Page 24 - BIPAR Annual Report 2020_EN short
P. 24

Cybersecurity














                         Background            EU Cybersecurity Act & EU Cybersecurity Agency                                      Other Cybersecurity Initiatives                     to  the  needs  and  characteristics  of  the  relevant  entities.
                                                                                                                                                                                       Furthermore, the ESAs propose to establish on a voluntary
                                               The European Commission, the European Parliament and the Council of the             ENISA’s tasks will be complemented by the new European   basis an EU wide coherent testing framework together
             In September 2017 the Commission   EU reached an agreement on the final text of this Regulation in early 2019.        Cybersecurity Industrial, Technology and Research Centre   with other relevant authorities, taking into account existing
               adopted a cyber security package   The Regulation was published in the Official Journal of the EU and has started   the activities of which should not duplicate those of ENISA.   initiatives, and with a focus on Threat Led Penetration
                                               to apply.                                                                           The Commission’s proposal adopted in September 2018   Testing. In the long term, the ESAs aim to ensure a sufficient
               containing a series of initiatives to
                                                                                                                                   provides that the aim of this Centre will be to establish a top   cyber maturity level of identified cross-sector entities.
             further improve EU cyber-resilience,   The  Regulation  sets  up  European  cybersecurity  certification  schemes  for   knowledge base for cybersecurity. Its task will be to enhance
            deterrence and defence. The package   specific  ICT  (Information  and  Communication  Technology)  processes,         the coordination of research and innovation in the field of   Commission  consultation  on  digital  resilience
                  included the creation of an EU   products, and services and it upgrades the current ENISA into a permanent       cybersecurity. It will also be the EU’s main instrument to   for financial services and crypto-assets
                                               EU Agency for Cybersecurity. European cybersecurity certification schemes           pool investment in cybersecurity research, technology and
              Cybersecurity Agency based on the
                                               are intended to help harmonise cybersecurity practices within the Union in          industrial development.  The Centre will be established for   On 19 December 2019, the European Commission launched
           existing European Agency for Network   order to increase security against cyber threats. In particular:                 the period of 1 January 2021 to 31 December 2029. After   two public consultations:
            and Information Security (ENISA) and                                                                                   that date, it will be wound up, unless decided otherwise.
                                               •      The EU certification schemes will be adopted by the Commission                                                                   1. on the digital operational resilience in the area of financial
            the implementation of a voluntary EU-
                                               and  implemented  and  supervised  by  national  cybersecurity  certification       As a further step of reinforcing EU cybersecurity capability,   services; and
          wide certification scheme to ensure that   authorities. Certification will be voluntary unless otherwise specified in EU   the establishment of a Network of Cybersecurity   2. on an EU framework for markets in crypto-assets.

           products and services are cyber secure  law or Member States’ law.                                                      Competence Centres is envisaged. This network will consist
                                                         •   Certificates  issued  under  the  schemes  will  attest  that         of National Coordination Centres designated by Member   Considering  that  the  financial  sector  is  the  largest  user
                                                         a  given  ICT  product/service/process  has  been  evaluated  for         States. The national Centres will either possess or have   of information and communications technology (ICT) in
                                                         compliance  with  specific  security  requirements  and  they  will       access  to technological  expertise  in  cybersecurity, for   the world and that this dependence will further increase
                                                         be valid in all EU countries. The actual certification schemes will       example, in areas such as cryptography, intrusion detection   with the growing use of emerging models, concepts or
                                                         be built on what already exists at international, European and            or human aspects of security.                       technologies, the operational resilience -and the cyber
                                                         national level.                                                           A  third  structure  will  be  also  created,  the  Cybersecurity   resilience- of the sector hinges to a large extent on ICT, as
                                                         •   Each European cybersecurity certificate might refer to one            Competence  Community,  which  will  bring  together  the   it may become vulnerable to cyber-attacks. Furthermore,
                                                         of the three different assurance levels: “basic”, “substantial” and       main  stakeholders  (including,  among  others,  industry,   crypto-assets  are  one  of  the  major  applications  of
                                                         “high”. The assurance levels would provide the corresponding              academic and non-profit research organisations and public   blockchain  for  finance.  Crypto-assets  are  commonly
                                                         rigour and depth of the evaluation of the ICT product/service/            entities) to enhance and spread cybersecurity expertise   defined as a type of private assets that depend primarily on
                                                         process  (the  level  of  evaluation,  not  the  security  of  product    across the EU.                                      cryptography and distributed ledger technology as part of
                                                         concerned) and would be characterised by reference to                                                                         their inherent value.
                                                         technical specifications and standards the purpose of which is            ESAs  Advice  on  the  costs  and  benefits  of  a
                                                         to mitigate or prevent cyber incidents.                                   coherent cyber resilience testing framework         The aim of the consultation on digital operational resilience,
                                                         •   Manufacturers or service providers are allowed to carry                                                                   to which BIPAR contributed, is to inform the Commission
                                                         out conformity assessment themselves, but the EU statement                As a follow-up to the European Commission in its March   on the development of a potential EU cross-sectoral digital
                                                         of  conformity  (instead  of  a  certificate)  can  only  refer  to  the   2018 FinTech Action Plan, the ESAs published in April 2019   operational  resilience  framework  in  the  area  of  financial
           Mariya Gabriel, Commissioner for the   “basic” assurance level.                                                         a  Joint  Advice  on  the  costs  and  benefits  of  a  coherent   services. The Commission is now working to present a
              Digital Economy and Society, said:                                                                                   cyber  resilience  testing  framework  for  significant  market   legislative  proposal  in  Q3  2020,  to  strengthen  the  digital
                                               Furthermore, ENISA will be a centre of expertise on cybersecurity and will          participants  and  infrastructures  within  the  EU  financial   operational  resilience  of  the  EU  financial  sector  entities.
            “We need to build on the trust of our
                                               have  more  human  and  financial  resources.  It  will  support  EU  policy  on    sector.                                             The Commission’s intentions is to streamline and upgrade
            citizens and businesses in the digital   cybersecurity and play a central role in the establishment and maintenance                                                        existing  rules  and bringing  in  new  requirements  where
          world, especially at a time when large-  of certification schemes with the expert assistance and close cooperation       The ESAs see clear benefits of such a framework. However,   there are gaps.
                                               of  national  certification  authorities  and  industry.  It  will  set  up  a  website   the  ESAs  assessment  demonstrated  the  existence  of
              scale cyber-attacks are becoming
                                               providing  information  on  certificates  and  will  organise  regular  EU-level    fragmentation in the scope, granularity and specificity of   The consultation on crypto-assets aims to inform the
            more and more common. I want high   cybersecurity exercises, including a large-scale comprehensive exercise once       ICT and security/cyber security provisions across the EU   Commission’s ongoing work in this respect: (i) for crypto-
            cyber security standards to become   every two years.                                                                  financial  services  legislation.  In  the  short  term,  the  ESAs   assets that are covered by EU rules by virtue of qualifying
           the new competitive advantage of our                                                                                    advised the Commission to focus on achieving a minimum   as financial instruments under the MiFID II - or as electronic
                                                                                                                                   level of cyber-resilience across the sectors, proportionate   money/e-money under the Electronic Money Directive, the
                                companies.”


                                                            24                                                                                                                     25
   19   20   21   22   23   24   25   26   27   28   29