LIVE FROM GSMA MOBILE 360 SERIES – PRIVACY & SECURITY: The European Commission (EC) remains confident it will enact new cybersecurity legislation by the year-end, clearing the way for the first standardised certification programmes to commence in early 2019.

In a keynote panel session, Nikolaos Isaris, deputy head of the EC’s DG Connect (pictured, second from right), explained a lot of progress had been made since he talked about the draft Cybersecurity Act at this event twelve months ago. At the time, people were concerned about over-regulation by the Commission in terms of placing so-called trust labels on the IoT, but following feedback from stakeholders and a host of European regulatory bodies, the department today has a clear view of what the proposed act aims to achieve and is ready to move the certification programme forward.

Addressing concerns the legislation is taking too long to become a reality, Isaris explained the goal is to make it technology neutral rather than trying to keep up with the fast pace of technology evolution: “You don’t legislate on the technology… We have to be legislating on the principles and not the specifics of the technologies”.

Business and accountability
Fellow panellist Harm Jan Arendshorst (pictured, second from left), CEO of iLabs Technologies and a founder of the Alliance for IoT Innovation (AIOTI), said the cybersecurity legislation comes amid an “avalanche of regulations” including GDPR and PSD2 rules for the financial sector, but said the EC’s move is necessary: “We need to be more proactive, we need to be accountable for the security on a day-to-day basis in a more dynamic way.”

The Act provides “a framework that is key for standards to be defined for sector and preferably less fragmented, more horizontal focused and aligned with international” standards.

Francois Zamora, a security expert with operator Orange (pictured, far left), picked up on the global harmonisation theme, but noted there is an inherent contradiction in the term self-certification.

“You cannot be judge and party: you cannot be your own assessor and be your own certifier,” he said.

The main goal of certification is to establish trust and so “deliver real business not illusion”.

(Also pictured: Robert Heerekop, consultant with IoTC360, far right)