European Cybersecurity Certification Schemes and cybersecurity in the EU internal market

Abstract

The principal question addressed by this paper is: how adequate are the minimum security objectives of the European Union Cybersecurity Act (Regulation (EU) 2019/881) in assisting organisations in the European Union internal market with resisting and recovering from cyber threats? The question is answered by first identifying the scope of the minimum security objectives. Scope identification, performed through legislative interpretation, reveals an integrated system of security objectives with significant gaps. Second, the minimum security objectives are evaluated within a model of cyber attacks from attack reconnaissance to legal proceedings to reveal further significant gaps. Finally, the minimum security objectives are evaluated within five cyber attack scenarios, reflecting the highest ranking cyber threats to the internal market. The simulation analysis accentuates the findings of the model analysis and identifies further significant gaps. In conclusion, the minimum security objectives are found to be largely inadequate in assisting organisations in the European Union internal market with resisting and recovering from cyber threats. The analysis of the adequacy of the minimum security objectives is timely, as the first European cybersecurity certification schemes are currently being designed.