EU Certification Scheme Targets 5G with eUICC Security Specifications
NEWS
On June 26, 2024, the European Union Agency for Cybersecurity (ENISA) launched a public consultation on the specifications related to the Embedded Universal Integrated Circuit Card (eUICC). Feedback is requested from a range of stakeholders, notably: eUICC manufacturers, eUICC users (Mobile Network Operators (MNOs) and European Union Digital Identity (EUDI) Wallet service providers), eUICC Conformity Assessment Bodies, National Cybersecurity Certification Authorities, and other organizations responsible for eUICC specifications (GSMA, GP and Eurosmart, ETSI, CEN-CENELEC, Java Card Platform, etc.). Stakeholders have 2 months to review the specifications and respond to the consultation questionnaire.
The specification comes under the EUCC (i.e., the EU cybersecurity certification scheme on Common Criteria), which is part of the broader European Union (EU) cybersecurity certification framework, mandated by the 2019 Cybersecurity Act (Regulation (EU) 2019/881). The EUCC was the first official scheme to be published (in January 2024) under the certification framework. Aligned with the popular SOG-IS Common Criteria evaluation framework, it is currently a voluntary scheme that is expected to gradually replace EU member states’ national certification schemes that were previously held under the SOG-IS agreement. Therefore, the voluntary nature of the scheme as it stands today is going to become a de facto requirement in due course.
The scheme covers all Information and Communications Technology (ICT) products, from components to hardware and software. Smart cards and secure Integrated Circuits (ICs) form a part of that, hence the relevance of the consultation on the eUICC specification. The specification also falls under the umbrella of the second scheme that ENISA is working on, for 5G security (EU5G). The third scheme under the framework will target cloud security (EUCS). Further schemes under discussion aim to cover Artificial Intelligence (AI) and electronic IDentification, Authentication and trust Services (eIDAS).
Just the Tip of the Cybersecurity Iceberg
IMPACT
The EU cybersecurity certification framework is just one fast-developing component of a much larger machine that has been put in place in the EU. The Network and Information Security directive (NIS2) on measures for a high common level of cybersecurity across the EU replaced its first iteration in January 2023, and will fully apply in October this year. With new industries caught by its articles, as well as new product types (digital services), NIS2 has not only wider reach, but also stricter penalties (liability of senior management and fines up to €10 million or 2% of total global turnover).
The Digital Operational Resilience Act (DORA), aimed at the financial and banking sector, has also come into force and will apply fully in January 2025. Coupled with the (soon to come into effect) Cyber Resilience Act (CRA), aimed at strengthening the security of digital products, and the General Data Protection Regulation (GDPR), this slew of legislation is set to define the EU as a leader in cybersecurity legislation. The GDPR has been applicable for only 6 years, but its effect has reached beyond EU borders: compliance with GDPR has become a globally accepted standard for most companies dealing in personal data processing.
The CRA, DORA, NIS2, and GDPR together offer a formidable regulatory tetrad in cybersecurity, which the rest of the world will find difficult to ignore. The upcoming cybersecurity certification schemes will reinforce the applicability of the regulations and directives through common security specifications and harmonize security design and development of ICT products across the EU (and likely beyond it).
Keeping the EU in Line of Sight
RECOMMENDATIONS
Participation by industry stakeholders in ENISA’s public consultations will be important if they want their voices heard. The consultation provides a platform from which both manufacturers and users can provide direct input, either with suggestions for improvement, or to voice objections. Ultimately, the final decision rests with ENISA, but the body admits readily enough that collaboration is crucial and it is keen to involve all relevant stakeholders in its processes. To its credit, industry collaboration is one of the strengths of the EU legislative machine.
What is clear is that the EU is not holding back on regulation. Other parallel, but relevant, regulatory instruments include the eIDAS regulation, the Digital Services Act and Digital Markets Act, the EU Chips Act, the Radio Equipment Directive, and the AI Act. All have an element of safety, security or trust to them. Ultimately, the goal is to create a level playing field across the EU, sectors, and technologies, and to create a trusted base for the development and lifecycle of ICTs. Certainly, there are plenty of arguments that too much regulation can also lead to too much complexity, and navigating it becomes a costly headache. Nonetheless, an absence of regulation not only increases opportunities for threat actors, but also threatens users’ fundamental rights and their security. Finding that balance is a delicate matter, but it cannot be done unilaterally. Industry participation and engagement in legislative developments are key; not just in setting the foundation for a sane ecosystem of regulation, but also in ensuring that it does not become an undue burden.