between EU offices tasked with managing cybersecurity. EASA, the EU aviation agency, recently created its own new unit to deal with cybersecurity in aerospace.
“When it comes to collaborating with each other in an effective way, it does make sense to have hundreds of people at the European level, but not hundreds of organisations,” Purser said.
Ansip said the updated EU cybersecurity strategy should bolster the bloc’s ability to respond to attacks.
When the WannaCry ransomware attack affected companies across Europe in May, “there were a lot of member states who asked for some help from the European Union,” Ansip said.
EU police agency Europol and CERT-EU, the network of national cybersecurity authorities, helped to coordinate the response to WannaCry, Ansip added.
Most EU countries don’t have the manpower or resources to stop cybersecurity breaches once they’re attacked. “Just in five EU member states we have 24/7 capabilities when we are talking about national CERTs,” Ansip said, referring to the countries’ cybersecurity agencies.