July 12, 2018 (updated 08 Jul 2022 11:28am)

EU Committee Votes for Cybersecurity Labelling Scheme

It will be voluntary though, outside critical infrastructure...

By CBR Staff Writer

A European parliamentary committee has voted overwhelmingly in favour of giving more power and a greater budget to EU cybersecurity agency ENISA.

The 84-strong agency is based in Athens and Crete and is one of the EU’s smallest, with an annual budget of approximately £9.7 million.

It provides expertise rather than direct operational support. Amendments to initial European Commission proposals would see it add “regular independent IT security audits of critical cross-border infrastructures” to its remit.

The European Parliament’s Industry Committee (ITRE) also passed proposals in the draft bill to establish an EU-wide cybersecurity labelling scheme, which ENISA would lead, highlighting a fragmented standards market.

“The Agency shall promote the use of certification with a view to avoiding fragmentation in the internal market and improving its functioning, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level,” the proposed bill reads.

“This Product Contains Elevated Numbers of 0days that may be Bad for your Blood Pressure”

That proposal was first floated by the European Commission in September 2017. It would introduce a traffic light system similar to that used in food labelling.


Ed Williams, of cybersecurity specialists SpiderLabs at Trustwave, told Computer Business Review in an emailed statement: “I welcome any initiative to increase the security and assurance of ICT products; given the current climate this legislation is welcome.”

He added that the proposal, which would be voluntary except for critical infrastructure technology, could be tightened up.


“Ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do – secure by design is a must in 2018 and moving forward.”

“I have some reservations around the certification framework… assurance will be broken down into different categories, basic, substantial and high; where basic “provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service”, I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?”

Fifty-six MEPs voted in favour of the legislation, five against, with one abstention.

The ITRE committee also voted for measures that would make certification mandatory for critical infrastructure, including energy grids, water and energy supplies and banking systems; these were not included in the EC’s initial proposal.

It emphasised a lack of standardised security practices across the Internet of Things.

“There seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. A risk-based approach is required whilst acknowledging that a one-size-fits-all approach is not possible.”
Among ENISA’s recent exercises was a Europe-wide cybersecurity exercise that involved 900 specialists from 30 countries role-playing a response to a major hack on an airport.

The two-day exercise in early June was orchestrated by ENISA at its headquarters in Athens and controlled via its Cyber Exercise Platform (CEP), which provided a ‘virtual universe’ (integrated environment) for the simulated world.

ENISA said: “The scenario contained real life-inspired technical and non-technical incidents that required network and malware analysis, forensics, and steganography. The incidents in the scenario were designed to escalate into a crisis at all possible levels: organisational, local, national and European.”

The organisation wants the budget to operate around the clock and also have a team in Brussels. A compromise agreement on the bill will now need to be thrashed out by the EC, European Parliament and member states.
