Page 25 - BIPAR Annual Report 2020_EN
P. 25
Cybersecurity
Background EU Cybersecurity Act & EU Cybersecurity Agency Other Cybersecurity Initiatives to the needs and characteristics of the relevant entities.
Furthermore, the ESAs propose to establish on a voluntary
The European Commission, the European Parliament and the Council of the ENISA’s tasks will be complemented by the new European basis an EU wide coherent testing framework together
In September 2017 the Commission EU reached an agreement on the final text of this Regulation in early 2019. Cybersecurity Industrial, Technology and Research Centre with other relevant authorities, taking into account existing
adopted a cyber security package The Regulation was published in the Official Journal of the EU and has started the activities of which should not duplicate those of ENISA. initiatives, and with a focus on Threat Led Penetration
to apply. The Commission’s proposal adopted in September 2018 Testing. In the long term, the ESAs aim to ensure a sufficient
containing a series of initiatives to
provides that the aim of this Centre will be to establish a top cyber maturity level of identified cross-sector entities.
further improve EU cyber-resilience, The Regulation sets up European cybersecurity certification schemes for knowledge base for cybersecurity. Its task will be to enhance
deterrence and defence. The package specific ICT (Information and Communication Technology) processes, the coordination of research and innovation in the field of Commission consultation on digital resilience
included the creation of an EU products, and services and it upgrades the current ENISA into a permanent cybersecurity. It will also be the EU’s main instrument to for financial services and crypto-assets
EU Agency for Cybersecurity. European cybersecurity certification schemes pool investment in cybersecurity research, technology and
Cybersecurity Agency based on the
are intended to help harmonise cybersecurity practices within the Union in industrial development. The Centre will be established for On 19 December 2019, the European Commission launched
existing European Agency for Network order to increase security against cyber threats. In particular: the period of 1 January 2021 to 31 December 2029. After two public consultations:
and Information Security (ENISA) and that date, it will be wound up, unless decided otherwise.
• The EU certification schemes will be adopted by the Commission 1. on the digital operational resilience in the area of financial
the implementation of a voluntary EU-
and implemented and supervised by national cybersecurity certification As a further step of reinforcing EU cybersecurity capability, services; and
wide certification scheme to ensure that authorities. Certification will be voluntary unless otherwise specified in EU the establishment of a Network of Cybersecurity 2. on an EU framework for markets in crypto-assets.
products and services are cyber secure law or Member States’ law. Competence Centres is envisaged. This network will consist
• Certificates issued under the schemes will attest that of National Coordination Centres designated by Member Considering that the financial sector is the largest user
a given ICT product/service/process has been evaluated for States. The national Centres will either possess or have of information and communications technology (ICT) in
compliance with specific security requirements and they will access to technological expertise in cybersecurity, for the world and that this dependence will further increase
be valid in all EU countries. The actual certification schemes will example, in areas such as cryptography, intrusion detection with the growing use of emerging models, concepts or
be built on what already exists at international, European and or human aspects of security. technologies, the operational resilience -and the cyber
national level. A third structure will be also created, the Cybersecurity resilience- of the sector hinges to a large extent on ICT, as
• Each European cybersecurity certificate might refer to one Competence Community, which will bring together the it may become vulnerable to cyber-attacks. Furthermore,
of the three different assurance levels: “basic”, “substantial” and main stakeholders (including, among others, industry, crypto-assets are one of the major applications of
“high”. The assurance levels would provide the corresponding academic and non-profit research organisations and public blockchain for finance. Crypto-assets are commonly
rigour and depth of the evaluation of the ICT product/service/ entities) to enhance and spread cybersecurity expertise defined as a type of private assets that depend primarily on
process (the level of evaluation, not the security of product across the EU. cryptography and distributed ledger technology as part of
concerned) and would be characterised by reference to their inherent value.
technical specifications and standards the purpose of which is ESAs Advice on the costs and benefits of a
to mitigate or prevent cyber incidents. coherent cyber resilience testing framework The aim of the consultation on digital operational resilience,
• Manufacturers or service providers are allowed to carry to which BIPAR contributed, is to inform the Commission
out conformity assessment themselves, but the EU statement As a follow-up to the European Commission in its March on the development of a potential EU cross-sectoral digital
of conformity (instead of a certificate) can only refer to the 2018 FinTech Action Plan, the ESAs published in April 2019 operational resilience framework in the area of financial
Mariya Gabriel, Commissioner for the “basic” assurance level. a Joint Advice on the costs and benefits of a coherent services. The Commission is now working to present a
Digital Economy and Society, said: cyber resilience testing framework for significant market legislative proposal in Q3 2020, to strengthen the digital
Furthermore, ENISA will be a centre of expertise on cybersecurity and will participants and infrastructures within the EU financial operational resilience of the EU financial sector entities.
“We need to build on the trust of our
have more human and financial resources. It will support EU policy on sector. The Commission’s intentions is to streamline and upgrade
citizens and businesses in the digital cybersecurity and play a central role in the establishment and maintenance existing rules and bringing in new requirements where
world, especially at a time when large- of certification schemes with the expert assistance and close cooperation The ESAs see clear benefits of such a framework. However, there are gaps.
of national certification authorities and industry. It will set up a website the ESAs assessment demonstrated the existence of
scale cyber-attacks are becoming
providing information on certificates and will organise regular EU-level fragmentation in the scope, granularity and specificity of The consultation on crypto-assets aims to inform the
more and more common. I want high cybersecurity exercises, including a large-scale comprehensive exercise once ICT and security/cyber security provisions across the EU Commission’s ongoing work in this respect: (i) for crypto-
cyber security standards to become every two years. financial services legislation. In the short term, the ESAs assets that are covered by EU rules by virtue of qualifying
the new competitive advantage of our advised the Commission to focus on achieving a minimum as financial instruments under the MiFID II - or as electronic
level of cyber-resilience across the sectors, proportionate money/e-money under the Electronic Money Directive, the
companies.”
24 25
