EU Cybersecurity Act

Regulation 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity)

General

The Cybersecurity Act encompasses two important things: a reinforcement of the mandate, responsibilities, powers and resources of the European Agency for Cybersecurity (‘ENISA’) and the creation of a cybersecurity certification framework. This framework will be established by different schemes for specific ICT products or services, which will be prepared by ENISA (and accepted by the European Commission).

The cybersecurity certification network

The need for a cybersecurity certification framework that is common to all the Member States is high. There are currently certain national cybersecurity certification schemes, such as the Commercial Product Assurance developed in the UK, la Certification Sécuritaire de Premier Niveau in France, and the Dutch Baseline Product Assessment. These national cybersecurity certification schemes are operating but not mutually recognised and therefore, they lack effectiveness (European Union, 2017).

The idea of the Commission is thus to create a degree of trust in the eyes of the general public that ICT products and services contain a certain level of cybersecurity. Electronic medical devices are used as an example in the Regulation of a sector in which certification is already widely used (recital 65 Regulation 2019/881).

The certification schemes drawn up by ENISA and accepted by the Commission will be voluntary unless future EU legislation proscribes a certification scheme as necessary to comply with a certain cybersecurity need.

The ENISA Report and existing standards

ENISA already issued a report on the possibilities for certification in the healthcare sector (ENISA, 2018). The report divides three different areas that must be assessed separately in the form of segregated schemes that are linked to other schemes. These are due to the different requirements that EU legislation imposes for each area. The first area are semiconductors. These are small chips that are used in medical equipment. A second area are medical devices: they can be sophisticated or simple but connected to the Healthcare information networks. These are often referred to as the Internet of Medical Things. The third area are the electronic systems, which are the healthcare IT systems and services, such as portals and clouds, used by healthcare settings. These may include for example the electronic medical/health records of the patient; patient healthcare records (which allows the patient to check his/her medical and/or health records online); scheduling systems; e-Prescription mechanisms; and the health information systems, i.e. the core IT system of healthcare settings that allows the management of every day operations and that is interconnected with the other systems that are listed (ENISA, 2018).

Even if ENISA envisages a more specific certifications scheme for the three areas described, there are already existing standards and standards in the make for ICT security in the healthcare sector. In its report, ENISA lists the Standard Developing Organisations bodies that are recognised by Regulation 1025/2012 on European standardisation (ENISA, 2018):

ISO (International Standards Organisation): The Technical Committee ISO/TC 215 focuses on the facilitation of the capture/ use and interchangeability of health data;
CEN-CENELEC: There are several technical committees that are dealing with the safety measures of specific medical devices. In addition, technical committee TC 251 ‘Health Informatics’ manages the International Patient Summary project, funded by the European Commission that wants to publish an EU standard for patient summaries in cross-border care (CEN-CENELEC, 2019);
ETSI: The ETSI Project (EP) eHealth is a project that looks at existing ETSI standards that are also applicable to eHealth and the gaps within the standards (ETSI, 2007 and ETSI, 2009);
ITU (International Telecommunication Union): The Study Group 16 (‘Multimedia coding, systems and applications’) is currently working and accelerating the development of standards for eHealth and other fast developing areas (such as Internet of Things) (ITU, 2019);
IEC (International Electrotechnical Commission): They already have the series IEC 80001 on the application of risk management within IT-networks incorporating medical devices and are currently working on the second version of the series, that are scheduled to come out in December 2020.

SOURCES

European Union, European Parliament and Council. (2019). Regulation 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN.

CEN-CENELEC. (n.d.). Work Programme 2019. Retrieved from https://www.cen.eu/news/brochures/brochures/CEN-CENELEC_WP_2019.pdf.

ENISA. (2018, December). ICT Security Certification opportunities in the healthcare sector. Retrieved from file:///C:/Users/User01/Downloads/WP2018%20O.2.1.1%20Healthcare%20certification.pdf.

ETSI. (2009, February). eHealth: Architecture, Analysis of user service models technologies and applications supporting eHealth. Retrieved from https://www.etsi.org/deliver/etsi_tr/102700_102799/102764/01.01.01_60/tr_102764v010101p.pdf.

ETSI. (2007, May). Applicability of existing ETSI and ETSI 3/GPP deliverables to eHealth. Retrieved from https://www.etsi.org/deliver/etsi_sr/002500_002599/002564/02.00.00_60/sr_002564v020000p.pdf.

Independent High-Level Expert Group on Artificial Intelligence. (2019, April 8). Ethic Guidelines for Trustworthy Artificial Intelligence. Retrieved from file:///C:/Users/User01/Downloads/AIHLEG_EthicsGuidelinesforTrustworthyAI-ENpdf.pdf.

ITU. (2019). Study Group 16 at a glance. Retrieved from https://www.itu.int/en/ITU-T/about/groups/Pages/sg16.aspx.