As Head of ENISA’s Market Certification and Standardization Unit, Andreas Mitrakas is at the center of EU efforts to strengthen cybersecurity and boost the bloc’s digital single market. On the occasion of his participation in AmChamGR’s Digital Sustainability Forum, “Strengthening Cybersecurity: The New EU Framework of Standards and Certification,” on March 31, Business Partners reached out to talk about ENISA, the EU Cybersecurity Act, and Greece’s role as an emerging ICT hub.
You joined ENISA, the European Union Agency for Cybersecurity, in 2005, shortly after its establishment. Tell us a bit about ENISA and the ever-growing relevance and significance of its work.
While ENISA started out as a center of excellence in the internal market with the aim to foster EU policy in the area of cybersecurity (aka network and information security), it soon became clear that a more comprehensive approach would allow for better coordination across the EU Member States to prepare and respond to cyberattacks. EU cybersecurity policy thus followed a broader pattern to include discrete activities across law enforcement, defense, prevention and response, culminating in the efforts of EU institutions and agencies, guided as they are by the European Commission, the European Parliament and the Council.
The American-Hellenic Chamber of Commerce took up an important initiative to present the evolving cybersecurity certification framework and ENISA has responded in recognition of the public interest that was vested therein.
As ENISA gradually acquired a policy coordination role to match its knowledge prowess, various vertical cybersecurity application areas were also developed by other competent EU institutions and agencies across various areas including personal data, civil aviation, power networks, and financial services. Over time, ENISA leveraged its soft-law competences in the EU to gradually mobilize stakeholder communities and individuals alike, by means of recommendations, advice, joint exercises, and challenges as well as guidance on policy and standards in cybersecurity. Currently, ENISA successfully supports the European Commission in relation to its cybersecurity certification policy, which is a new legislative as well as a policy instrument aiming at enhancing the level of trust in the digital single market.
The EU Cybersecurity Act aims to create a wide-ranging independent European body of cybersecurity regulation within the context of the digital single market goal. What can you tell us about cybersecurity certification schemes and ENISA’s role in them?
Building trust in electronic transactions has gradually become a measurable activity; the cybersecurity certification framework lays down the conditions to achieve that. Cybersecurity certification schemes are composed of security controls across three different assurance levels (basic, substantial and high) that are used by designated conformity assessment bodies to test products and services. ENISA presents the Commission with a candidate of a cybersecurity certification scheme that it develops in full cooperation with area experts and public authorities in the Member States; at the last stage, a scheme is adopted in a committee of Member States to become part of EU Law. ENISA continually provides guidance to the stakeholders to implement the cybersecurity certification framework, it seeks international interoperability and compliance with international standards, and it assists public authorities in the Member States as well as the Commission.
The Cybersecurity Act grants ENISA a permanent mandate and a host of new resources and tasks. What are some of the areas in which ENISA will be working to help public and private parties navigate cybersecurity issues?
ENISA has developed a range of centers to concentrate efforts across various policy areas. ENISA has built a concrete case for EU policy in the area of cybersecurity, because at an early stage, it responded to policy prompts emerging in the aftermath of the dot com boom and bust in the early 2000s. That was the time when the EU policy had leaped from Electronic Data Interchange (EDI), electronic signatures and personal data protection, developed in the 1990s, and shifted to a more comprehensive framework concerning telecommunications, privacy, electronic commerce as well as important applications such as electronic procurement and electronic invoicing. Network and information security was the next logical policy step, and ENISA in its early stages successfully supported the development of public CSIRTs, risk management methodologies, awareness raising, network and information security policies, information security tools and architectures. Much of it was discontinued for a while or it was rolled to application areas as resilience took hold and large-scale exercises and competitions became important priorities.
These are effectively the guiding lines for ENISA policy as it currently brings together all the above-mentioned areas, as well as the next level of protection for critical information infrastructure, electronic identification, cybersecurity measures for personal data protection, a host of application areas, hands-on cooperation at CSIRT level as well as with law enforcement agencies, research and knowledge management. Closer to home, ENISA continues full throttle in terms of cybersecurity certification schemes in key industry areas that include common criteria, cloud services, soon 5G and more, EU cybersecurity market analysis, and cybersecurity standardization. This all is quite a tall bill for what remains a modest-sized agency that has learned to remain fit for purpose and prove its value to stakeholders and the taxpayer alike.
Considering the significant investments that global tech heavyweights have recently made in Greece, as well as efforts to push through with digital transformation and establish the country as a major ICT hub in the region, how do you see Greece’s role in all this unfolding over the coming years?
It is broadly recognized that smaller economies can remain competitive by developing their competitive niche advantages. Greece has considerable human capital, proximity to capital centers, and reasonable infrastructure that can all be put to good use in the context of the EU digital single market and as a unique and promising EU Member State model. Technology and innovation present an important opportunity for Greece to fuel growth beyond the typical staples that have dominated its economy in the past; several very smart people have worked very hard to bring this vision to fruition. Perhaps a challenging aspect concerns the management of expectations and risk on Greece’s business culture; eventually success for Greece will be determined by its ability to further draw on the mass of small and medium-sized enterprises that will be attracted by the choice that the tech heavyweights, as you call them, have made. The role of the American-Hellenic Chamber of Commerce is likely to be critical in this respect, i.e. to spread the word on rewarding technology investment in Greece and continue sharing successful case studies of leading technology service providers in the country.