Mon - Fri: 9:00 - 17:00

Sat - Sun: Closed

+32 2 230 6733

slavonija@slavonija.be

Rue Montoyer 18/b 1040 Bruxelles Belgium

Is certification the answer to cyber risk mitigation in Europe?

Over the last three years, EU institutions have incrementally increased their focus on cybersecurity and cybersecurity requirements. This process culminated this year with the adoption of the Cybersecurity Act. This piece of legislation aimed to further empower ENISA as the EU Cybersecurity Agency and to start the process of establishing a risk-based cybersecurity framework that would enable the creation of EU certification schemes.

The Commission consequently adopted a Recommendation that identified a number of actions to ensure an EU-wide approach to 5G networks. It resulted in a report released by the NIS Cooperation Group, composed of EU member states' cybersecurity experts, in cooperation with the European Commission and ENISA. This report identifies the main cyber threats and actors, the most sensitive assets, and the key vulnerabilities and strategic risks, and it will be used as a basis to create an EU toolbox of possible measures for risk mitigation.

The reasons behind this regulatory and policy dash are multiple and encompass several overarching features of cybersecurity. First of all, the speed of innovation, as well as its scope and expected impacts at the European and international level, have increased considerably, particularly given the prospect of mass use of 5G technologies. In addition, the very nature of information and communication technology is evolving swiftly: 5G will not only increase the speed and responsiveness of wireless networks, but will also mark a further shift from a hardware-centred to a software-centred technology with multiple layers of possible patching and interaction. Moreover, European institutions have been concerned both with recent developments in the international arena and with the European industry's struggle to keep pace with the innovation of mobile network operators and their suppliers worldwide, as well as with manufacturers of connected devices and related service providers.
 
Against this background, the debate at the European level is increasingly focused on cybersecurity certification as a primary tool of cyber-risk mitigation. Indeed, in accordance with the Cybersecurity Act, the related Commission recommendation indicates “third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure” as primary measures to secure the EU cyberspace. Experts and commentators are divided on the issue: while some have pointed to certification as an effective measure to bring about high-level common standards both across the EU and internationally, others have highlighted the risks of adopting a policy approach that would not keep pace with innovation. Other concerns were raised about continued fragmentation, as member states are, under the current legal setting, ultimately responsible for national security and cybersecurity information exchange, and about the lack of diplomatic willingness to reach a global consensus on cybersecurity requirements.

An evening of discussion was held on 19 November in Brussels on the question of EU cybersecurity certification as a primary tool to mitigate cyber risks in Europe. The speakers were Mr Jean-François Junger, Deputy Head of Unit, Cybersecurity Technology and Capacity Building, European Commission; Ms Tamara Tafra, Counsellor, Cyber Issues, Permanent Representation of Croatia; Mr Jon France, Head of Industry Security, Technology, GSMA; and Professor Chris Mitchell, Department of Information Security, Royal Holloway, University of London.

Dr Boutheina Chetali, Security and Certification Senior Expert, Huawei, gave an introductory speech.

The debate was moderated by Mr Paolo Grassia, Director of Public Policy, ETNO.
