Open simonekman opened 3 years ago
For most medtech companies ENISA seems to be out of scope.
ENISA is relevant for "essential societal services or infrastructure" (Swedish: "samhällsviktiga tjänster eller infrastruktur").
ENISA directive: Article 8, Market, cybersecurity certification and standardisation.
So this is a short summary of 4 hours of google searches.
The EU law “Cybersecurity Act” has enabled ENISA (EU agency for cybersecurity) to create a unified, EU-wide certification for ICT services, products and processes (information and communications technology). The certification specific to cloud is right now in draft state and is expected to be completed early 2022 (they have other certifications for 5G etc.). There will be 3 levels of ENISA certification for “cloud”. It will be the work of the Swedish governmental agency “Försvarets materielverk” to make sure that the companies in Sweden with the certification in place follow the certification requirements.
The way I understand the Cybersecurity act is that it is relevant for all ICT products, ICT-services and ICT-processes. This means all users of Compliant Kubernetes fall under the cybersecurity act and that these certifications will be super relevant (when completed) to them when evaluating Kubernetes platforms and managed service providers in the future.
The only question will be if they need basic, substantial or high compliance.
Basic: A European cybersecurity certificate or an EU statement of conformity referring to assurance level ‘basic’ provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of cyberincidents and cyberattacks. The evaluation activities should include at least a review of the technical documentation or, failing that, substitute evaluation activities with equivalent effect.

Substantial: A European cybersecurity certificate referring to assurance level ‘substantial’ provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise cybersecurity risks, cyberincidents and cyberattacks carried out by actors with limited skills and resources. The evaluation activities should include at least:
- a review to demonstrate the absence of known vulnerabilities;
- testing to demonstrate that the products, services or processes correctly implement the security functionalities;
- failing that, substitute evaluation activities with equivalent effect.

High: A European cybersecurity certificate referring to assurance level ‘high’ provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. The evaluation activities should include at least:
- a review to demonstrate the absence of known vulnerabilities;
- testing to demonstrate that the products, services or processes correctly implement the security functionalities;
- an assessment of their resistance to skilled attackers using penetration testing;
- failing that, substitute activities.

Attachment: EUCS – Cloud Service candidate cybersecurity certification scheme (1).pdf
@cristiklein @tordsson we should investigate how well we map towards the requirements of basic, substantial and high in Annex A in order to see how well we are prepared for an ENISA certification (basic, substantial or high). The ISO 27001 certification work will come in handy for sure.
@simonekman Is this issue still relevant?
I get mixed signals.
Toss a coin? :smile:
I'd say it's relevant; the question is if we should prioritize it over other tasks that are also relevant. Let's discuss in the next product strategy meeting?
It would be great if we had a section under "compliance" that describes how Compliant Kubernetes maps towards relevant parts of ENISA. Some EU companies have specifically asked for this.
ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.
ENISA's Regulation is the Regulation (EU) 2019/881 of the European Parliament and of the EU Council of 17 April 2019 (Cybersecurity Act) on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.
https://www.enisa.europa.eu/ https://www.enisa.europa.eu/about-enisa/regulatory-framework
Also, is it relevant to look at the ENISA certification? https://www.enisa.europa.eu/topics/standards/certification