EU Cybersecurity Act: Implications for Electronics Manufacturing Industry

The Cybersecurity Act (Regulation (EU) 2019/881), Europe’s first consolidated cybersecurity certification framework, took effect on 28 June 2019 to establish information and communication technology (ICT) product security certification standards for the European Union (EU).

The Act establishes EU Cybersecurity Certification Schemes intended to enhance the cyber resilience of ICT products, defined as an element or a group of network and information systems. The European Network and Information Security Agency (ENISA), for its part, will coordinate the preparation and submission of cybersecurity certification schemes for adoption by the European Commission.

Under the Act, cybersecurity certification will be voluntary unless specified otherwise by law. Companies can submit a self-certification statement of conformity for recognition of their products in all EU Member States. Cybersecurity certifications of products offered in one Member State will be valid across the EU. Products can be certified under one of three assurance levels – basic, substantial, or high – that corresponds to their ability to withstand cybersecurity attacks. Approved cybersecurity certification authorities will assess products and assign the level of security assurance.

ENISA is tasked as the responsible body to develop a categorized list of products to allow businesses, national government agencies and national standardization bodies to prepare for the future European cybersecurity certification schemes. The first list, scheduled for publication on 28 June, 2020, will be updated at least once every three years. In some areas, it could be necessary in the future to impose specific cybersecurity requirements and mandate certification of certain products.

The Cybersecurity Act in EU’s digital ecosystem

A substantial component of the EU’s overall digital policy, the Act aims to increase product safety in the single market. The Act will become part of a legislative framework that now includes the Directive on Security of Network and Information systems and the General Data Protection Regulation. In addition, the Act will take into account current international cybersecurity standards (e.g. ISO 27001, PCI-DSS, CSA Cloud Control Matrix or NIST 800-53) to help develop a globally harmonized framework underpinning interoperability.

SEMI’s role in advancing cybersecurity

SEMI welcomes the adoption of the resolution and commends the European Union’s commitment to address product cybersecurity as vital to a secure industry and society. With the Cybersecurity Act in force, Europe sets an important example by forming the building blocks for stronger cybersecurity and cyber-resilience in the global supply chain. Upholding Single Market principles, the Cybersecurity Act is a key milestone in SEMI’s work to bolster the manufacturing industry’s participation in cybersecurity policy. SEMI will maintain discourse with key public and private stakeholders, closely monitoring related policy developments as they unfold.

SEMI is involved in advancing the state of cybersecurity on a number of fronts including:

• At SEMICON Europa, 15-19 November 2019, SEMI will continue to connect the electronics design and manufacturing supply chain to pave the way for future cybersecurity applications.
• MADEin4 is a new ECSEL project that brings together nearly 50 organizations, including SEMI, to develop secure cyber-physical systems through a novel approach of combining metrology data analysis with machine learning methodologies and digital twinning. 
• SEMI Smart Manufacturing initiative is designed to promote collaboration to solve problems in business-critical areas such as cybersecurity across the electronics manufacturing and design supply chain.
• SEMI Cybersecurity Standards efforts include work of the Fab and Equipment Information Security Task Force to develop a suite of equipment and fab information security management standards to protect equipment and other fab resources against cyberattacks from both inside and outside the fab.
• SEMI’s new EU-funded initiative MicroElectronics Training, Industry and Skills (METIS) will educate the future electronics workforce about cybersecurity.
• SEMI Global Advocacy meets with policymakers worldwide to promote industry-government cooperation in developing cybersecurity policies.
• The information security subgroup of the SEMI Information Technology Leadership (ITL), a community of CIOs and other IT leads serving at high-tech manufacturing and engineering companies, meets semi-annually to review new cybersecurity threats, countermeasures and corporate approaches to security from an IT perspective.

Emir Demircan is Director of Public Policy and Marek Kysela is EU Policy and Project Coordinator at SEMI Europe.