
Project acronym: CRISP

Project title: Evaluation and Certification Schemes for Security Products

Grant number: 607941

Programme: Seventh Framework Programme for Security

Objective: Topic SEC-2013.5.4-1 Evaluation and certification schemes for security products

Contract type: Capability project

Start date of project: 01 April 2014

Duration: 36 months

Website: www.crispproject.eu

Deliverable D 2.1: Report on security standards and certification

in Europe - A historical/evolutionary perspective

Author(s): Dr. Simone Wurster, Dr. Tim Pohlmann and Dr. Patrick Murphy (TU Berlin), Dr. Florian Fritz, Roger von Laufenberg (IRKS Research), Jolien van Zetten (NEN), Cristina Pauner, Artemi Rallo (UJI) and Rosario García Mahamut (UJI), Rosamunde van Brakel, Alessia Tanas (VUB)

Contributor: Trilateral Research and Consulting

Dissemination level: Public

Deliverable type: Final

Version: 1

Submission date: 30 August 2014


D2.1: Report on security standards and certification in Europe CRISP project

Page 2 of 170

TABLE OF CONTENTS

List of figures ............................................................................................................................. 5

List of selected abbreviations ..................................................................................................... 7

1. Introduction .............................................................................................................. 9

2. State of the art in research on conformity assessment, standardisation and accreditation .......................................................................................................... 10

2.1. Introduction ............................................................................................................ 10

2.2. Conformity assessment systems and their elements .............................................. 10

2.3. Standards as part of conformity assessment systems ............................................. 12

2.3.1. Introduction ............................................................................................................ 12

2.3.2. Characteristics and types of standards .................................................................. 13

2.3.3. Standards used for conformity assessment ............................................................ 15

2.4. Economic benefit of conformity assessments ........................................................ 16

2.5. Economic benefits of standards and their use for conformity assessments ........... 20

2.5.1. General benefits ..................................................................................................... 20

2.5.2. Usability of different deliverables for conformity assessment ............................... 21

2.5.3. Examples of the use of standards for conformity assessment ................................ 21

2.5.4. Examples of conformity assessment without using standards ............................... 22

2.5.5. Advantages of using standards for conformity assessment.................................... 23

2.6. Economic benefit of mutual recognition of security-related conformity assessments ............................................................................................................ 25

3. General framework conditions in Europe .............................................................. 27

3.1. General framework for certification and accreditation in Europe ......................... 27

3.1.1. Conformity assessment and accreditation in the Voluntary Section ..................... 27

3.1.2. Conformity assessment and accreditation in the Law Regulated Section ............. 29

3.1.3. Conformity assessment and accreditation in the “Sovereignty” Section .............. 33

3.1.4. The European co-operation for Accreditation and the Multilateral Agreement ...... 33

3.2. General framework for standardisation in Europe ................................................. 34

3.2.1. Main features of the European standardisation policy .......................................... 34

3.2.2. Multinational collaborations in standards development ....................................... 39

3.3. Security standardisation and certification in Europe ............................................. 40

3.3.1. Introduction ............................................................................................................ 40

3.3.2. European efforts towards security-related CAC solutions .................................... 42

3.3.2.1. The ESRIF report ................................................................................................... 42

3.3.2.2. The European Security Research and Innovation Agenda .................................... 43

3.3.2.3. Communication on reaction to ESRIF ................................................................... 45

3.3.2.4. Communication towards an increased contribution from standardisation to innovation in Europe ............................................................................................. 46


3.3.2.5. Stockholm Programme ........................................................................................... 47

3.3.2.6. Mandate M/487 ...................................................................................................... 48

3.3.2.7. Action Plan for an innovative and competitive Security Industry ......................... 49

3.3.3. Regulations and directives in selected security areas ........................................... 50

3.3.3.1. Overview ................................................................................................................ 50

3.3.3.2. Documents related to privacy and data protection ................................................ 51

3.3.4. Links between standards, certification and pre-commercial procurement ........... 54

3.3.5. Summary and conclusions ...................................................................................... 54

4. State of the art in security standards in different sectors ....................................... 56

4.1. Work of European standardisation organisations .................................................. 56

4.1.1. Introduction ............................................................................................................ 56

4.1.2. Analysis of different standardisation organisations and their security-related standards ............................................................................................................... 58

4.1.2.1. European Committee for Standardisation (CEN) .................................................. 58

4.1.2.2. European Committee for Electrotechnical Standardisation (CENELEC) ............. 62

4.1.2.3. European Telecommunications Standards Institute (ETSI) ................................... 64

4.2. Work of international standardisation organisations ............................................. 67

4.2.1. International organisation for standardisation (ISO) ........................................... 67

4.2.2. International Electrotechnical Commission (IEC) ................................................ 69

4.2.3. International Telecommunication Union (ITU) ..................................................... 70

4.3. Work of specific technical committees .................................................................. 72

4.3.1. Introduction ............................................................................................................ 72

4.3.2. CEN/CLC/TC 4 PC Services for fire safety and security systems ......................... 73

4.3.3. CEN/TC 224 Personal identification, electronic signature, cards and their related systems and operations ............................................................................. 75

4.3.4. CEN/TC 278 Road transport and traffic telematics .............................................. 80

4.3.5. CEN/TC 325 Crime prevention by urban planning and building design .............. 82

4.3.6. CEN/TC 379 PC - Supply chain security ............................................................... 83

4.3.7. CEN/TC 388 Perimeter protection ........................................................................ 84

4.3.8. CEN/TC 391 Societal and citizen security ............................................................. 86

4.3.9. CEN/TC 417 Maritime and port security services ................................................. 88

4.3.10. CEN/TC 419 Forensic science services ................................................................. 89

4.3.11. CLC/TC 79 Alarm systems ..................................................................................... 91

4.3.12. Other security-related TCs .................................................................................... 92

4.3.13. Summary ................................................................................................................ 95

4.4. Correlate the general security areas and standardisation activities ........................ 99

4.5. Correlate CRISP’s WP1 matrix of security areas and standards ......................... 102

4.6. Need for standards ............................................................................................... 108


5. Fields where the availability of open standards should be restricted ................... 110

6. State of harmonisation and mutual recognition ................................................... 116

6.1. National certification organisations in the security field ..................................... 116

6.2. General findings regarding the state of harmonization ........................................ 118

6.3. The situation in different security sectors ............................................................ 120

6.3.1. CBRNE ................................................................................................................. 120

6.3.2. Airport screening equipment ................................................................................ 122

6.3.3. Air cargo .............................................................................................................. 124

6.3.4. Alarm systems ...................................................................................................... 124

6.3.4.1. Alarm systems in general ..................................................................................... 124

6.3.4.2. Fire alarm systems ............................................................................................... 125

6.3.5. Security services ................................................................................................... 126

6.3.6. Need for action ..................................................................................................... 126

6.4. Certification bodies and schemes ......................................................................... 127

6.4.1. Introduction .......................................................................................................... 127

6.4.2. Common Criteria Certification ............................................................................ 128

6.4.3. SOG-IS ................................................................................................................. 130

6.4.4. Evaluation according to ITSEC ........................................................................... 131

6.4.5. ECAC ................................................................................................................... 131

6.4.6. CertAlarm ............................................................................................................ 132

6.4.7. EFSG .................................................................................................................... 132

6.5. Current activities .................................................................................................. 140

6.5.1. National activities ................................................................................................ 140

6.5.2. European activities .............................................................................................. 140

7. Summary .............................................................................................................. 142

References ............................................................................................................................. 147

Annex 1: Examples of European regulations in different security-related Areas .................. 164

Annex 2: CRISP’s guideline for interviews at CEN and CLC TCs ....................................... 169

Annex 3: Topics of emails to selected TCs at CEN and CLC ............................................... 170


LIST OF FIGURES

Figure 1: The elements of conformity assessment systems and quality infrastructure ............ 11

Figure 2: Kinds of standards in hierarchical order ................................................................... 14

Figure 3: Overview of deliverables at CEN and CENELEC ................................................... 16

Figure 4: Sections of conformity assessment systems ............................................................. 18

Figure 5: Possible forms of internalization of market imperfections ....................................... 18

Figure 6: Positive effects of different kinds of standards......................................................... 20

Figure 7: Selected reasons for certification .............................................................................. 22

Figure 8: Selected advantages of standards .............................................................................. 23

Figure 9: Modules of conformity assessment according to European Commission (2008) ....................................................................................................................... 31

Figure 10: EN 45000 standards with requirements on conformity assessment bodies ............ 32

Figure 11: Relevance of the EN 45000 series in European conformity assessment ................ 32

Figure 12: Relevant areas of ESRIF for CRISP’s activities ..................................................... 43

Figure 13: Clusters of ESRIA .................................................................................................. 44

Figure 14: Relevant items of COM (2008) 133 ....................................................................... 47

Figure 15: Objectives of Mandate M/487 ................................................................................ 49

Figure 16: Security areas based on Mandate M/487 ................................................................ 49

Figure 17: Selected elements of the action plan for the European security industry ............... 50

Figure 18: Year of establishment and published standards by security related CEN/CLC/TCs ....................................................................................................... 57

Figure 19: Establishment of security-related TCs at CEN and CENELEC ............................. 58

Figure 20: Overview of the work of selected CEN TCs in the security field .......................... 61

Figure 21: Overview of the work of selected CLC/TCs in the security field .......................... 63

Figure 22: Overview of the work of selected TCs in ETSI’s security cluster ......................... 66

Figure 23: Overview of the work of selected ISO TCs in the security field ............................ 68

Figure 24: Interrelation between CEN/CLC/TC 4 and the European certification landscape ................................................................................................................ 75

Figure 25: Interrelation between CEN/TC 224 and the European certification landscape ................................................................................................................ 79

Figure 26: Interrelation between CEN/TC 278 and the European certification landscape ................................................................................................................ 81

Figure 27: Interrelation between CEN/TC 235 and the European certification landscape ................................................................................................................ 83

Figure 28: Interrelation between CEN/TC 379 and the European certification landscape ................................................................................................................ 84

Figure 29: Interrelation between CEN/TC 388 and the European certification landscape ................................................................................................................ 86

Figure 30: Interrelation between CEN/TC 391 and the European certification landscape ................................................................................................................ 87


Figure 31: Interrelation between CEN/TC 417 and the European certification landscape ................................................................................................................ 89

Figure 32: Interrelation between CEN/TC 419 and the European certification landscape ................................................................................................................ 90

Figure 33: Interrelation between additional security-related CEN TCs and the European certification landscape............................................................................ 94

Figure 34: Summarized interrelation between selected security-related CEN/CLC/TCs and the European certification landscape ..................................... 98

Figure 35: Links between security sectors and the work of CEN and CENELEC ................ 101

Figure 36: Correlate of CRISP’s WP1 matrix of security areas and standards ...................... 105

Figure 37: Examples of security-related certification bodies in European Member States .................................................................................................................... 118

Figure 38: Perceived lack of harmonised certification procedures in Europe ....................... 119

Figure 39: Options for an EU wide harmonized certification system for airport screening equipment ............................................................................................. 123

Figure 40: European collaborations of VdS ........................................................................... 126

Figure 41: Collaborations of VdS with the U.S. .................................................................... 126

Figure 42: Multilateral recognition agreements in Europe in the security field .................... 127

Figure 43: German example of the CC certification process ................................................. 129

Figure 44: The quality marks of the EFSG System ............................................................... 133

Figure 45: The EFSG process ................................................................................................ 135

Figure 46: Examples for the nomination of test laboratories by a certifier of the EFSG group .......................................................................................................... 135

Figure 47: Parts of the EFSG agreement on components of intruder alarm systems -1- ....... 136

Figure 48: Parts of the EFSG agreement on components of intruder alarm systems -2- ....... 137

Figure 49: Exemplary test protocol of the EFSG partner CNPP ............................................ 138


LIST OF SELECTED ABBREVIATIONS

AFNOR Association Française de Normalisation
BSI (D) Bundesamt für Sicherheit in der Informationstechnik
BSI (GB) British Standards Institution
CAC Conformity Assessments and Certifications
CBRN Chemical, Biological, Radiological and Nuclear
CBRNE Chemical, Biological, Radiological, Nuclear and Explosive
CC Common Criteria
CCTV Closed-circuit television
CEN Comité Européen de Normalisation
CLC CENELEC
CENELEC Comité Européen de Normalisation Electrotechnique
CEOC International Confederation of Inspection and Certification Organisations
COM Communication
CREATIF Network of Testing Facilities for CBRNE detection equipment
CWA CEN Workshop Agreement
DIN Deutsches Institut für Normung
EA European co-operation for Accreditation
ECAC European Civil Aviation Conference
EEA European Economic Area
EFAC European Federation of Associations of Certification Bodies
EFSG European Fire and Security Group
EFTA European Free Trade Association
EN European Norm
ENISA European Union Agency for Network and Information Security
EOTC European Organisation for Testing & Certification
ESOs European Standardisation Organisations
ESRIA European Security Research and Innovation Agenda
ESRIF European Security Research and Innovation Forum
ETSI European Telecommunications Standards Institute
IAF International Accreditation Forum
ICT Information and communications technology
IEC International Electrotechnical Commission
IIOC Independent International Organisation for Certification
ILAC International Laboratory Accreditation Cooperation
ISO International Organization for Standardization
IT Information Technology
ITSEC Information Technology Security Evaluation Criteria
ITU International Telecommunication Union
IWA International Workshop Agreement
JTC Joint Technical Committee
MRA Mutual Recognition Agreement
NSB National Standardisation Body


NEN Nederlandse Norm (National Standardisation Body of the Netherlands)
PSS products, systems and services
prEN Draft European Norm (project of European Norm)
SC Sub Committee
SMEs Small- and Medium-sized Enterprises
SOG-IS Senior Officials Group Information Systems Security
TC Technical Committee
TR Technical Report
TS Technical Specification
WTO World Trade Organisation


1. INTRODUCTION

Building on the security-related definitions in the glossary and taxonomies of CRISP's Deliverables 1.1 (Glossary of security products and systems) and 1.2 (Taxonomy of security products, systems and services), this report provides a literature review and a historical perspective of security standards and certification in Europe. It introduces the rationale and need for standards and certification and outlines what is certified. Examples of standards and certification schemes in different security sectors, covering different areas of certification, are illustrated. In addition, opportunities to link standards and certification in the future are shown. This document consists of seven chapters:

Chapter 2 reflects the state of the art in research on conformity assessment, certification, standardisation and accreditation. Specific emphasis is put on the security field; in particular, the advantages of using standards in certification processes are shown.

Chapter 3 describes the general framework conditions in Europe and specific European documents related to security standardisation and certification.

Chapter 4 gives detailed insight into the state of the art in European security standards in different sectors, standardisation organisations, technical committees and working groups, and offers an overview of specific standards documents.

Chapter 5 provides information on security fields where standards for certain security applications should only be made available to entities which hold the required security clearances.

A detailed analysis of the state of harmonisation and mutual recognition in Europe is given in Chapter 6. All findings are summarised in Chapter 7.

This report is conceived as a living document. After this first submission, an extended version will be prepared that benefits from additional information gained from other work packages, in particular from the preparation of Deliverable 2.2 (Consolidated report on security standards, certification and accreditation – best practice and lessons learnt).


2. STATE OF THE ART IN RESEARCH ON CONFORMITY ASSESSMENT, STANDARDISATION AND ACCREDITATION

2.1. INTRODUCTION

In the context of European harmonisation, conformity assessment permits proof of compliance with laws, technical specifications or criteria.[1] This chapter provides an overview of the most relevant academic theories, principles and findings addressing conformity assessment and certification as well as standardisation and accreditation.

2.2. CONFORMITY ASSESSMENT SYSTEMS AND THEIR ELEMENTS

Conformity assessment refers to the demonstration that a product, a system, a person or a body fulfils a set of specified requirements (EN ISO/IEC 17000:2005).[2] There are various conformity assessment bodies, such as test laboratories, calibration units and inspection units, in addition to certification and verification bodies. All of them confirm that the specified requirements are met. Those requirements are usually set through standards, laws, specifications and voluntary agreements among parties. On this basis, obtaining a certificate is proof that a product complies with (or "conforms to") specific legislation or other technical specifications or criteria.[3]

Active conformity assessment plays an important role for both international trade and the pursuit of a European single market. With the expansion of international trade, there have been great efforts to reduce and eliminate tariff barriers. As a result of the success of these efforts, the focus is now on non-tariff barriers. Through conformity assessment, trust among trading partners concerning quality and security can be protected and strengthened. The conformity assessment system offers structure and consistency and promotes mutual trust.

To achieve a continuous and comparable quality of assessment results, an independent body can assess and validate the competence of the conformity assessment bodies. Those competence validations are specific to each sector. The independent body can either be set up by the state or be a completely independent accreditation body. There are various ways to ensure the competence of this independent body. If the state has set up the body, its competence is assumed until proven otherwise. If the body is an independent accreditation body, a system of continuous rotating peer assessment among such bodies can be established. Accreditation is defined by ISO/IEC 17011 as "third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks".[4] With those definitions as a basis, we now define three main elements which make up the conformity assessment system:

[1] See Ensthaler, Jürgen, Kai Strübbe and Leonie Bock, Zertifizierung und Akkreditierung technischer Produkte, Ein Handlungsleitfaden für Unternehmen, Berlin, 2007.
[2] See Teichler, Thomas, Florian Berger, Thomas Heimer, James Stroyan and Inga Schlüter, Entwicklungsperspektiven der Konformitätsbewertung und Akkreditierung in Deutschland, Studie im Auftrag des Bundesministeriums für Wirtschaft und Technologie, 2013, pp. 16-23.
[3] See Ensthaler, et al., op. cit., 2007.
[4] See ISO/IEC, ISO/IEC 17011. Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies. Switzerland, 15 February 2005.


Establishing the requirements for products, services, systems, etc. which can be set through standards or agreements, for example.

Conformity assessment through conformity assessment bodies, such as certification bodies

Validation of the competence of the conformity assessment bodies

From this listing it should be apparent that certification, standards and accreditation are part of the conformity assessment system. Furthermore the conformity assessment system is itself part of the quality infrastructure of a nation when combined with metrology (measurement systems).5 Figure 1 shows the hierarchy and components of the quality infrastructure and of the conformity assessment system.

Figure 1: The elements of conformity assessment systems and quality infrastructure (Source: Own figure based on Teichler et al., 2013 and Frenz & Lambert, 2013)

In this analysis we will only focus on the conformity assessment system on its own, and not as part of a bigger infrastructure. In this system, establishing requirements and conformity assessment are carried out by private actors. Public actors may be involved, but as partners or contributors with equal or less influence. In contrast, competency validation is usually carried out by public actors such as the state or through a (sovereignty-granted) accreditation body. For the rest of this report, a distinction will be made between two markets. The first market, referred to as the “basic market,” is the market for security products, technologies, services and systems. The second market is the conformity market around the specific security solution. This distinction is necessary for two reasons. The first is that it helps clarify which actors, systems, dynamics, etc. are being referred to. The second is that through this distinction we can differentiate between various intervention mechanisms. This is particularly important, as it allows us to examine market imperfections and how the conformity assessment system can be used to eliminate them. According to Chapter 2.4, the market imperfections are located in the basic market and are mitigated through the conformity market.

5 See Frenz, Marion and Ray Lambert, The Economics of Accreditation. London: Birkbeck, University of London, March 2013. http://www.ukas.com/Library/Media-Centre/News/News-Archive/2013/Economics%20of%20Accreditation%20Final%20Report.pdf

2.3. STANDARDS AS PART OF CONFORMITY ASSESSMENT SYSTEMS

2.3.1. INTRODUCTION

European standardisation is a key instrument for the consolidation of the single market and for strengthening the competitiveness of European companies, thereby creating the conditions for economic growth.6 According to CEN's and CENELEC's formal definition, a standard is a “document, established by consensus decision making and approved by a recognized body that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”.7

Standardisation takes place on three different levels. Worldwide standards are developed by ISO (International Organization for Standardisation), IEC (International Electrotechnical Committee) and ITU (International Telecommunication Union). European standards are developed by CEN (European Committee for Standardisation), CENELEC (European Committee for Electrotechnical Standardisation) and ETSI (European Telecommunications Standards Institute), also called the three “European Standardisation Organisations” (ESOs). Throughout this document, whenever ISO is mentioned, this also includes IEC, and whenever CEN is mentioned, this also includes CENELEC. The third level of standardisation is the national level. Most countries in the world and all European countries have one National Standardisation Body (NSB). Differences in standards and technical regulations between countries, “even when justified, may sometimes create technical barriers to trade”.8 On the other hand, a number of empirical studies highlight the positive effect of harmonized national standards on trade.9

Members of CEN and CENELEC are the NSBs from every EU Member State, the Former Yugoslav Republic of Macedonia, Turkey and the three countries of the European Free Trade Association (EFTA) – Iceland, Norway and Switzerland. The case of ETSI is different, however. In ETSI committees, individuals, user groups and especially corporate organizations are members, rather than national representatives.

6 See CEN/CENELEC, “European Standardisation”, no date. http://www.cencenelec.eu/standards/Pages/default.aspx
7 See CEN/CENELEC, “What is a European Standard (EN)?”, no date. http://www.cencenelec.eu/standards/DefEN
8 See Guasch, J. Luis, Jean-Louis Racine, Isabel Sánchez and Makhtar Diop, Quality Systems and Standards for a Competitive Edge, The World Bank, Washington, DC, 2007, p. 81.
9 See Guasch et al., op. cit., 2007, p. 37 for an overview as well as Blind, Knut and Andre Jungmittag, “Trade and the Impact of Innovations and Standards: The Case of Germany and the UK”, Applied Economics, Vol. 37, pp. 1385–1398.


A summarized description of the nature of standardisation in Europe is given by CEN/CENELEC.10 According to CEN/CENELEC, the main goal of standardisation is to agree upon common specifications and/or procedures that respond to the needs of business and meet consumer expectations. In addition, standards are part of the knowledge economy that underpins European industry and society. They facilitate innovation and promote the adoption of new technologies.11

Before explaining standards in more detail, it is important to clarify some of the main rules related to the status and adoption of standards within Europe. All ISO standards are voluntary in use and in adoption. It is up to the NSBs to decide whether or not they adopt an ISO standard as a national standard. If the NSB decides to do so, the document will be published, for example as DIN-ISO in Germany or NEN-ISO in the Netherlands. If the NSB decides not to adopt the standard, it will only be published as an ISO standard in that country. Furthermore, NSBs have the possibility to develop and publish standards about a subject that is also standardised by an ISO standard. On a European level, CEN can decide to adopt an ISO standard and make it an EN-ISO. Conversely, ISO can decide to adopt an EN as well.

The rules for adopting European standards on a national level differ from the rules for ISO standards. The European standardisation system is unique in the world. After the publication of a European Standard, each national standards body or committee is obliged to withdraw any national standard which conflicts with the new European Standard. Hence, one European Standard becomes the national standard in all the 33 member countries of CEN and/or CENELEC.12 As soon as CEN decides to adopt an ISO standard as an EN, this document automatically has to be adopted by the member countries as well and becomes, for example, DIN-EN-ISO.

A majority of European Standards are initiated by business and developed in partnership with other stakeholders. Around 30% are mandated by the European Commission in the framework of EU legislation.

2.3.2. CHARACTERISTICS AND TYPES OF STANDARDS

Standards are developed and defined through a process of sharing knowledge and building consensus among technical experts nominated by interested parties and other stakeholders - including businesses, consumers and environmental groups, among others. A standard is not written by one expert, but reflects the input and knowledge of all parties concerned. Application fields of standards include the improvement of safety and performance, raising levels of energy efficiency as well as the protection of consumers, workers and the environment. According to CEN/CENELEC, they complement European and national policies in these areas, and make it easier for companies and other actors to respect relevant legislation.13

10 See CEN/CENELEC, “European Standardisation”, no date.
11 See CEN/CENELEC, “European Standardisation”, no date.
12 See CEN/CENELEC, “What is a European Standard (EN)?”, no date.
13 See CEN/CENELEC, “European Standardisation”, no date.


European Standards are regarded as a valuable tool for facilitating cross-border trade – both within Europe’s single market and with the rest of the world – because they reduce unnecessary costs for both suppliers and purchasers of products and services.14

There are several types of standards. CEN and ISO make a distinction between standards which include requirements and/or recommendations in relation to products, systems, processes and services. They also distinguish between standards which describe a measurement or test method or establish a common terminology within a specific sector.15 Another way of defining different types of standards is explained by the CREATIF consortium in its report “The future of testing security related products.”16 This report distinguishes four kinds of standards, according to Figure 2:

Figure 2: Kinds of standards in hierarchical order (Source: Own figure). The four kinds shown are fundamental standards, analysis and trial standards, performance standards and organizational standards.

A fundamental standard is, for example, a terminology standard. Analysis and trial standards specify aspects such as measurement protocols and test conditions. Performance standards include laboratory, operational and human factors standards, e.g. regarding human-machine interfaces, while the standard ISO 9001 Quality management systems17 is an example of an organizational standard. Information on the importance of these standards in the security field of protection against Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) threats is given in Chapter 6.3.1.

14 See CEN/CENELEC, “European Standardisation”, no date.
15 See CEN/CENELEC, “European Standardisation”, no date.
16 See Myers, P., F. Strebl, A. Plecis, R. Olivier and P. Wästerby, The future of testing security related products, D5.1 CREATIF Project, July 2011, pp. 16-17.
17 See ISO, ISO 9001:2008 Quality management systems, 15 November 2008.


2.3.3. STANDARDS USED FOR CONFORMITY ASSESSMENT

Certification bodies use standards as the basis for their processes. It is the job of these bodies to confirm that a product, system, process or service meets the requirements that are set by standards. They themselves have to meet certain requirements which are documented in conformity assessment standards like ISO 1702518 and ISO 17065.19 The standardisation process can lead to different types of deliverables whose usability for certification differs. Below are the most used European deliverables. Besides general descriptions, further descriptions of their usability for certification are provided.

Standard (EN)
- Is the most commonly known deliverable in the standards context
- Is a normative document, which means that if parties decide to use the standard, they have to follow all the requirements set out in the standard
- Usually sets requirements to a product, system, process or service
- Can also provide terminology
- Is made available in at least the three official CEN languages (English, French, German)
- Does not conflict with the content of any other EN standard
- Its value derives from the main characteristics of its development: full consensus among the member countries, standstill (no national standards being developed in the same field), and obligatory implementation by member countries
- May form the basis for certification if it sets requirements

Technical Specification (TS)
- Like an EN, a normative document
- Main differences in its development process: no public consultation is needed, and it can be approved by the committee developing it
- Is usually established for specifications in evolving technologies and experimental markets
- May also be developed when there is insufficient support for public enquiry or no consensus before the formal voting procedure among the Member States exists

Technical Report (TR)
- Is an informal document which is developed to inform on the technical content of standardisation work
- Does not set requirements
- Can therefore not be used as a basis for certification

CEN Workshop Agreement (CWA)
- Is developed through a different process than the deliverables mentioned above (which are developed in TCs consisting of representatives of NSBs)
- Is developed by workshops consisting of stakeholders (both individuals and organisations)
- Stakeholders only give their own input (not a national point of view)
- Is approved by the workshop, does not have to go through public voting procedures
- Has a durability of three years
- Is less useful as a basis of certification due to its limited lifetime

Figure 3: Overview of deliverables at CEN and CENELEC (Source: Own figure)

18 See ISO/IEC, ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, 15 May 2005.
19 See ISO/IEC, ISO/IEC 17065:2012 Conformity assessment – Requirements for bodies certifying products, processes and services, 15 September 2012.

As mentioned in Figure 3, CWAs are developed in specific processes and, compared with ENs, they are characterized by a shorter development period. CEN members do not have to adopt or publish CWAs, but can do so if they want to. After its expiration, a CWA can be confirmed for one more period of three years, or has to be withdrawn or put forward to a technical committee (TC) to be developed into another type of deliverable (EN/TS).

2.4. ECONOMIC BENEFIT OF CONFORMITY ASSESSMENTS

As described before, the main value of conformity assessment systems is their contribution to overcoming market imperfections. Dynamic markets can easily fall prey to market imperfections which can have tremendous negative effects upon the market.20 Conformity assessment systems and accreditation can be used to negate, or at least to minimize, those negative effects. This aspect of the conformity assessment system is one of the strongest arguments for its implementation. In the continuation of this section four different cases of market imperfections will be described, as well as the effects of a conformity assessment system.21

1. Information Asymmetry refers to the lack of equally distributed knowledge in a market among the various market actors.22 This asymmetry causes the actors with lesser information to run the risk of making the wrong choices based on this incomplete information.

Conformity assessments can even out those information asymmetries. This can be achieved for example by setting obligations to share certain information or through assessments by third parties.

2. Adverse Selection refers to situations where a negative selection occurs due to asymmetric information between buyer and seller. The consequence of this effect is that low quality products are more likely to be selected, since buyers have no means to prove good quality and are thus not willing to pay higher prices. Conformity assessments can make such situations more equitable by setting mandatory quality certificates that confirm good quality of products and thus allow the acceptance of higher prices.

20 See Akerlof, George A., “The Market for "Lemons": Quality Uncertainty and the Market Mechanism”, The Quarterly Journal of Economics, Vol. 84, No. 3, 1970, pp. 488-500. http://links.jstor.org/sici?sici=0033-5533%28197008%2984%3A3%3C488%3ATMF%22QU%3E2.0.CO%3B2-6
21 See Teichler et al., op. cit., 2013, pp. 19ff.
22 See Stiglitz, Joseph E., “The contributions of the economics of information to twentieth century economics”, The Quarterly Journal of Economics, Vol. 115, No. 4, pp. 1441-1478. http://ricardo.ecn.wfu.edu/~cottrell/papers/stiglitz.pdf


3. External Effects are (economic) consequences of actions and decisions of one market actor onto others without those consequences being compensated or taken into consideration by the market actors.23

There are positive and negative external effects. An example of an external effect in the sector of civil security would be a new connection to the internet, or a new connection between two servers that used to be independent. While some individual might profit from the new connection, the general security can suffer (hackers could now have access to previously secure data). Conformity assessments can help internalize external effects and make them become part of the decision making process. One possibility would be through defining clear requirements and organizing regular check-ins to ensure a high level of implementation.

4. Natural Monopoly is a state of a product or service market which is brought forward by very high fixed costs, low marginal costs and economies of scale.24 Through this monopoly, the market loses its selective mechanisms and allows for a continuous lowering of quality by the monopolist.

Conformity assessments can re-establish a competitive market situation, for example by setting high quality demands which limit the possibilities of the monopolist.

5. Public Goods are goods which are not excludable, meaning their use and/or access is not limited to one person.25 This lack of excludability can be technological (e.g., radio waves are available to everyone) or political. It can also result in a loss of quality and subsequently low costs.

Conformity assessments can help here in the same way as with the natural monopoly, by setting certain quality levels as requirements and by their use for regular re-examinations. The internalization of market imperfections through conformity assessments offers certain advantages,26 including:

Preservation of quality
High product safety
Avoidance of damage and injuries
Reduction of risks
Higher specialization effect (which increases competition capabilities)27

There are three ways to internalize market imperfections through conformity assessment and accreditation. The differences depend on which role the state plays. From these differences we identify three sections within the conformity assessment system (Figure 4).

23 See Mankiw, N. Gregory, Principles of Economics. Fort Worth, Texas: Dryden Press, 1998.
24 See Stocker, Ferry, Moderne Volkswirtschaftslehre. Oldenbourg: Oldenbourg Wissenschaftsverlag, 2009.
25 See Donges, Juergen B. and Klaus-Werner Schatz, Staatliche Interventionen in der Bundesrepublik Deutschland: Umfang, Struktur, Wirkungen. Leibniz: Kieler Diskussionsbeiträge, No. 119/120, 1986. http://hdl.handle.net/10419/48101
26 See Jahn, Gabriele, Matthias Schramm and Achim Spiller, Zur Glaubwürdigkeit von Zertifizierungssystemen: Eine ökonomische Analyse der Kontrollvalidität. Göttingen: Institut für Agrarökonomie Georg-August Universität, 2003. http://www.uni-goettingen.de/de/sh/download/69d421644c49352d9b303174aedd84ca.pdf/Diskussionsbeitrag0304.pdf
27 See Ernst, Dieter, America's voluntary standards system: a "best practice" for innovation policy? Honolulu: East-West Center, 2012. http://www.eastwestcenter.org/publications/americas-voluntary-standards-system-best-practice-model-asian-innovation-policies


Voluntary Section: Conformity happens on a purely voluntary level and is both initiated and implemented by private actors. The state plays no major role and, if it participates at all, is a participant like all the others.

Law Regulated Section: Conformity is initiated by laws which are brought forward by the state. It is still implemented by private actors, but according to the state's rules. The state here “regulates” all three elements of the conformity assessment system.

“Sovereignty” Section: Conformity is a pure state business. The state is responsible for everything from setting definitions and requirements up to the implementation and surveillance. Private actors are no longer present. The state is the “agent” responsible for the conformity assessment system.

Figure 4: Sections of conformity assessment systems (Source: Own figure based on Teichler et al. (2013))

Figure 5 summarizes the three possible ways to internalize market imperfections, varying depending on the different roles taken by the state.28

Figure 5: Possible forms of internalization of market imperfections (Source: Own figure based on Teichler et al. (2013))

28 Ensthaler et al., op. cit., 2007 provide a detailed overview of the general possibilities of certification and accreditation in the public and private sectors as well as of the European accreditation systems. However, their work does not have a special focus on the “Sovereignty” section and security.


In Chapter 3 each of the three methods to internalize market imperfections will be described individually and in more detail.

The practical economic benefit of conformity assessment is shown in numerous studies. Guasch et al.29 for example list 14 studies: 11 studies indicated a positive impact of conformity assessment on firm performance while 3 failed to demonstrate such effects. Additional evidence is offered by BMWFJ.30 According to an IAF survey,31 certification (as part of the conformity assessment) adds value and increases trust. Around 80% of the participants agree or strongly agree with the statement that certification adds value. 25% state that it significantly increases sales and 37% report a minor increase in sales. The OECD32 has also published a study on conformity assessment bodies. The results hint at a strong tendency for exports to profit from conformity assessment, especially in terms of reducing information asymmetries. In addition, certification has a signaling function to prove quality. In a number of security areas selling products is not possible without the relevant certificates.

At the same time, there are also negative effects which arise from using the conformity assessment system. These mainly revolve around “freezing” the status quo, sometimes even leading up to “lock-ins”.33 Conformity assessments set up requirements which can stop new and innovative solutions from spreading in case they do not match those requirements (yet). The optimal rate of standard replacement thus strikes a balance between the costs of standardisation and standard adoption on the one hand, and the opportunity cost of using an outdated technology on the other hand. The rate can deviate from the social optimum in both directions, yielding either excessive inertia (insufficient rate of standard replacement) or excessive momentum (excessive rate of standard replacement). In a similar way, conformity assessments can also create barriers to entry and therefore harm competition.34 While those negative effects are known, they by no means outweigh the positive effects.35 Moreover, we will describe advanced certification solutions for innovative products, and will demonstrate the advantages of certification in innovative areas at the end of this document.

29 See Guasch et al., op. cit., 2007, p. 108.
30 See BMWFJ, ‘Akkreditierung. Studie zur wirtschaftlichen Bedeutung der Akkreditierung für die österreichische Wirtschaft’, no date. https://www.bmwfw.gv.at/TechnikUndVermessung/Akkreditierung/Documents/Endbericht%20KMU-Akkreditierungsstudie.pdf
31 See Frenz et al., op. cit., 2013.
32 See Fliess, Barbara and Raymond Schonfeld, Trends in Conformity Assessment Practices and Barriers to Trade: Final Report on Survey of CABs and Exporters, Trade Directorate 2006. http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?doclanguage=en&cote=td/tc/wp%282006%296/final, see also Teichler, et al., op. cit., 2013.
33 See Arthur, William Brian, “Competing Technologies, Increasing Returns, and Lock-In by Historical Events”, The Economic Journal, Vol. 99, No. 394, pp. 116-131, March 1989. http://www.jstor.org/stable/2234208
34 See Baumol, William J., Elizabeth E. Bailey, John C. Panzar, Robert D. Willig, Edward Zajac, Baumol, Panzar, and Willig’s Theory of Contestable Markets and Industry Structure: A Summary of Reactions. Harcourt Brace Jovanovich, 1982. http://mpra.ub.uni-muenchen.de/41974/1/MPRA_paper_41974.pdf
35 See Teichler et al., op. cit., 2013, p. 21 and the sources quoted there.


2.5. ECONOMIC BENEFITS OF STANDARDS AND THEIR USE FOR CONFORMITY ASSESSMENTS

2.5.1. GENERAL BENEFITS

Standardisation is an important catalyst for innovation, and modern societies need to include new knowledge from the research field in standards, promoting innovation and competitiveness.36 Based on their functions, four kinds of standards are distinguished: compatibility/interface standards, minimum quality/safety standards, standards for variety reduction and information standards.37 General positive effects of standards are shown in Figure 6.

Compatibility/interface standards: network externalities, avoidance of lock-ins, increased variety of systems products
Minimum quality/safety standards: correction for adverse selection, reduced transaction costs, correction for negative externalities
Standards for variety reduction: economies of scale, building focus and critical mass
Information standards: facilitate trade, reduce transaction costs

Figure 6: Positive effects of different kinds of standards (Source: Blind (2004))

A detailed description of the potential role of standardisation to accelerate the sustainable growth of the European economy is given by the European Commission (2011).38 To stimulate lead markets for security-related technologies and services, standards and specifications may provide knowledge and technology transfer, connect relevant stakeholders, foster innovative demand, provide innovation-enhancing regulatory frameworks, intensify competition and increase exportability (see Blind, 200839).

Certification can be based on standards developed by standardisation organizations. It is also possible to develop a certification system without using standards. Therefore, the main question is: what advantages arise from using standards instead of other documents as a basis for certification? Answers will be provided in the next sections.

36 See Blind, Knut, ‘Standardisation: a catalyst for innovation‘, Inaugural Address Series. Research in Management, Erasmus Universiteit, 2009. http://repub.eur.nl/res/pub/17558/EIA-2009-039-LIS.pdf; EXPRESS [Expert Panel for the Review of the European Standardisation System], ‘Standardisation for a competitive and innovative Europe: a vision for 2020,’ Report delivered to the European Commission in February 2010. http://ec.europa.eu/enterprise/policies/european-standards/files/express/exp_384_express_report_final_distrib_en.pdf; CEN‐CENELEC STAIR, ‘The Operationalisation of the Integrated Approach’, Submission of STAIR to the Consultation of the Green Paper “From Challenges to Opportunities: Towards a Common Strategic Framework for EU Research and Innovation funding”, 2011. http://ec.europa.eu/research/horizon2020/pdf/contributions/post/european_organisations/ -cen-elec_stair_joint_strategic_working_group.pdf
37 See Blind, Knut, The Economics of Standards: Theory, Evidence, Policy. Cheltenham, 2004, pp. 14ff.
38 See European Commission, A strategic vision for European standards: Moving forward to enhance and accelerate the sustainable growth of the European economy by 2020, Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee, COM (2011)311 final, Brussels, 1.6.2011. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0311:FIN:EN:PDF
39 See Blind, Knut, Standardisation and Standards in Security Research and Emerging Security Markets. Fraunhofer Symposium ‘Future Security’, 3rd Security Research Conference Karlsruhe, 10th - 11th September 2008, pp. 63-72.


2.5.2. USABILITY OF DIFFERENT DELIVERABLES FOR CONFORMITY ASSESSMENT

As described in Chapter 2.3.3, certification bodies certify a product, system, process or service against requirements set out in a document. ENs (or ISO standards, ‘ISOs’) are the most suitable to be used as a basis for certification for the following reason: certification is based on requirements. Technical Reports cannot set requirements and are therefore not suitable for certification. CWAs have a limited lifetime. They can be used for certification, but since a CWA usually exists for three years (with possible extension to six), it is not a preferable option. If a CWA is transferred into an EN after three or six years, the content of the document has to go through public voting and more/different/further stakeholders can give their input. This often leads to major changes in the content of the document. If the CWA was the basis for certification, this transfer from CWA to EN may lead to major changes in the certification practice as well. In contrast, Technical Specifications can be the basis for certification, since they can contain requirements.

For a certification system to be successful, it is important that stakeholders trust in the certification system as well as the requirements that are being certified. The one main distinctive feature of an EN is that the requirements which it sets are agreed upon by a very large community of interested parties. Often, the parties who have an interest in the certification process (i.e. manufacturers, end-users) are involved in the development of the EN, which makes it easier to value the requirements as well as the quality of the document.

When using a standard as the basis for certification, a certification scheme is needed. The standard sets the requirements and the certification scheme explains the steps to be taken in the certification process. A certification body can develop its own certification scheme for each standard it wants to certify. This means that each certification body may have its own certification scheme. From the point of view of comparability, transparency and efficiency, certification bodies may decide to bundle their forces and develop a harmonized certification scheme together.

2.5.3. EXAMPLES OF THE USE OF STANDARDS FOR CONFORMITY ASSESSMENT

To illustrate the use of standards for certification, this sub-chapter gives two examples consisting of management systems standards and the ISO standard ISO 15408.

Management systems standards

Organizations and companies often want to get certified to ISO’s management system standards (for example ISO 9001 [40], ISO 14001 [41], ISO 31000 [42]) although certification is not a requirement. The best reason for wanting to implement these standards is to improve the efficiency and effectiveness of company operations. According to Figure 7, a company may decide to seek certification for many reasons:

[40] See ISO, op. cit., 2008

[41] See ISO, ISO 14001:2004 Environmental management systems – Requirements with guidance for use, 15 November 2004

[42] See ISO, ISO 31000:2009 Risk Management – Principles and guidelines, 15 November 2009


Contractual or regulatory requirements

Necessity to meet customer preferences

Signaling competence

Falling within the context of a risk management programme

Helping motivate staff by setting a clear goal for the development of its management system

Figure 7: Selected reasons for certification (Source: own figure)

According to ISO [43], ISO 9001:2008 sets out the criteria for a quality management system and is the only standard in its standards family that can be certified to. It can be used by any organization and is implemented by over one million companies and organizations in over 170 countries. The standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. Using the standard helps ensure that customers get consistent, good quality products and services. Checking that the system works is a vital part of ISO 9001:2008. An organization must perform internal audits to check how its quality management system is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard. Alternatively, it might invite its clients to audit the quality system for themselves.

ISO 15408 [44]

The concepts, principles and requirements for IT security are established in the three parts of ISO 15408. This standard is accompanied by ISO 18045 [45], which was written specifically for evaluators and certifiers. ISO 18045 defines the minimum actions to be performed by an evaluator in order to conduct an ISO 15408 evaluation. By setting these minimum actions in a standard, ISO ensures that evaluators work at least in a comparable way on the level of the minimum actions. More examples of the use of standards for certification will be provided in Chapter 6.

2.5.4. EXAMPLES OF CONFORMITY ASSESSMENT WITHOUT USING STANDARDS

Certification is always based on a set of requirements. These requirements can be documented in a standard, but do not have to be. Certification without the use of standards is one of the practices in professional certification. In professional certification, a person is certified to be capable of completing a task or job, usually by passing an exam. The requirements for professional certification are often documented in documents from the school, the organization offering the exam or a sector organization.

[43] See ISO, ISO 9000 - Quality management, no date. http://www.iso.org/iso/home/standards/management-standards/iso_9000.htm

[44] See ISO/IEC, ISO/IEC 15408-1:2010 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model, 15 December 2009

[45] See ISO/IEC, ISO/IEC 18045:2008 Information technologies – Security techniques – Methodology for IT security evaluation, 15 August 2008


A second type of certification without using standards is certification based on sector requirements. Commonly known examples of these are the FSC [46] certificates for wood and sustainability labeling. In most cases of certification within a sector, the sector defines its own requirements and sometimes quality levels. Both in the case of professional certification and certification based on sector requirements, the certification itself can still be carried out by independent certification bodies.

In addition, there are fields in the software area in which no European standard exists and alternative documents are used for certification. This is in harmony with Regulation (EC) No 1025/2012, which lays down new rules for technical ICT specifications and highlights that ICT technical specifications are not adopted by the ESOs, international standardisation organisations or national standardisation bodies. Furthermore, Rodrigues et al. (2014) [47] provide an overview of different privacy seals which are based on standards and other documents. More examples are given in Chapter 5.

2.5.5. ADVANTAGES OF USING STANDARDS FOR CONFORMITY ASSESSMENT

An important difference between certification with standards and certification without standards lies in the fact that when using standards as a basis, it is known that the requirements have been agreed on by all parties concerned. This leads to transparent requirements and prevents any suspicion of partiality. According to Figure 8 and the following list, the use of standards offers four additional advantages:

Figure 8: Selected advantages of standards (Source: own figure)

Trust and transparency

An often heard comment about certification systems which are based on sector-internal requirements is that manufacturers/providers set the requirements for their own product or service. The end-users, who have a very large interest in the quality level, do not always have a say in the requirements. This fact may decrease the level of trust in the system and the value of the certificate. If standards are used as the basis for certification, all parties concerned, including end-users, have set the requirements together. This leads to increased trust in the certification system and the value of the certificate. Blind [48] summarizes this principle as follows: “In complex product and service markets, where conformity with a performance standard for the interoperability of systems is not transparent to the consumers, the certification of conformity by independent testing institutions presents a dimension of quality competition among suppliers which has positive impacts on consumers’ surplus”.

[46] See Forest Stewardship Council, "FSC Certification", no date. https://ic.fsc.org/certification.4.htm

[47] See Rodrigues, Rowena, David Barnard-Wills, David Wright, Paul De Hert and Vagelis Papakonstantinou, EU privacy seals project. Inventory and analysis of privacy certification schemes. Final Report Study Deliverable 1.4, 2014. http://bookshop.europa.eu/en/eu-privacy-seals-project-pbLBNA26190/

Comparability

By using standards as the basis for certification, the market can certify against the same set of requirements. This is a key prerequisite for comparable certificates: it is clear that certificates from different certification bodies have the same status, since they are all based on the same set of requirements. In contrast, if different sets of requirements are established within sectors, the certificates are less comparable. This might also lead to a decrease in the market players’ trust in certificates.

Interchangeability

If certification bodies all certify against the same set of requirements, manufacturers/providers are not bound to one certification body and can change from one certification body to another. Furthermore, if a standard set of requirements is used all over the EU, there is no need to certify a product or service in every country.

Economic impact

As mentioned above, the use of one set of standardised requirements as the basis for certification leads to interchangeability within the European market. This leads to a cost reduction for the manufacturers/providers. Furthermore, once a product or service has been certified, the step to enter the market in another European country will be easier since there is no need for another certification process. From an economic point of view, it will ease international trade for manufacturers/providers and will make it easier for end users to buy products/services from abroad. Altogether, this leads to a more open European market and a decrease of the barriers to trade. With regard to the security field, the European Commission summarizes the advantages of using standards for certification as follows: “Complementary to industrial standards is the need for more consistency in the regulation and certification of security-related equipment and services. This would provide certainty of technical reference for a wide range of stakeholders, from industry and technology innovators to end-users, regulators and policy makers. And it would go a long way toward helping create a single market and, above all, anchoring the conditions for interoperability of equipment across borders.” [49]

The following sub-chapters will describe the economic impact of conformity assessment.

[48] See Blind, op. cit., 2004, p. 42.

[49] See European Commission, Regulatory & certification issues, 05.02.2013, http://ec.europa.eu/enterprise/policies/security/industrial-policy/issues/index_en.htm


2.6. ECONOMIC BENEFIT OF MUTUAL RECOGNITION OF SECURITY-RELATED CONFORMITY ASSESSMENTS

Mutual recognition of conformity assessments is a specific issue of international trade. Guasch et al. (2007) describe the need for such arrangements as follows: “Demonstrating compliance through conformity assessment is itself only useful if the testing and certification requirements are similar in the exporting country and the importing country. If testing laboratories are not recognized abroad, tests on products carried out in the exporting country have to be repeated by a recognized laboratory in each of the importing countries. An adverse test report in the importing country can result in the rejection of an entire shipment. Likewise, if certification in one country is not recognized abroad, domestic firms requiring quality system and environmental management certification for export purposes need to be certified by organizations in each of the importing countries. Conformity assessment procedures vary widely across countries and in many cases constitute a large barrier to market entry. Nonrecognition or nonharmonization of conformity assessment procedures do not persist due to inherent national differences, but because conformity assessment is particularly vulnerable to misuse if bureaucratic procedures are not transparent.” [50]

The specific extent of the economic benefits of mutual recognition and conformity assessment depends on the specific security field. This sub-chapter gives an impression of these advantages by presenting numbers from two market segments as examples. In the following, the markets for alarm systems and airport scanners are investigated. [51]

Currently, companies that market security alarm systems need to apply for 10-15 certificates from different Member States to supply their products throughout Europe. The costs of certification of a system are on average at the level of € 200-300,000 for full access to Europe. Alternatively, the estimated cost for obtaining a mutually recognised certificate would amount to € 40-60,000 according to analyses of the European Commission. [52] Therefore, it is expected that the total savings based on a common EU scheme for conformity assessment and certification would amount to € 160-240,000. [53]

The total certification cost in the specific field of intruder alarm systems is estimated to range between € 6.2 million and € 13.2 million per year. It is assumed that a single European conformity assessment system reduces the cost by 75%. This would suggest a saving of € 4.7 million to € 9.9 million per year from certification of all intruder alarm systems. [54]

[50] See Guasch et al., op. cit., 2007, p. 82.

[51] The following explanations are based on European Commission, Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.7.2012.

[52] See European Commission (2012), Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.07.2012.

[53] See European Commission, op. cit., 2012, which describes the calculation in more detail based on AFNOR-CNPP, “Certification rules Electronic Security Equipment: Intrusion Detection, Access Control Management Systems”, HTTP://WWW.CNPP.COM/FR/MEDIATHEQUE/AUTRES-DOCUMENTS/CERTIFIERIMAGE/H58/REFERENTIEL-NF324-H58-VERSION-ANGLAISE-OCTOBRE-2010

[54] See European Commission, op. cit., 2012, p. 99.


With regard to the Explosive Detection System (EDS), the EU refers to an expert who estimated that the cost of a single test could be in the region of € 65 thousand and for a liquid explosive system (LAGS) in a range between € 30 and € 75 thousand. These figures do not take into account any repeated testing that may be required. Certification costs of larger systems are estimated to be up to €700,000. They include an estimated €100,000 for an “imaging test” for a cargo scanner as well as €500,000 for a biometric identity card model. A harmonisation of the certification of testing procedures for airport scanners would facilitate a cost reduction to € 3 million (30 products * € 100,000). Based on a comparison with the current cost of € 22 million, this implies cost savings of approximately € 19 million per year. [55]

Both examples show that harmonized solutions would provide the European security industry with substantial cost savings and consequently advantages in competing in the international market. The issue will be analyzed in more detail in CRISP WP 3.

[55] See European Commission, op. cit., 2012, p. 102.


3. GENERAL FRAMEWORK CONDITIONS IN EUROPE

This chapter provides a historical perspective of the general framework in European standardisation and certification and analyzes the legislative background of security standardisation and certification in depth.

3.1. GENERAL FRAMEWORK FOR CERTIFICATION AND ACCREDITATION IN EUROPE

According to Chapter 2, conformity assessment consists of three sections: the Voluntary section, the Law Regulated section and the Sovereignty section. [56]

3.1.1. CONFORMITY ASSESSMENT AND ACCREDITATION IN THE VOLUNTARY SECTION

Conformity assessments are implemented on a voluntary basis (without any regulatory enforcement) for a large part of the trade market. The idea behind this principle is that operators will accept and rely upon a conformity assessment made by an independent body without having to review the assessments themselves. These conformity assessments could be for security, quality, products or services. Through such a structure the economic relationships are strengthened and the market process is accelerated. Furthermore, through the use of a conformity assessment system, market imperfections can be internalized, reducing risks and costs as well as creating a differentiation possibility that facilitates competition. Certificates are the best example.

Certificates are used to inform the consumer about the characteristics of the products or services. They can also communicate that certain minimal requirements are being respected, for example in the fields of safety and security. To increase the credibility of the conformity assessments, the conformity assessment bodies can make use of accreditations, offered by an independent and neutral institution or body. Accreditation systems will be set up according to international standards and requirements, and are transparent in their criteria.

The basis for the accreditation is the fulfilment of international standards. These not only cover requirements for the basic markets, they also set the requirements of the conformity assessment system. The accreditation increases the trust in the results of the conformity assessment bodies and the quality of their tested products and services.

The accreditation is, mainly in the voluntary section, aimed at manufacturers and their clients and not at state institutions.

Here the key function of the accreditation is of an economic nature. The accreditation is and can be used as a differentiation or marketing tool in a market with high competition. There are also cases where such accreditations are unspoken requirements to enter the markets (for example in China or India). In cases where the accreditation fails, never takes place or is delayed, this results in high costs and losses for firms. Therefore there is an emphasis on a well-organized, quick and reliable accreditation system.

The expectations towards the accreditation are not only those previously mentioned, but also that the relevant organisation offers a capable management of the evaluation process with clear steps (applying, assessment, accreditation, monitoring). [57]

[56] See Teichler et al., op. cit., 2013, pp. 23ff.

[57] See Teichler et al., op. cit., 2013, pp. 23ff.


As mentioned, the state acts as a participant only. The requirements are set by and for private actors without any law enforcement. The state can be part of the procedure and formulate demands, in the same way all participants can. The rules for the conformity assessments are laid down and implemented by private actors. The state is a consumer of the assessment bodies like all others. The use of accreditation is a voluntary means to prove competency or to achieve higher recognition.

Directive 1999/93/EC [58] on a Community Framework for Electronic Signatures offers an early example of the definition of European framework conditions for certification and voluntary accreditation in a specific technological field. In particular, Article 4 ‘internal market principles’ and Article 11 ‘notification’ are important. At the beginning of the document several prerequisites for the establishment of the framework are defined which offer interesting examples for dealing with these certification and accreditation issues. The most important passages for this analysis are:

Certification service providers should be free to provide their services without prior authorisation; “prior authorization” includes not only any permission whereby the rel-evant certification service provider has to obtain a decision by national authorities be-fore being allowed to provide its certification services, but also any other measures having the same effect;

Voluntary accreditation schemes aiming at an enhanced level of service-provision may offer certification service providers the appropriate framework for developing their services further;

Certification service providers should be free to adhere to and benefit from such ac-creditation schemes; and

Certification services can be offered either by a public entity or a legal or natural person, when it is established in accordance with the national law; whereas Member States should not prohibit certification service providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services. [59]

Parts of the relevant articles are shown below.

Article 4 - Internal market principles

Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by the Directive.

Member States shall ensure that electronic-signature products which comply with the Directive are permitted to circulate freely in the internal market.

Article 11 – Notification

Member States shall notify to the Commission and the other Member States the following:

[58] See European Parliament and the Council, ‘Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures’, 13 December 1999. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31999L0093&from=EN

[59] See European Parliament and the Council, op. cit., 1999


information on national voluntary accreditation schemes, including any additional re-quirements pursuant to Article 3(7);

the names and addresses of the national bodies responsible for accreditation and su-pervision as well as of the bodies referred to in Article 3(4);

the names and addresses of all accredited national certification service providers.

In addition, Article 7 ‘International Aspects / Accreditation’ specifies aspects of similar activities outside Europe.

3.1.2. CONFORMITY ASSESSMENT AND ACCREDITATION IN THE LAW REGULATED SECTION

With the growing use of accreditation to increase trust and quality by private actors, it was also increasingly implemented by the state. The prime focus in this case is the elimination of dangers to humans, the environment or society which may arise through, for example, fake products or products of too low quality. To ensure a high quality and safety level, the state uses a combination of market access control and market monitoring.

With the creation of the European single market, the EU has developed into the central authority for laws touching upon conformity and accreditation. In 1985 the “New Approach” was established with the goals of tackling technical barriers and ensuring a common (high) level of safety for products. This is an important framework for the current regulatory instruments in the EU. On the basis of a Council Decision of May 1985, it creates a clear division of responsibilities between European lawmakers and standards bodies to facilitate the free movement of goods. EU directives thereby define the essential requirements to be fulfilled by goods and the European standards bodies have the task of creating the relevant technical specifications by adapting the essential requirements of the directives. [60] Chapter 3.2 describes the New Approach in more detail.

The New Approach was expanded in 2008 with the “New Legislative Framework” (NLF), [61] which applied the New Approach principles to further fields and sectors of the European single market. It includes specific measures aiming at removing the remaining obstacles to the free circulation of products and providing a major boost for trade among the EU Member States. To increase confidence in conformity assessment and certification facilities, the instrument of accreditation was developed. Specific accreditation organizations were founded to certify the auditing competence of such entities. [62] Regulation (EC) No 765/2008 states that the use of accreditation should be the preferred method to give proof of the competency of such notified bodies. With the changes made to the accreditation laws in 2010, this has also been widely put into practice (with the exception of the medical sector [63]). A further decision of the Regulation (EC) No 768/2008 deals with the “presumption of conformity.” It declares that if the notified bodies are accredited for fulfilling the European standards, then it can be assumed that they are also fulfilling the requirements of the regulations and directives. Of course, in case of deviation between the requirements set by the standards and those of the regulations or directives, further examinations are necessary. Such deviations are expected in certain sectors, especially in the medical sector. In those cases the laws have priority and their requirements have to be upheld. Further, specific requirements for the accreditation are to be tested separately.

[60] See Blind, Knut, “Deutschlands Standardisierungsstrategien hin zum Leitmarkt "Sicherheit": Potenziale und Herausforderungen”, in: Rolf Stober (ed.), Jahrbuch des Sicherheitsgewerberechts, Hamburg, Verlag Dr. Kovac (Schriften aus der Forschungsstelle Sicherheitsgewerbe 5), 2008, pp. 183-212.

[61] The relevant regulation is “Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93”

[62] See Blind, Knut and Axel Mangelsdorf, The Trade Impact of ISO 9000 Certifications and International Cooperation in Accreditation, 2012, Proceedings of the 17th EURAS Annual Standardisation Conference - Standards and Innovation, pp. 21-34.

[63] See Teichler et al., op. cit., 2013, p. 37.

It is declared by Regulation (EC) No 765/2008 that the CE marking is the only marking which declares conformity with harmonized Community regulations. According to the regulation, Member States shall ensure the correct implementation of the regime governing the CE marking and take appropriate action in the event of improper use of the marking. Other markings (which have specific relevance in CRISP’s context) may be applied to products if they provide additional information or value, or cover a domain outside the Community regulations.

The NLF creates trust across the borders of the Member States of the EU and in their conformity assessment bodies. Since the requirements come from harmonized European standards, they are shared by all members and allow products and services to be imported without an additional national test being necessary at the border. At the same time, the requirements for the accreditation of the conformity assessment bodies are also set by European standards and increase the trust in the results of the conformity assessment bodies of the other Member States. [64]

With regard to the accreditation system in the law regulated section we can summarize as follows:

The basis for the competency validations lies in the European laws and standards. Accreditation may be used to prove this competency, but it is not mandatory;

The accreditation can be found, when used, in the law regulated section, targeted to official institutions and governments of the Member States of the EU;

The key function of the accreditation is to prove the competency of the conformity assessment bodies to the Member States of the EU; and

The expectations towards the accreditation are, taking into account its key function, to preserve and test a level of competency dictated not only by the European standards but also by the laws and regulations.

In the law regulated section, the state acts primarily as a regulator. The characteristic feature of this section is that the state creates the conformity assessment system by legislation. This can be done at all three levels of influence:

Defining the requirements for products and services, e.g. by harmonized standards;

Defining the conformity assessment by law, e.g. by a legal duty to carry out a conformity assessment and/or by statutory provisions on the nature and method of conformity assessment; and

Confirming the competence of the conformity assessment bodies. [65]

[64] See Röhl, Hans Christian and Yvonne Schreiber, Konformitätsbewertung in Deutschland. Konstanz: Universität Konstanz Fachbereich Rechtswissenschaft, 2006. http://nbn-resolving.de/urn:nbn:de:bsz:352-opus-19333

[65] See Teichler et al., op. cit., 2013, p. 29.


According to the European Parliament and the Council (2008) [66] and based on the specific solutions of the companies concerned, conformity assessment procedures in the law regulated sector include 16 modules, which are shown in Figure 9.

Figure 9: Modules of conformity assessment according to European Commission (2008) [67] (Source: own figure)

Although the modules address production and products, CRISP’s emphasis is put on product-related assessments. According to the document, EC-type examination, for example, is the part of a conformity assessment procedure in which a notified body examines the technical design of a product and verifies and attests that the technical design of the product meets the requirements of the legislative instruments that apply to it. Under this module, the manufacturer submits the following to the relevant notified body:

Technical documentation;

Supporting evidence for the adequacy of the technical design solution; and

Specimen(s), representative of the production envisaged, as required.

Whereas the notified body:

[66] See European Commission, Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC, Brussels, 13.08.2008. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008D0768&from=EN

[67] See European Commission, op. cit., 2008.


Ascertains conformity with essential requirements;

Examines technical documentation and supporting evidence to assess adequacy of the technical design for specimen(s): carries out tests, if necessary; and

Issues EC-type examination certificate.

Technical requirements on Notified Bodies are outlined by European Commission (1997).68 According to the document, notified bodies that can prove their conformity with the harmonised EN 45000 standards series by submitting an accreditation certificate or other documentary evidence are presumed to conform to the requirements of the directives. The EN 45000 series includes, for example, the following five standards describing requirements on conformity assessment bodies (Figure 10). Figure 11 shows the relevance of these standards for the conformity assessment modules described in Figure 9.

EN 45001 General criteria for the operation of testing laboratories
EN 45004 General criteria for the operation of various types of bodies performing inspection
EN 45011 General requirements for bodies operating product certification systems
EN 45012 General requirements for bodies operating assessment and certification/registration of quality systems
EN 45013 General requirements for bodies operating certification of personnel

Figure 10: EN 45000 standards with requirements on conformity assessment bodies (Source: Own figure based on European Commission (1997))

Module Aa: 1st option: EN 45001 (+ ability to decide on conformity) or EN 45004; 2nd option: EN 45001 (+ ability to decide on conformity) or EN 45004
Module B: HS not applied: EN 45004; HS applied: EN 45011 (observe relevant requirements in EN 45001 and/or EN 45004 for testing, examinations required) or EN 45004
Module C: 1st option: EN 45001 (+ ability to decide on conformity) or EN 45004; 2nd option: EN 45001 (+ ability to decide on conformity) or EN 45004
Module D: EN 45012 (+ product knowledge)
Module E: EN 45012 (+ product knowledge)
Module F: EN 45001 or EN 45004
Module G: HS not applied: EN 45004; HS applied: EN 45011
Module H: EN 45012 (+ product knowledge)
Module Hbis: EN 45004

Figure 11: Relevance of the EN 45000 series in European conformity assessment (Source: CERTIF 97/5 EN)

68 See European Commission, The EN 45000 Series of Standards and the Conformity Assessment Procedures of the Global Approach, Working Document, CERTIF 97/5 EN, Brussels, 15 September 1997. http://ec.europa.eu/enterprise/policies/single-market-goods/files/mra/certif_97_5_en.pdf


3.1.3. CONFORMITY ASSESSMENT AND ACCREDITATION IN THE “SOVEREIGNTY” SECTION

The state has a long history of internalising market imperfections by taking over the whole process of conformity assessment and only then allowing a product or service to enter the market. The conformity assessment system with private actors described above is not involved. The state takes over all three steps of the system. It formulates the requirements in precise detail, as was previously done under the “Old Approach”. It specifies how the competency should be evaluated and finally does the evaluation itself. This situation is usually referred to as “State Conformity Assessment”. Examples are metal detectors and scanners at airports for both passengers and luggage. The requirements are set by EU and international law. The detectors and scanners are tested by state institutions according to international law and any additional national laws.

The decisive argument for state conformity assessment is the possibility of keeping requirements and test procedures confidential. In addition, it allows for a concentration of testing areas with an efficient implementation of new methods. Even so, state conformity assessment also has negative effects, especially on an international market. Since the requirements are confidential, a producer has to let its products or services undergo testing in each new country. In addition, this approach requires a high amount of resources from the state, too.

A key characteristic of the sovereignty section is that the state does not use the conformity assessment system but instead implements everything on its own, using its own personnel. In this case the competency of the assessment bodies is never really tested or confirmed. Accreditation is not used.

3.1.4. THE EUROPEAN CO-OPERATION FOR ACCREDITATION AND THE MULTILATERAL AGREEMENT

Facilitated by the EU Treaty for the European single market in the civilian sector, conformity assessment and accreditation in the law regulated section allow for specific inter-European collaborations to reduce barriers to trade. The European co-operation for Accreditation (EA) is an important institution in this regard. It is “appointed by the European Commission to manage the accreditation infrastructure within the EU, EFTA and candidate countries. Established in 1997, the organisation is a non-profit association of nationally recognised accreditation bodies”69. Being responsible for harmonising accreditation within Europe, it coordinates and leads the European accreditation infrastructure “to allow the results of conformity assessment services in one country to be accepted by regulators and the marketplace in another country without further examination”70. A key instrument used by EA is the EA Multilateral Agreement (EA-MLA), which is a signed agreement “whereby the signatories recognise and accept the equivalence of the accreditation systems operated by the signing members, and also the reliability of the conformity assessment results provided by conformity assessment bodies accredited by the signing members”71. The participation of National Accreditation Bodies requires compliance with ISO/IEC 17011 Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies.72 The Multilateral Agreement complies fully with the World Trade Organisation (WTO) agreement on technical barriers to trade, which strongly encourages countries to recognise the results of other countries’ conformity assessments. Certificates provided by organisations accredited by EA MLA signatories are also recognised by the signatories of the International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF) multilateral agreements.73

Although the EU Treaty for the European single market exists, obstacles to trading security solutions in the sovereignty section exist, as mentioned briefly in Chapter 3.1.3. The specific situation in this field is described in Chapter 6.

69 See EA [European co-operation for Accreditation], “Accreditation in Europe. Facilitating regulatory compliance and international trade”, 2013. http://www.european-accreditation.org/brochure/ea-accreditation-in-europe
70 See EA, “EA’s mission”, 2014a, http://www.european-accreditation.org/mission.

3.2. GENERAL FRAMEWORK FOR STANDARDISATION IN EUROPE

3.2.1. MAIN FEATURES OF THE EUROPEAN STANDARDISATION POLICY

From the “old” to the “new” approach to technical harmonization in Europe

Standardisation in the EU contributes "in a significant way to the functioning of the single market, the protection of health and safety, the competitiveness of industry and the promotion of international trade, and has been supporting an increasing range of community policies"74.

When attempts started for the development of technical regulations applicable to the markets of Member States in the early 1970s, it quickly became evident that legislation was not the right instrument for the elaboration of common technical rules. An ad hoc “method” for the establishment of harmonized technical requirements for products in specific trade areas had to be designed.75

In May 1985, the Council of Ministers adopted a resolution introducing this method in the form of the “New Approach to technical harmonization and standards”.76 The “New Approach” moved away from the “Old Approach”, which tended to include detailed technical requirements in community legislation. Amongst other innovations, the “New Approach” limited legislative activities to requirements of a “general” nature inspired in particular by health and safety principles. This implied that technical elements for product specification were covered in “harmonized European standards” that had to be developed by the ESOs and that were not disciplined by the legislation itself.77 Responsibility for working on technical rules at the European level was therefore delegated to the standards organisations, whilst public authorities committed themselves not to approve technical contents and standards even if such aspects had previously been subject to regulation.78

71 See EA, “The MLA”, 2014b. http://www.european-accreditation.org/the-mla
72 See EA, op. cit., 2013.
73 See EA, op. cit., 2013.
74 See Council of Ministers, Resolution of 28 October 1999 on the role of standardisation in Europe, OJ C 141/1, 19.05.2000, [point 5].
75 See European Commission, Standardisation and the Directive 98/34/EC: Historical background, Vademecum on European Standardisation, Part I, General Framework, Chapter 1.1, 15 November 2003, p. 2.
76 See Council of Ministers, Resolution of 7 May 1985 on a New Approach to technical harmonization and standards, OJ C 136, 04/06/1985.

The set-up of a mechanism for information exchange in the field of technical regulations

The “New Approach” established procedural conditions under which the European legislator “monitored” the role of standardisation organisations in the development of standards. This led to the adoption of the so-called “Transparency Directive”, Directive 98/34/EC, which laid down a procedure for the exchange of information in the field of technical standards and regulations. More specifically, by consolidating and rationalising an already existing procedure,79 this Directive imposed the obligation upon Member States to notify to the Commission information on all draft technical regulations concerning products and information-society services before they were adopted into national law.80 The procedure aimed at providing transparency with regard to these regulations. The Directive has partly been amended by Regulation 1025/2012,81 which is currently the latest and most comprehensive act adopted by the European legislator in the field of standardisation.

The non-binding and voluntary nature of standards

Standardisation is a form of “self-regulation”. Interested parties agree voluntarily on technical matters and decide whether or not to abide by these agreements.82 The voluntary cooperation among stakeholders from industry, consumers, social and environmental organisations and public authorities takes place in the framework of the standardisation organisations.

The role of the EU in coordinating standards’ development in support of the Union’s legislation

At the EU level, standardisation is handled by the three ESOs. They carry out their activities in particular in cooperation with the National Standardisation Bodies of the Member States and the European Commission.

A standard can be developed on the initiative of one of the ESOs. However, the European Commission can also mandate the ESOs to draw up a standard related to products or services, or ask for a standard to be developed in a specific area when it believes this would be useful for the application of Union legislation on harmonisation.83 The ESOs are therefore asked to meet requirements set in legislation in order to develop those standards which – apart from having an economic nature – also have a public interest dimension.84 This is a direct consequence of the “New Approach” described above.

77 See European Commission, Efficiency and Accountability in European Standardisation under the New Approach, Report from the Commission to the Council and the European Parliament, COM(1998) 291 final, Brussels, 13.05.1998, p. 2.
78 See European Commission, op. cit., 1998, p. 3.
79 In the field of standardisation, Directive 94/10/EC of the European Parliament and the Council of 23 March 1994, amending for the second time Directive 83/189/EEC, already simplified considerably the procedure for the provision of information in the field of technical standards and regulations previously laid down in Directive 83/189/EEC. These texts were consolidated by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations.
80 In particular, the information procedure for standards established by Articles 2 to 7 of Directive 98/34/EC provided for the national standardisation bodies to notify the Commission, the ESOs and the other national standardisation bodies of any new subjects for which they had decided to prepare or amend a standard.
81 See European Parliament and the Council, Regulation (EC) No 1025/2012 of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council, OJ L 316/12, 14.11.2012.
82 See European Commission, European Standardisation in support of European Policies, Standardisation Setting and Governance, Vademecum on European Standardisation, Part II, Chapter 1, Brussels, 15 November 2003, p. 2.

Accountability and efficiency of the standardisation process

The need to balance accountability and efficiency criteria in the standardisation processes has been a constant objective of European Institutions over the past two decades. On the one hand, fulfilling accountability criteria – namely, an adequate level of openness, transparency and consensus amongst stakeholders – implies that there is a minimum amount of time needed for the development of standards. On the other hand, ever-decreasing product life cycles and the rapid development of new technologies demand an increasingly efficient process for standards production.85

In its conclusions on standardisation and innovation of 25 September 2008, the Council pointed out that the desired acceleration of the standardisation process is not necessarily detrimental to the principles of quality, transparency and consensus among all interested parties.86

Accountability in European standardisation entails that the system is open and transparent, that the standard meets the consensus of all major interested parties and that it is applied in a uniform way throughout the territory of the Member States.87 Accountability is also associated with the standards organisation which develops the standard and with the effective involvement of interest groups in the process. In particular, the European Commission has already maintained in the past that the participation of societal stakeholders (those representing consumer, health, safety and environmental interests) in the standardisation process has “a strong and important dimension of accountability. It reinforces the quality of the consensus and makes the standards more representative”88.

Moreover, in its conclusions on standardisation and innovation of 2008, the Council asked European and national standardisation bodies to further facilitate participation in standardisation by all interested parties, in particular representatives of small and medium-sized enterprises, consumers, trade unions and bodies representing societal interests. A number of European programmes already provided for the possibility to financially support European organisations representing small and medium-sized enterprises (SMEs), consumers and environmental interests in standardisation, while specific grants were paid to European organisations representing social interests in standardisation.89 Regulation 1025/2012 has partly repealed and rationalized those programmes and established that the Commission should be in a position to continue providing grants to those organizations.90

83 See European Commission, European standardisation in support of European policies - Role and preparation of mandates - Vademecum on European Standardisation, Part II, Chapter 4.1, 15 October 2009, p. 3.
84 See European Commission, op. cit., 1998, p. 3.
85 See European Commission, op. cit., 2003, p. 9.
86 See Council of the European Union, Conclusions on standardisation and innovation, Brussels, 25 September 2008, [point 24, p. 4].
87 Principles of accountability were first laid down in the General Guidelines for Co-operation between CEN and CENELEC and the European Commission, adopted in 1984, and in the Council Resolution of 18 June 1992 on the role of European standardisation in the European economy, OJ C 173 of 9.7.1992.
88 See European Commission, The challenges for European standardisation, Staff Working Document, 18 October 2004, p. 5.
89 Such programmes were included in Decision No 1639/2006/EC of the European Parliament and of the Council of 24 October 2006 establishing a Competitiveness and Innovation Framework Programme from 2007 to 2013, Decision No 1926/2006/EC of the European Parliament and of the Council of 18 December 2006 establishing a programme of Community

Regarding efficiency, Regulation 1025/2012 sets the framework for effective cooperation among standardisation bodies. Recital 18 of the regulation reads that “In order to speed up the decision-making process, national standardisation bodies and European standardisation organisations should facilitate accessible information on their activities through the promotion of the use of information and communication technologies (ICT) in their respective standardisation systems, for example by providing to all relevant stakeholders an easy-to-use online consultation mechanism for the submission of comments on draft standards and by organising virtual meetings, including by means of web conferencing or video conferencing, of technical committees”91.

The international dimension of standardisation

In a staff working paper titled “European Policy Principles on International Standardisation” issued in 2001, the Commission maintained that “Europe has an interest in international standardisation because of its potential to eliminate technical barriers to trade and increase market access for all. International standardisation also offers the possibility to promote and disseminate technologies on a peer basis with others”.92

The EU aims at playing a proactive role in international standardisation. Recital 19 of Regulation (EC) No 1025/2012 explains that by “driving the development of European or international standards for goods and technologies in the expanding markets in (major societal) areas, the Union could create a competitive advantage for its enterprises and facilitate trade, in particular for SMEs, which account for a large part of European enterprises”.

The Union’s core international commitments in standardisation are expressed through the WTO agreement on technical barriers to trade. This agreement establishes the principle that technical regulations “shall not be more trade-restrictive than necessary to fulfil a legitimate objective”.93 It also recommends recourse to international standards wherever possible when drafting technical regulation.94

In line with this recommendation, the European Commission and the ESOs act in coordination with the outcomes of the international standardisation bodies, namely ISO, IEC and ITU, when developing standards. International standardisation activities also receive EU support through ad hoc programmes relating to technical assistance to, and cooperation with, third countries.95

89 (cont.) action in the field of consumer policy from 2007 to 2013 and Regulation (EC) No 614/2007 of the European Parliament and of the Council of 23 May 2007 concerning the Financial Instrument for the Environment (LIFE+).
90 See recital 41 of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12, 14.11.2012.
91 See recital (18) of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12, 14.11.2012.
92 See European Commission, European Policy Principles on International Standardisation, Staff Working Paper, SEC(2001) 1296, Brussels, 26.07.2001, p. 4.
93 See Art. 2.2 of WTO Agreement on Technical Barriers to Trade. According to this article, such legitimate objectives are, inter alia: national security requirements; the prevention of deceptive practices; protection of human health or safety, animal or plant life or health, or the environment.
94 See Art. 2.4 of WTO Agreement on Technical Barriers to Trade.
95 See recital (42) of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12, 14.11.2012.


EU financing of standardisation activities

European standardisation is largely financed by industry and private undertakings. However, the European Commission also grants financial contributions to the ESOs and other actors involved in the process of developing standards in support of Union legislation. This is a way to ensure that the participation of small and medium-sized enterprises and societal stakeholders, which is important for accountability, is not hampered by a lack of resources.

The European legislator has provided for an ad hoc framework allowing the Union to finance standardisation activities that are required to implement its policies. Decision 1673/2006/EC on the financing of European standardisation was the first compilation of rules establishing such a framework. This decision was repealed by Regulation 1025/2012, which lays down the rules that are currently in force in this area.

The regulation establishes the legal basis for the financial support provided by the Union to the European standardisation system (Articles 15, 16 and 17). Union financing can be granted to the ESOs, NSBs or other bodies cooperating with the ESOs, and to stakeholder organizations meeting the eligibility criteria for Union financing set out in Annex III of the regulation itself. Financial support mainly consists of grants.

Regulation (EC) No 1025/2012 and its main innovation

As mentioned above, Regulation (EC) No 1025/2012 currently provides a general and overarching regulatory framework for European standardisation. This regulation lays down the rules governing the cooperation between national and European standardisation bodies and the European Commission, and it also stipulates how stakeholders from business, industry and representatives of consumers, environmental or social organisations should be involved in developing standards.

Apart from the provisions already mentioned in this paper, the regulation lays down new rules for technical ICT specifications. It is also designed to encourage wider use of standards in the services sector. It addresses ICT technical specifications because such specifications are not adopted by European standardisation organizations, international standardisation organisations or national standardisation bodies; they are developed by other standards development organizations and do not fall in any of the categories of standards and approvals laid down in the Union’s public procurement legislation.96 As a consequence, the regulation lays down a procedure for the identification of selected ICT technical specifications eligible for referencing in public procurement (Article 13). According to recital 31 of the Regulation, “the requirements for the identification of ICT technical specifications should ensure that public policy objectives and societal needs are respected (…)”.

Compared to past rules, the regulation also introduces innovations regarding standards related to services. It covers the means by which voluntary standards for services in areas such as health care, social and social security services may be drawn up and adopted by Member States.

Summary

Standardisation in the EU contributes in a significant way to the functioning of the single market. When attempts began for the development of technical regulations applicable to the markets of Member States in the early 1970s, it quickly became evident that legislation was not the right instrument for the elaboration of common technical rules. An ad hoc “method” for the establishment of such rules had to be designed. In May 1985, the Council of Ministers introduced such a method, which became famous under the name of “New Approach to technical harmonization and standards”. The “New Approach” marked a major turning point in the evolution of standardisation policies and rules in the EU. This is principally because it moved away from the “Old Approach”, which tended to include detailed technical requirements in legislation. As a consequence, responsibility for working on technical rules at the EU level was delegated to the ESOs. Therefore, ESOs can receive mandates from the European Commission to develop standards based on EU legislation. This means that apart from having an economic nature, such standards have a public interest dimension. The following section provides a general overview of major policy and regulatory developments in the field of standardisation in the EU since the early 1970s. It also focuses on the reasons why the need to balance accountability and efficiency criteria in the standardisation processes has been a constant objective of European Institutions. Finally, this section deals with some of the main provisions of Regulation (EC) No 1025/2012, which currently represents the most extensive and overarching regulatory text on standardisation in Europe.

96 ETSI produces a large number of technical specifications, of which only some are accredited as an ES.

3.2.2. MULTINATIONAL COLLABORATIONS IN STANDARDS DEVELOPMENT

According to Chapter 2.3.1, multinational collaboration in standardisation has priority on both a national and a European level. An example of national principles is given by Germany and the German standardisation organization DIN. After receiving an application for the implementation of a standardisation project, the DIN clarifies, among other things, whether the processing should take place at the national, European or international level. Where appropriate, an implementation on an international or European level is preferred.
If similar standardisation work on the same subject is already implemented at European level, implementation of national standardisation measures is not possible due to a "standstill agreement"97.

On a European level, the ESOs CEN and CENELEC closely cooperate internationally with the ISO and the IEC. This close cooperation has been reflected by the signature of the Vienna Agreement (ISO-CEN) and the Dresden Agreement (IEC-CENELEC). The Vienna Agreement was signed in 1991. It was drawn up with the aim of preventing duplication of effort and reducing time when preparing standards. As a result, new standards projects are jointly planned between CEN and ISO.

The Dresden Agreement was signed in 1996 with the same purpose. As a result, new electrical standards projects are now jointly planned between CENELEC and IEC, and where possible most are carried out at international level. This means that CENELEC will first offer a New Work Item (NWI) to its international counterpart. If accepted, CENELEC will cease working on the NWI. If IEC refuses, CENELEC will work on the standards content development, keeping IEC closely informed and giving IEC the opportunity to comment at the public enquiry stage. The Dresden Agreement also determines that CENELEC and IEC vote in parallel (both organisations vote at the same time) during the standardisation process. If the outcome of the parallel voting is positive, CENELEC will ratify the European standard and the IEC will publish the international standard.98

This close cooperation has resulted in some 75% of all European standards adopted by CENELEC being identical to or based on IEC standards. This high proportion of aligned standards is regarded as an indicator of the implementation of the WTO Agreement on Technical Barriers to Trade. The CEN-ISO cooperation is an efficient division of labour in which both organizations can refer to the expertise and resources of each other. This is especially important in cases requiring complementary expert knowledge. The cooperation facilitates the technical exchange between both organizations and at the same time increases the global recognition of both. The ratification on the European as well as on the international level furthermore increases transparency and supports the harmonization process.

97 See DIN, Entstehung einer nationalen Norm, no date. http://www.din.de/cmd?level=tpl-artikel&languageid=de&cmstextid=54278

3.3. SECURITY STANDARDISATION AND CERTIFICATION IN EUROPE

3.3.1. INTRODUCTION

Compared with products and services in general, requirements on products and services for civil security include several specifics. Therefore their testing and approval is based on two aspects: an evaluation of product safety in general and a specific security assessment. The general evaluation covers, for example, product or operational safety, environmental safety, etc. In addition, an assessment is needed on how products, services and service providers are capable of fulfilling their intended security function. These functions include, for example, warning or protection. Here, minimum levels are determined by the state to build the foundation of the testing and certification processes. Since the state has the right to determine what to protect and how to protect it, it defines the performance requirements for some devices and technologies.99

The secrecy of certain information about the requirements for equipment and technology justifies additional preventive protection measures, although this contradicts the aim of open and transparent standardisation, certification and accreditation.100 As described in Chapter 2.6, unlike in other areas, no common European market for security products exists. The market is highly fragmented and suffers from time-consuming and costly national certifications.101 Member States have their own national certification systems in place. Nearly no mutual recognition of certifications exists. There is a significant need for European Conformity Assessments and Certifications (CAC).102

98 See CEN/CENELEC, “ISO and IEC”, no date. http://www.cencenelec.eu/intcoop/StandardizationOrg/Pages/default.aspx
99 See Teichler et al., op. cit., 2013, p. 139.
100 See Teichler et al., op. cit., 2013, p. 134f.
101 See Thoma, Klaus, Positionspapier des wissenschaftlichen Programmausschusses zum nationalen Sicherheitsforschungsprogramm, 2010. http://www.bmbf.de/pubRD/WPA_Positionspapier_2010.pdf; ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report, Vol. I, 2011a. http://ec.europa.eu/enterprise/policies/security/files/doc/secerca_final_report_volume__1_main_report_en.pdf
102 See ECORYS, op. cit., 2011a.


In addition, a large number of different standards and certification procedures exist, and a manufacturer that operates throughout Europe needs to acquire six to ten national certificates, usually based on separate and distinct test processes. Some Member States have implemented certification procedures for certain products, while other Member States have no approach to certifying such products.103 A key reason for the problem is the absence of common standards. ECORYS describes the problem as follows: “In the absence of agreement on common standards, it is unlikely that Member States would (voluntarily) agree to any procedure for mutual recognition of certification/approval of security products”.104 The main problems are the fragmentation of the EU security market for airport screening equipment and the lack of harmonised certification procedures and standards. At least 27 different security markets exist. This is a particular problem for SMEs.105 The absence of appropriate solutions for certifying security solutions in other Member States has led to high barriers to market entry, and true economies of scale are nearly impossible. In summary, the development of CACs is characterized by numerous challenges. ECORYS106 identified the following issues in particular:

• Highly fragmented European market, challenges regarding future growth;
• No common (single) framework that applies to security products and the market for security products as a whole;
• Absence of common certification systems for security products;
• No mechanism of mutual recognition across countries of products certified at a national level; and
• Slow speed of response and adaptation of certification procedures, notably where new security threats require the implementation of new security solutions and technologies.

Only a few solutions exist, in small areas of the European security markets. The SOGIS-MRA, for example, has long existed in this sensitive area. Common Criteria (CC), another good example, will be described in Chapter 6.4.2. In addition, several steps have been taken to solve the existing problems in the other security fields, but even these accomplishments have weaknesses: “Some steps have been taken towards the development of EU-wide systems, for example the ECAC Common Evaluation Process in the aviation sector, though this applies only to certain categories of equipment and stops short of a procedure for mutual recognition of approved/certified equipment”.107

103 See European Commission, Action Plan for an innovative and competitive Security Industry {SWD(2012) 233 final}, Communication from the Commission to the European Parliament, the Council and the Economic and Social Committee, COM(2012) 417 final, Brussels, 26.07.12, p. 33.
104 See ECORYS, op. cit., 2011a, p. 187.
105 See DG ENTR, Roadmap Establish an EU harmonised certification system for airport screening equipment, 2013. http://ec.europa.eu/smart-regulation/impact/planned_ia/docs/2014_entr_004_harmonized_certification_airport_screening_equipment_en.pdf
106 See ECORYS, op. cit., 2011a.
107 See ECORYS, op. cit., 2011a, p. 187.


Solutions to certify security solutions in other Member States are needed. In Germany, this was documented in 2011 at a workshop at DIN attended by about 100 experts. Supported by European industry and based on the common interests of its members, the withdrawal of national certification marks was recommended. In addition, preserving existing levels of quality and simplifying test procedures (one-stop testing, one-stop certification) were regarded as important108 (see also Chapter 6.5.1). ECORYS also describes such a solution, suggesting "an EU-wide accepted certification scheme with one unique label".109 With regard to CBRNE, the members of the European project CREATIF developed a joint testing facility concept, although this has not been accepted by the stakeholder community, for various reasons.110 A need for elaborating and developing appropriate solutions remains and will be addressed in this project. The European Commission has developed precisely defined objectives and identified the areas in which such measures have the highest priority. It recommends starting with airport screening (detection) equipment and alarm systems.111 The next sub-chapter presents key documents which outline specific goals to facilitate the certification and accreditation landscape for security solutions in Europe. They illustrate the historic development of the field as well as present accomplishments.

3.3.2. EUROPEAN EFFORTS TOWARDS SECURITY-RELATED CAC SOLUTIONS

3.3.2.1. THE ESRIF REPORT

Many initiatives have begun in the EU since the Council Resolution of 28 October 1999 on "the Role of Standardisation in Europe",112 in which the Council acknowledged the important role of standards and invited the Commission to analyse the current situation of European standardisation and to respond to the challenges facing the European standards system.113 In this sense, standardisation is an integral part of the EU policies to increase the competitiveness of enterprises and to remove barriers to trade through better regulation and the simplification of legislation. Focusing on security standardisation in Europe, the document that marks a turning point is Mandate M/487 of 17 February 2011, addressed to CEN, CENELEC and ETSI to establish security standards. The Mandate aims at developing a work programme for the definition of European Standards and other standardisation deliverables in the area of security. It takes account of the legislative background and draws up a security standardisation map covering the most relevant national standards, the full range of available EU standards as well as ISO and IEC standards, in order to ensure the protection and security of citizens (the Mandate has an exclusively civil application focus). The legislative background on security is formed by several documents.

In light of modern security concerns, the European Security Research and Innovation Forum (ESRIF) was established in 2007 to develop a European Security Research and Innovation Agenda (ESRIA).114 With a view to improving coherence at European, national and regional levels, the agenda provides a common strategic roadmap for security research and innovation with a 2030 horizon. On 23 November, ESRIF adopted its key findings and recommendations. The ESRIF report, finalized in December 2009, highlighted the importance of an integrated approach to security embracing, among others, the four areas shown in Figure 12.

108 See DIN, Koordinierungsstelle Sicherheitswirtschaft im DIN, “Workshop Zertifizierung 2011”, no date. http://www.sicherheitswirtschaft.din.de/cmd?cmsrubid=134411&level=tpl-rubrik&languageid=de
109 See ECORYS, op. cit., 2011a, p. 18: stakeholder contribution, taken from the Public Consultation.
110 See Myers, op. cit., 2011, p. 2f.
111 See DG ENTR, op. cit., 2013.
112 See Council of the European Union, Resolution of 28 October 1999 on the role of European standardisation in Europe, OJ C 141, 19.05.2000. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2000:141:0001:0004:en:pdf
113 At that time, the regulatory framework of standardisation in Europe essentially consisted of three pieces of legislation: Directive 98/34/EC of the European Parliament and the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services, OJ L 204, 21.07.1998; Decision 1673/2006/EC of the European Parliament and of the Council of 24 October 2006 on the financing of European standardisation, OJ L 315/9, 15.11.2006; and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and telecommunications, OJ L 36, 07.02.1987.

Topics of ESRIF / Explanation

Interoperability: “Implies that the resources of different Member States and EU organizations operate together effectively to carry out security tasks and missions as foreseen via common EU capability planning.”

Standardisation, certification, validation: “Facilitate interoperability of equipment, products, processes, and allow substitution of equipment, (i)n Europe’s fragmented security market”; “Can contribute to building more harmonization to improve (the) region’s position on the world market.”

Research and innovation: Relevant EU programmes should “support peacekeeping, humanitarian and crisis management tasks, including joint initiatives with other regions and international organisations, notably as regard the development of global standards.”

Transparency and exchange of best practices: Means that “the early engagement of all stakeholders and transparency of the regulatory environment, including standards to stimulate private sector investments in security research, (if) upcoming regulations are understood early on, a return on security investments can be foreseen and investments can thus be expected to take place.”

Source: Own figure based on the ESRIF report
Figure 12: Relevant areas of ESRIF for CRISP’s activities

3.3.2.2. THE EUROPEAN SECURITY RESEARCH AND INNOVATION AGENDA

The European Security Research and Innovation Agenda [ESRIA, COM (2009) 691] is the final result of the two-year analysis carried out by ESRIF on the security challenges facing Europe. The ESRIA includes a security R&D roadmap for the next 15 years, along with systemic requirements. As shown in Figure 13, the ESRIA proposal is organized into five content clusters and differentiates research topics according to short-, medium- or long-term needs:

Cluster / Description

Cluster 1: Centres on the classic security cycle of preventing, protecting, preparing, responding and recovering; and focuses on the securing of people, civil preparedness and crisis management.

Cluster 2: Deals with countering different means of attack, as a way of dealing with specific, known and projected future risks; examines ways to detect and identify conventional as well as non-conventional attacks, unintended impacts of other actions, and naturally occurring incidents to mitigate their effects; and analyzes potential dangers inherent in coming technologies.

Cluster 3: Aims at securing critical assets, such as energy, transport and other crucial infrastructures; and examines security economics and outlines the necessity to analyze and cope with limited access to critical natural resources and to secure key manufacturing capabilities and capacities in Europe.

Cluster 4: Is about securing identity, access and movement of people and goods; and mainly centres on border security and secure identity management.

Cluster 5: Lists cross-cutting enablers of special interest, due to cross-cutting characteristics or prior political strategic decisions; examines the crucial role of Information and Communication Technologies (ICT); and deals with security implications of European space programmes.

Source: Own figure based on ESRIA (2009)
Figure 13: Clusters of ESRIA

114 See European Security Research and Innovation Forum, ESRIF Final Report. European Security Research and Innovation Agenda (ESRIA), European Commission Publications, December 2009. http://ec.europa.eu/enterprise/policies/security/files/esrif_final_report_en.pdf

ESRIA sets out policy and operational recommendations for achieving stronger security research and innovation results:

• Enhanced transnational cooperation;
• Stronger articulation of demand and delivery of the most appropriate solutions;
• Integrated approach to security;
• Global dimension of the EU’s civil security as a collective responsibility touching governments, societal organisations, industry and individual citizens; and
• Transparency involving all stakeholders to implement ESRIA and re-evaluation of the roadmap.

The nature of the integrated approach is described as follows: “Effective civil security must embrace interoperability, standardisation, certification, validation, communication with the public, education & training, exchange of best practices, consultations on privacy issues and other factors that cut across public and private spheres and provide synergies between civil security and defence research fields”.115

3.3.2.3. COMMUNICATION ON REACTION TO ESRIF

The Communication COM (2009) 691 of 21 December 2009, "A European Security Research and Innovation Agenda - Commission's initial position on ESRIF's key findings and recommendations",116 essentially summarized the ESRIF report and the ESRIA proposal. Notably, it remarked that in order to harvest innovation and growth tomorrow, it is necessary to invest now in an ambitious industrial policy for the security sector. The most relevant conclusions of the preliminary reaction to both documents are:

• Security is first and foremost human and societal: “One of the EU’s main objectives is to preserve and develop the European values of justice, freedom, and security whilst addressing the increasingly complex security challenges”. The EU must strengthen the legal and ethical dimensions of all security solutions to guarantee the rights and freedoms of individuals, particularly as they relate to privacy. In addition, it [the EU] must reinforce the societal dimension of security technologies to ensure that they allow societies to effectively respond to risks and losses (“societal resilience”).117

• Improve the competitiveness of the European Security Industry by

  • Putting in place certification, standardisation and validation, notably as regards the applicability and efficacy of a "European Security Label";

  • Creating the possibility to bring the most innovative security sectors into the Lead Market Initiative;118 and

  • Providing a Security Research and Development (R&D) roadmap for security missions and priorities either within the framework of the current FP7 or in preparation of the future framework programme.

The goals in the fields of certification, standardisation and validation are described as follows: "Based on the requirements of the end-users and the results of research, new technologies and solutions need not only to be validated; they should also be certified and where appropriate standardised, so they can become part of an effective response to security threats. R&D activities should be linked to a clear validation and procurement strategy that takes into account the relevant policy issues as well as economic interests. This should promote the creation of a European security market and better cooperation among security stakeholders at national and European levels”.119

115 European Security Research and Innovation Agenda (ESRIA), op. cit., December 2009.
116 See European Commission, A European Security Research and Innovation Agenda - Commission's initial position on ESRIF's key findings and recommendations, Communication from the Commission, COM (2009) 691 final, Brussels, 21.12.2009. http://ec.europa.eu/enterprise/policies/security/files/mami/comm_pdf_com_2009_0691_f_communication_en.pdf
117 See European Commission, op. cit., 2009, p. 3.
118 The Lead Market Initiative (LMI) was launched by the European Commission in December 2007 following the EU’s 2006 broad-based Innovation Strategy. It aims to foster the emergence of lead markets with high economic and societal value (eHealth, protective textiles, sustainable construction, recycling, bio-based products and renewable energies) and sets up diversified policy instruments to facilitate the translation of technological and non-technological innovation into commercial products and services (legislation, public procurement, standardisation, labelling and certification and other complementary instruments). Source: European Commission, A lead market initiative for Europe, Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, COM (2007) 860 final, Brussels, 21.12.2007. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0860:fin:en:pdf

3.3.2.4. COMMUNICATION TOWARDS AN INCREASED CONTRIBUTION FROM STANDARDISATION TO INNOVATION IN EUROPE

The Communication Towards an Increased Contribution From Standardisation to Innovation in Europe [COM (2008) 133]120 responds to the increasing attention that Europe is paying to innovation issues and underlines the contribution that standards could and should make to innovation (policy). The contribution of standardisation to innovation follows from the fact that “Standardisation complements market-based competition, typically in order to achieve objectives such as the interoperability of complementary products/services, and to agree on test methods and on requirements for safety, health, organisational and environmental performance. Standardisation also has a dimension of public interest, in particular whenever issues of safety, health, security and of the environment are at stake”. Finally, it is stated that “The appropriate use of standards in public procurement may foster innovation, while providing administrations with the tools needed to fulfil their tasks. Instead of prescribing particular technical solutions, the use of technology-neutral standards allows contracting authorities to call for advanced performance and functional requirements (e.g. relating to environmental aspects or to accessibility for all), thus stimulating the search for innovative technologies that provide best value for money in the long term, while ensuring safety and interoperability”. The Commission notes that “The European identity and the visibility of European standardisation, both inside Europe and in the world, need to be reinforced”. In order to uphold the responsibility for the continuous improvement of European standardisation, the Commission identified nine key elements for focussing EU standardisation policy on innovation. In the context of this report the items in Figure 14 are important:

119 See European Commission, op. cit., 2009, p. 5.
120 See European Commission, Towards an increased contribution from standardisation to innovation in Europe, Communication from the Commission to the Council, the European Parliament and the European Economic and Social Committee, COM (2008) 133 final, Brussels, 11.03.2008. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0133:fin:en:pdf


Source: Own figure based on European Commission (2008)121
Figure 14: Relevant items of COM (2008) 133

Although the role of standards is highlighted, neither this Communication nor the related documents address the importance of harmonized conformity assessment.

3.3.2.5. STOCKHOLM PROGRAMME

The Stockholm Programme,122 adopted by the European Council in December 2009, provides a roadmap for EU work in the area of justice, freedom and security for the period 2010-14. The Programme invites the Council and the Commission to develop the Internal Security Strategy (ISS), with a vision of improving the protection of citizens and the fight against organised crime and terrorism by ensuring that the strategy’s priorities ‘are tailored to the real needs of users and focus on improving interoperability’.123 Pursuant to this, the European Commission published a Communication in November 2010 aiming to put the EU Internal Security Strategy into action. The Communication COM (2010) 673124 envisages five key strategic objectives for the EU’s internal security for the period 2011-14: disrupt organised crime, prevent terrorism, raise levels of security in cyberspace, strengthen external border management and increase the EU’s resilience to natural disasters.

121 See European Commission, op. cit., 2008, div. pages.
122 See European Commission, Delivering an area of freedom, security and justice for Europe’s citizens. Action Plan Implementing the Stockholm Programme, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM (2010) 171 final, Brussels, 29.04.2010. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010XG0504(01)&from=en
123 European Commission, op. cit., 2009, p. 19.

Security research plays a crucial role in achieving those goals.

3.3.2.6. MANDATE M/487

The need for a more harmonized European framework to enhance the competitiveness of the EU security industry was identified by the Research for a Secure Europe report (2004)125 and by the 2009 ECORYS126 and 2011 ECORYS127 studies on security competitiveness and regulation. More harmonized European regulatory frameworks and standards have begun to take shape in the field of security, encouraged by the development of the EU Security Industrial Policy.128 In particular, this is taking place within the CEN/CENELEC/ETSI framework under Mandate M/487 on Security Standards,129 which calls for a work programme for the definition of European Standards and other standardisation deliverables in the area of security (where security refers to protection against threats from terrorism, serious and organized cross-border crime, natural disasters, pandemics and major technical accidents, excluding defence and space technologies). M/487 is a mandate issued to the ESOs in February 2011 and comprises two phases: identification of priority areas for standardisation (2011 to May 2012)130 and identification of the specific standardisation needs in the selected areas and development of standardisation programmes with roadmaps per sector (January to November 2013). Its overall objectives are shown in Figure 15.

124 See European Commission, The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, Communication from the Commission to the European Parliament and the Council, COM (2010) 673 final, Brussels, 02.11.2010. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0673:fin:en:pdf
125 See European Commission, Report of the Group of Personalities in the field of Security Research, Research for a Secure Europe, European Communities, Rapporteur Burkard Schmitt, Luxembourg, 2004. http://ec.europa.eu/enterprise/policies/security/files/doc/gop_en.pdf
126 See ECORYS, Study on the Competitiveness of the EU security industry. Within the Framework Contract for Sectoral Competitiveness Studies – ENTR/06/054, Final Report, Brussels, 15 November 2009. http://ec.europa.eu/enterprise/policies/security/files/study_on_the_competitiveness_of_the_eu_security_industry_en.pdf
127 See ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report – Volume I: Main Report, Brussels, October 2011. http://ec.europa.eu/enterprise/policies/security/files/doc/secerca_final_report_volume__1_main_report_en.pdf
128 See European Commission, op. cit., 2012. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0417:fin:en:pdf
129 See European Commission, Programming Mandate Addressed to CEN, CENELEC and the European Telecommunications Standards Institute, M/487, Brussels, 17.02.2011. ftp://ftp.cencenelec.eu/CENELEC/EuropeanMandates/M_487.pdf
130 To this aim, CEN is coordinating, through CEN/TC 391 “Societal and citizen security”, the response to M/487. The Committee investigated with several industry players and public authorities the priorities for future standardisation activities in three security thematic areas set out in the above-mentioned European Commission, Security Industrial Policy. Action Plan for innovative and competitive security industry, European Commission, op. cit., 2012: (1) Chemical, Biological, Radiological, Nuclear and Explosives (CBRN-E); (2) Border Security – automated border control systems (ABC), as well as biometric identifiers; (3) Crisis Management and Civil Protection – including communication and organizational interoperability. http://standards.cen.eu/BP/680331.pdf


Source: Own figure
Figure 15: Objectives of Mandate M/487

The Commission document states that work for developing and setting these standards "should be undertaken in close cooperation with the widest possible range of interested groups" and “with the involvement of the different stakeholders and operators, particularly end users and SMEs”. As shown in Figure 16, the Mandate defines three security areas:

Security field / Description

Security of the Citizens: Protection against organized crime, terrorism as well as chemical, biological, radiological and nuclear threats, explosives and fire hazards

Security of infrastructures and utilities: (Protection of) building design, energy/transport/communication grids, surveillance and supply chains

Border Security: Security of land borders/check points, sea borders and air borders

Source: Own figure
Figure 16: Security areas based on Mandate M/487

3.3.2.7. ACTION PLAN FOR AN INNOVATIVE AND COMPETITIVE SECURITY INDUSTRY

The Action Plan for an Innovative and Competitive Security Industry [COM(2012) 417] was communicated in July 2012 and has three particular objectives: overcoming the fragmentation of the EU security market, reducing the gap from research to market and better integration of the societal dimension.131 With regard to standardisation and certification, four items of the action plan are relevant; they are shown in Figure 17:132

Action / Description

Action 1, creating standardisation roadmaps in the areas of CBRNE, border security, crisis management/civil protection: The Commission will ask the ESOs to establish standardisation roadmaps that should focus on the next generation of tools and technologies.

Action 2, legislation on EU-wide harmonised certification systems for airport screening equipment and alarm systems: The Commission would put forward two legislative proposals to establish an EU-wide harmonised certification system for airport screening (detection) equipment and an EU harmonised certification system for alarm systems. The objective is to achieve mutual recognition of certification systems.

Action 3, issuing standardisation mandates to ESOs for 'hybrid standards': The Commission intends to issue standardisation mandates to the ESOs for 'hybrid standards'.

Action 8, issuing a standardisation mandate for developing a “privacy by design” standard: The Commission will issue a mandate to the ESOs to develop a standard modelled on existing quality management schemes, but applied to the management of privacy issues during the design phase.

Source: Own figure
Figure 17: Selected elements of the action plan for the European security industry

During the next project stages, CRISP will analyse how it can link its work with the relevant activities.

3.3.3. REGULATIONS AND DIRECTIVES IN SELECTED SECURITY AREAS

3.3.3.1. OVERVIEW

In Chapter 3.1.1, Directive 1999/93/EC on a Community framework for electronic signatures was described in detail. It specified certification systems based on voluntary accreditation in a specific technological field.

131 See Pastuszka, Hans-Martin, European Security Standardisation & Certification. Presentation at the 1st ERNCIP Conference, JRC, Ispra, Italy, 12–13 December 2012. http://ipsc.jrc.ec.europa.eu/fileadmin/repository/sta/cinet/docs/erncip/1sterncipconference/Opening-Hans-Martin_Pastuszka.pdf
132 See European Commission, op. cit., 2012.


Based on analyses of the Perinorm database, the next section will give an overview of additional European regulations and directives related to privacy and data protection. In addition, the Perinorm-based analyses showed that many regulations and directives on air traffic security exist. The foundation is created by Commission Regulation (EU) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security. Examples of related regulations are:

• Commission Regulation (EC) No 622/2003 of 4 April 2003 laying down measures for the implementation of the common basic standards on aviation security;

• Commission Implementing Regulation (EU) No 711/2012 of 3 August 2012 amending Regulation (EU) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security as regards the methods used for screening persons other than passengers and items carried;

• Commission Implementing Regulation (EU) No 1147/2011 of 11 November 2011 amending Regulation (EU) No 185/2010 implementing the common basic standards on civil aviation security as regards the use of security scanners at EU airports; and

• Commission Implementing Regulation (EU) No 859/2011 of 25 August 2011 amending Regulation (EU) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security in respect of air cargo and mail.

Aviation security, including airport screening equipment and air cargo, plays an important role in plans for the future of the European conformity assessment system for security products. A similar situation exists regarding alarm systems. Both technical fields will be described in more detail in Chapter 6, which will refer to Commission Regulation (EC) No 185/2010 and its consequences in more detail. Other security fields shaped by a number of regulations and directives include commerce agreements, energy, telecommunications, traffic security and others. All sources can be found in the attachment. Note: the search results provide only documents on security in a narrow sense; as such, documents such as those related to fire protection etc. are not included.

3.3.3.2. DOCUMENTS RELATED TO PRIVACY AND DATA PROTECTION

The importance of privacy and data protection is reflected by principal international and European declarations. Principal privacy-related rights are defined by the Universal Declaration of Human Rights (UDHR), Article 12 and in Europe, for example, by the EU Charter of Fundamental Rights and the EU Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Article 8. Additional European documents related to privacy include:

Commission Regulation (EC) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications;

Page 52: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 52 of 170

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications);

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; and

Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector.

European documents related to data protection and confidentiality include:

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems;

Commission Recommendation of 2 July 2008 on cross-border interoperability of electronic health record systems;

Commission Decision of 3 June 2008 adopting implementing rules concerning the Data Protection Officer pursuant to Article 24(8) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data;

Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009 amending Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States;

Corrigendum to Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009 amending Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States;

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data;

Commission Regulation (EC) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications;

Commission Regulation (EC) No 1224/2012 of 18 December 2012 amending Regulation (EC) No 883/2004 of the European Parliament and of the Council on the coordination of social security systems and Regulation (EC) No 987/2009 of the European Parliament and of the Council laying down the procedure for implementing Regulation (EC) No 883/2004 (data protection);

Commission Regulation (EC) No 1244/2010 of 9 December 2010 amending Regulation (EC) No 883/2004 of the European Parliament and of the Council on the coordination of social security systems and Regulation (EC) No 987/2009 of the European Parliament and of the Council laying down the procedure for implementing Regulation (EC) No 883/2004;

Page 53: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 53 of 170

Regulation (EC) No 465/2012 of the European Parliament and of the Council of 22 May 2012 amending Regulation (EC) No 883/2004 on the coordination of social security systems and Regulation (EC) No 987/2009 laying down the procedure for implementing Regulation (EC) No 883/2004;

Regulation (EC) No 988/2009 of the European Parliament and of the Council of 16 September 2009 amending Regulation (EC) No 883/2004 on the coordination of social security systems, and determining the content of its Annexes;

Council Regulation (EC) No 2135/98 of 24 September 1998 amending Regulation (EEC) No 3821/85 on recording equipment in road transport and Directive 88/599/EEC concerning the application of Regulations (EEC) No 3820/84 and (EEC) No 3821/85; and

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

According to Wurster,133 current European activities focus on the creation of a new General Data Protection Regulation which will supersede Directive 95/46/EC. The draft134 was released in January 2012. The European Parliament adopted a modified Directive in March 2014, while its implementation is expected to be finished in 2016. The work of CEN/TC 224 gives an example of how such documents influence European standards; see Chapter 4.3.3 and Figure 25. A recent survey by the EU135 included questions on how to ensure the integration of ethical/societal aspects in security technologies. An option which was clearly rejected was keeping privacy by design a voluntary effort for industry. According to the document, most representatives from large industry groups would prefer a selective mandatory certification, which would only concern specific security technologies: “We believe that a mandatory certification assessment (…) would only be reasonable in some areas, but not in all. Hence, a case-by-case decision, respecting the distinctiveness of the concerned products/processes, would be far more valuable”. In addition, the majority (66%) of the respondents agreed on the usefulness of a combination of a possible ethical certification process and a general certification procedure, instead of having two separate processes. Privacy-related issues will be covered in more detail in CRISP’s WP 4.

133 See Wurster, Simone, „Ethics and Privacy Issues of Critical Infrastructure Protection – Risks and Possible Solutions Through Standardization“, Praxis der Informationsverarbeitung und Kommunikation, Fachzeitschrift für den Einsatz von Informationssystemen, Special issue on ICT standardization, forthcoming.
134 See European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 2012. http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
135 See European Commission, Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.07.2012, pp. 69ff.


3.3.4. LINKS BETWEEN STANDARDS, CERTIFICATION AND PRE-COMMERCIAL PROCUREMENT

Considerations on security standardisation and conformity assessment were recently extended by the additional aspect of pre-commercial procurement (PCP). The EU defines PCP as “an approach to procuring R&D services other than those where the benefits accrue exclusively to the contracting authority for its use in the conduct of its own affairs, on condition that the service provided is wholly remunerated by the contracting authority and that does not constitute State aid”.136 ECORYS137 describes PCP as a demand-based innovation scheme. A fundamental characteristic is that end-users are involved from the beginning of the innovation process. Security suppliers and end-users cooperate in defining common needs and corresponding specifications to reach optimal solutions. The PCP concept is originally based on EU Directives on the procurement of public authorities and public entities. The directive on public procurement in the fields of defence and security is relevant for the application in the security field. It builds on a shared risk-benefit approach.138 ECORYS139 describes its particular attractiveness in the maritime borders and airport security sectors, which are characterized by a high degree of international organisation, public involvement and security awareness. According to ECORYS,140 PCP offers several specific opportunities to support efforts in the fields of standardisation and accreditation:141 bundling of operator demand facilitates interoperability and standardisation,142 and, in addition, PCP aims to increase the degree of interoperability between participants. Such efforts after each R&D phase pave the way for open standards. Since PCP is initiated at the beginning of the market cycle with the first expression of operational security needs, linking these three activities in the security field is regarded as crucial.143 According to ECORYS,144 the EU is particularly well placed to set international standards. In this context, specific attention should be paid to equipment that is developed in response to newly arising threats or where security functions are automated, as in the case of biometric identity cards and eGates at airports.

3.3.5. SUMMARY AND CONCLUSIONS

Standards complement European and national policies in many areas. In the field of security standardisation, Mandate M/487 ushered in a new phase in the area of security with a particular emphasis on cooperation with the widest range of interested groups. The process towards this mandate was characterized by crucial stages in which EU security policies have focused on the area of research and innovation [as reflected in the ESRIA proposal (2009) or the Communication COM (2008) 133 final], on the area of justice, freedom and security [as reflected in the Stockholm Programme (2009)] or on internal security threats [as reflected in the EU Internal Security Strategy (2010)], among others. In addition, many security fields are shaped by additional documents. Besides this micro view, the European Commission communicated clear perspectives on structural aspects of the future European security-related conformity assessment system. PCP plays an important role in this regard.

136 See ECORYS, Study on pre-commercial procurement in the field of Security Within the Framework Contract of Security Studies – ENTR/09/050 Final report. Report for the European Commission, DG Enterprise and Industry 2011, 2011b, http://ec.europa.eu/enterprise/policies/security/files/doc/pcp_sec_finalreport_en.pdf, p. 18.
137 See ECORYS, op. cit., 2011b, p. 7.
138 See ECORYS, op. cit., 2011b, p. 11.
139 See ECORYS, op. cit., 2011b.
140 See ECORYS, op. cit., 2011b, pp. 17, 47 and 97.
141 See ECORYS, op. cit., 2011b, p. 69.
142 See ECORYS, op. cit., 2011b, pp. 35, 76.
143 See ECORYS, op. cit., 2011b, p. 20.
144 See ECORYS, op. cit., 2011b, p. 47.


4. STATE OF THE ART IN SECURITY STANDARDS IN DIFFERENT SECTORS

4.1. WORK OF EUROPEAN STANDARDISATION ORGANISATIONS

4.1.1. INTRODUCTION

The field of standardisation organisations in Europe is rather extensive, not only due to the large number of national standardisation organisations – there is often more than one standardisation organisation per country, each responsible for different technological fields – but also as a result of the several regional (European) and international standardisation organisations. Since most of the standardisation activities in the Member States are influenced by European and international standards, as part of the European standardisation harmonisation,145 and since the aim of the CRISP project is to facilitate the “harmonised playing field for the European security industry by developing a robust methodology for security product certification”,146 the main focus of the analysis will be on the European and international standardisation organisations.

ESOs of importance are mainly CEN, CENELEC and ETSI, with national standardisation organisations as members (see Chapter 2.3.1). Since all three are private organisations, a co-operation agreement between them, the EC and the European Free Trade Association has been signed147 in order to ensure that the voluntary and consensus-driven activity of standardisation is accepted and coherent, especially because of its impact on several areas of public concern such as industry, the single market and the environment.148 As a result, only standards created by these three organisations are recognised as European standards (ENs). Furthermore, the regional standardisation organisations are to be seen as regional mirror bodies of the international organisations, which is also the result of different bilateral agreements between the standardisation bodies. The bilateral agreements between CEN and ISO as a result of the Vienna Agreement149 and between CENELEC and IEC as a result of the Dresden Agreement150 were described in Chapter 3.2.2. In addition, ETSI and the ITU collaborate in the telecommunication standardisation sector. The result of those co-operations is again a harmonisation of standards at an international level, with more efficiency, the avoidance of duplication of work and an increase in the speed of the elaboration and maintenance of standards.151 Based on information from the M/487 Final Report Phase 1152 and our own analyses, the next figures show the year of establishment of security-related TCs at CEN and CENELEC as well as their accomplishments so far.

145 Largely responsible for the harmonisation of European standardisation is the ‘Regulation (EC) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation’, setting the rules for the implementation of harmonised European standardisation and also the necessity of informing the Commission and other Member States, and the possibility for amendment by them, after the draft of a national standard from a Member State. The purpose of this regulation is mainly to ensure the functioning of the internal European market and the free movement of goods and services (cf. European Parliament and the Council, Regulation (EC) No 1025/2012 of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council).
146 CRISP Description of Work, Part A, p. 3.
147 European Commission, European Free Trade Association, CEN, CENELEC, ETSI, General Guidelines for the co-operation between CEN, CENELEC and ETSI and the European Commission and the European Free Trade Association, 28 March 2003.
148 See European Commission, op. cit., 2003, p. 2.
149 See ISO, CEN, Agreement on technical co-operation between ISO and CEN (Vienna Agreement), no date. http://isotc.iso.org/livelink/livelink/fetch/2000/2122/4230450/4230458/Agreement_on_Technical_Cooperation_between_ISO_and_CEN_%28Vienna_Agreement%29.pdf?nodeid=4230688&vernum=-2
150 See CENELEC, IEC - CENELEC Agreement on Common planning of new work and parallel voting, Guide n° 13, no date. http://www.iec.ch/about/globalreach/partners/regional/iec_cenelec_agreement.htm

Committee | Title | Year of establ. | Published standards / work programme
CEN/TC 164 | Water supply | 1990 | 229 / 51
CEN/TC 162 | Protective clothing including hand and arm protection and lifejackets | 2005 | 152 / 32
CEN/TC 278 | Intelligent transport systems | 1993 | 144 / 46
CEN/TC 250 | Structural Eurocodes | 1989 | 127 / 8
CLC TC 79 | Alarm Systems | 1980 | 104 / 14
CEN/TC 251 | Health informatics | 2010 | 94 / 24
CEN/TC 264 | Air quality | 2013 | 91 / 29
CEN/TC 127 | Fire safety in buildings | 2005 | 75 / 34
CEN/TC 189 | Geosynthetics | 1989 | 69 / 30
CEN/TC 79 | Respiratory protective devices | 2004 | 66 / 1
CEN/TC 224 | Personal identification, electronic signature and cards and their related systems and operations | 1989 | 49 / 19
CEN/TC 287 | Geographic Information | 2003 | 48 / 9
CEN/TC 234 | Gas infrastructure | 2007 | 26 / 10
CEN/TC 346 | Conservation of Cultural Heritage | 2012 | 18 / 10
CEN/TC 325 | Crime prevention through building, facility and area design | 2012 | 7 / 1
CEN/TC 352 | Nanotechnologies | 2006 | 6 / 3
CEN/TC 379 | Project Committee - Supply Chain security | 2007 | 2
CEN/TC 384 | PC Airport and aviation security services | 2008 | 1
CEN/TC 388 | Perimeter Protection | 2010 | 1
CEN/TC 391 | Societal and Citizen Security | 2010 | 1 / 5
CEN/CLC/TC 4 | PC - Services for fire safety and security systems | 2011 | 1
CEN/TC 417 | PC - Maritime and port security services | 2011 | 1

Source: websites of CEN, CENELEC, own analysis
Figure 18: Year of establishment and published standards by security-related CEN/CLC/TCs

The figures do not include TCs from ETSI because data on the relevant committees are missing. According to Figure 19, most of the security-related TCs at CEN and CENELEC were established in 2004 or later.

151 See ISO, op. cit., no date, p. 1.
152 See European Commission, Mandate M/487 to Establish Security Standards. Final Report Phase 1. Analysis of the Current Security Landscape, 9 May 2012.


Source: websites of CEN and CENELEC, own analysis
Figure 19: Establishment of security-related TCs at CEN and CENELEC

As already mentioned, the aim of the ESOs is to create harmonised security standards throughout the different areas amongst the European Member States and the EFTA, as well as harmonisation with important international standards. In the next sections, the security-related work of the different ESOs as well as relevant international activities will be described in more depth.

4.1.2. ANALYSIS OF DIFFERENT STANDARDISATION ORGANISATIONS AND THEIR SECURITY-RELATED STANDARDS

4.1.2.1. EUROPEAN COMMITTEE FOR STANDARDISATION (CEN)

Of the three ESOs, CEN153 is responsible for ENs in all technical sectors except the electrotechnical and telecommunications sectors.154 The main bodies of CEN responsible for the conception of standards, governed by the General Assembly (GA), are the Technical Committees (TCs) and the Subcommittees (SCs), within which specific Working Groups (WGs) related to clearly defined subjects create the draft standards that are reported to either the TC or the SC. Overseeing the TCs is the Technical Board (BT), which controls the standards programmes, approves CEN policies and strategies, takes decisions on standardisation issues and organises cooperation with international and/or intergovernmental organisations.155 Another important body is the Project Committee (PC), seen as a technical body with the aim of creating “a specific short time standardisation task within a given target date”156 and disbanded after completing the task.

153 See CEN, no date. http://www.cen.eu/Pages/default.aspx
154 See CEN, no date, http://www.cen.eu/about/Pages/default.aspx for a detailed description of the fields in which CEN is active.

Finally, Workshops (WS), which can be set up quickly, are important for the development of standards and specifications in rapidly changing fields of technology. In the next sections, the most important technical bodies in the field of security standards will be presented, including an overview of the related standards – where available – that have been developed or are currently being developed. Mandate M/487 led to a report on the security landscape in 2012 in which the European TCs in relevant security areas were identified. The scope was broad and also included the safety aspect and fire safety/fighting in general. This inclusion led to a relevance classification of the TCs, ranging from low relevance to high relevance in the security context. For our analysis, selected TCs with high relevance in security standardisation were chosen as examples. They are presented in Figure 20.

CEN TC | Standardisation for the following topics | Comment

CEN/CLC/TC 4
Topics: General requirements for services in fire or safety systems
Comment: Aims at the development of a single standard. Focus: specifying “general requirements for services in fire safety systems and/or general security systems, especially in regard to the planning, design, installation, commissioning, verification, handover or maintenance”157 of such systems.

CEN/TC 164
Topics: Security of drinking water supply
Comment: Has established a large number of standards. A few standards address security issues, e.g.:
• EN 15975-1:2011, Security of drinking water supply - Guidelines for risk and crisis management - Part 1: Crisis management and
• EN 15975-2:2013, Security of drinking water supply - Guidelines for risk and crisis management - Part 2: Risk management158

CEN/TC 224
Topics: Identity card systems; authentication devices; secure signature creation devices
Comment: The aim is to create standards for user interfaces or human-machine interfaces in applications like banking, retail, passenger transport and borders. Security standards issued: EN 1332 Identification card system, EN 1332-1:2009: Identification card system – Man-Machine Interface, EN 14890-1:2008 – Application Interface for smart cards used as Secure Signature Creation Devices.

CEN/TC 234
Topics: Security in gas supply systems and other critical infrastructure
Comment: A definition of critical infrastructure is provided by the European Commission (2004).159

CEN/TC 251
Topics: Medical security
Comment: Mainly responsible for the creation of ICT standards in medical, social care and welfare settings.

CEN/TC 263
Topics: Storage of cash and valuables for fire or burglary incidents
Comment: Published several standards relating to protective measures in regard to the storage of cash and other valuables towards fire prevention and the prevention of burglaries. Focuses on a large number of security products dealing with these protective measures.160

CEN/TC 278
Topics: Intelligent transport systems
Comment: Mostly data transmission standards, but some related to security, e.g. EN 15213, EN 15213, EN 15213, ENs ISO 14814:2006, 14815:2005 and 14816:200, which mostly cover location, tracking and identification of crimes.

CEN/TC 325
Topics: Prevention of crime for private and public buildings
Comment: Focuses on developing standards for the prevention of crime at a wide range of private and public buildings, applying the following, particularly in an urban setting:161
• Different strategies, security levels; and
• Building and area layout, etc.

CEN/TC 379
Topics: Supply chain security; reporting crime incidents; crime-related information collections
Comment: Standard EN 16352:2013 Logistics – Specifications for reporting crime incidents created common rules for data collection and processing within the reporting of crimes, regardless of the origin of the reporter or data collector.162 Relates closely to the functions ‘information collection, storage and management to produce intelligence’ as well as ‘prevention’ in CRISP’s glossary (Deliverable 1.1).163

CEN/TC 388
Topics: Field of border security; protection of critical infrastructures
Comment: Aims at the standardisation of security products and systems for perimeter protection. Focuses only on terrains surrounding buildings, not on systems within the buildings. Focuses on border security as well as the protection of critical infrastructure limits. A TR has been created, which provides information for the design of perimeter protection standards.164 The TC is not active at the moment.

CEN/TC 391
Topics: Societal and citizen security; security issues in destabilizing or disruptive events; incident risk issues; prevention / assessing situational awareness
Comment: Published CEN/TS 16595:2013 CBRN - Vulnerability Assessment and Protection of People at Risk. Focus of the TS: security risks in the field of CBRN incidents with potential large-scale effects. Consists mainly of tools for the development of vulnerability assessment, awareness and management.165 Work correlates with the functions described in the glossary of security products, systems and services in CRISP’s Deliverable 1.1, not only regarding prevention, but also regarding the assessment of a security issue and the creation of situational awareness.166

CEN/TC 417
Topics: Security for maritime and port settings
Comment: Focuses on quality standards for security services in that field. One standard is currently under enquiry.

CEN/TC 419
Topics: Forensic science processes
Comment: No standards output yet. Focus on all steps: the scene of the crime, the transportation and storage of material, and the interpretation of the results.

Source: Own figure
Figure 20: Overview of the work of selected CEN TCs in the security field

155 See European Committee for Standardisation, “Technical Board”, 28 August 2014, http://boss.cen.eu/TechnicalStructures/Pages/BT.aspx
156 See European Committee for Standardisation, “Project Committee”, 28 August 2014, http://boss.cen.eu/TechnicalStructures/Pages/ProjCmte.aspx
157 See Website of the Technical Committee: http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees.htm
158 See European Commission, DG Enterprise and Industry, Security Research and Development, Mandate M/487 to Establish Security Standards, Final Report Phase 1 Analysis of the Current Security Landscape, 2012, Annexe C; http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:30474&cs=1DC596AC378112DEAA73B0BD03D2B377B and http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:34082&cs=1AA89C0488D68938C415AF7F162C579F4
159 European Commission, Critical Infrastructure Protection in the fight against terrorism (COM/2004/0702), 2004, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2004:0702:FIN:EN:PDF.
160 An overview of those standards can be found here: http://standards.cen.eu/dyn/www/f?p=204:32:0::::FSP_ORG_ID,FSP_LANG_ID:6244,25&cs=1F7BB1CF3AE29C75644A28F3E97469504
161 See CEN, CEN/TC 325 – Crime prevention through building, facility and area design, CEN/TC 325 Scope, 2014. http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:6306&cs=133518429ECB0D4DDB06C8583A7A5CD0D
162 See also EN 16352:2013 Logistics – Specifications for reporting crime incidents, p. 12.
163 See D1.1 Glossary of security products and systems.
164 See CEN, op. cit., 2014.
165 See CEN, op. cit., 2014.
166 See CRISP D1.1.


The work of the committees will be analysed in more detail in Chapter 4.3.

As shown on the basis of its TCs, CEN provides a large number of European standards across the different security areas and is to be regarded as the main ESO responsible for security ENs.

4.1.2.2. EUROPEAN COMMITTEE FOR ELECTROTECHNICAL STANDARDISATION (CENELEC)

The European Committee for Electrotechnical Standardisation (CENELEC)167 cooperates closely with CEN, resulting not only in a similar governing structure within the organisation but also in TCs collaborating in order to create standards that affect both the general and the electrotechnical field. The CEN-CENELEC Management Centre (CCMC) is in charge of the coordination and promotion of the joint activities of both organisations. As already described above, a close cooperation between CENELEC and the IEC exists. Again similar to CEN, the members of CENELEC are the national organisations entrusted with electrotechnical standardisation in the 28 European Member States, the three EFTA countries, the Former Yugoslav Republic of Macedonia, and Turkey. While most of the TCs of CENELEC are dedicated to the creation of technical standards, which of course can also consist of technical parts included in security products or systems, only a few focus purely on security. They are described in Figure 21. CENELEC’s most important activities in the security field are related to alarm systems, not only intruder alarm systems or access control systems but also alarm systems used in crisis management. Another important activity is the ESO’s involvement in CEN/CLC TC 4.

167 See European Committee for Electrotechnical Standardisation, 2014. http://www.cenelec.eu/index.html


| CLC TC | Standardisation for the following topics | Comment |
|---|---|---|
| CLC/TC 79 | Alarm systems, monitoring systems, surveillance systems, access control systems | Aims at harmonising standards for detection, alarm and monitoring systems that are used for the protection of persons and property. Published a large number of ENs, covering the broad field of alarm systems. As already described in CRISP deliverable 1.1, many of those security products and systems consist of a large variety of functions, which can also differ depending on their application areas. |
| CLC/BTTF 133-1 | Emergency purposes which are not part of alarm systems; broadcasting of information in emergency situations; attention-drawing alarm systems; sound distribution systems | Created a draft standard,168 specifying the performance requirements for alarm systems. Focus of the draft standard: the broadcasting of information in emergency situations, for example attention-drawing alarm systems, or sound distribution systems in order to mobilise occupants rapidly in emergency situations. |
| CLC/TC 45AX | Instrumentation, control and electrical systems of nuclear facilities; safety of the nuclear plant | Prepares the implementation of the IEC/SC45A169 standards in ENs, adapting them where necessary. Several ENs have already been established. Important standards regarding CRISP's fields of interest: EN 60671:2011, Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing; EN 60965:2011, Nuclear power plants – Control rooms – Supplementary control points for reactor shutdown without access to the main control room; EN 62340:2010, Nuclear power plants – Instrumentation and control systems important to safety – Requirements for coping with Common Cause Failure (CCF). |

Source: Own figure. Figure 21: Overview of the work of selected CLC/TCs in the security field

168 See prEN 50849:2014, Sound systems for emergency purposes.
169 See International Electrotechnical Commission, IEC/SC45A Instrumentation and control (and electrical) systems for nuclear facilities, no date. http://www.iec.ch/dyn/www/f?p=103:7:0::::FSP_ORG_ID,FSP_LANG_ID:1358,25


4.1.2.3. EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI)

Compared to CEN and CENELEC, ETSI170 develops not only European standards but also different standards, reports, specifications and guides, depending on the different telecommunication market needs. These include the ENs,171 drafted by the TCs; the ETSI Standard (ES) for technical requirements; the ETSI Guide (EG) for the handling of specified technical standardisations; the ETSI Technical Specification (TS), which is similar to the ES but issued if the technical requirements need the document for quick use; the ETSI Technical Report (TR), which includes explanatory material; the ETSI Special Report (SR), used when the information needs to be public; and the ETSI Group Specification (GS), which provides technical requirements and/or explanatory material – all requiring a different kind of approval.172 Standards published by ETSI are available free of charge and are thus publicly accessible.

Besides the TCs and working groups, ETSI can also set up Special Task Forces (STFs) when rapid publication is needed, so that the experts of the STFs can work intensively on the creation of the documents. Furthermore, Industry Specification Groups (ISGs) focus on very specific activities and technology areas and serve as an alternative to creating industry fora. The membership within ETSI also differs from the other two organisations, as it consists not only of National Standards Organisations but also of Administrations, Administrative Bodies, Network Operators, Manufacturers, Users, Service Providers, Research Bodies, Universities, Consultancy Companies/Partnerships and others. Probably the most prominent ISG is the "Third Generation Partnership Project" (3GPP). Established in 1998, the 3GPP is mainly responsible for the maintenance and development of cellular telecommunication network technologies.173 This also leads to a broad field of technologies and clusters within which ETSI operates, all of which are related to ICTs.

Two of the clusters that are most relevant for our analysis are the security cluster174 and the public safety cluster.175 Some of the work within those two clusters will be presented in the following.

Security cluster

According to the following table, the security cluster relates to reliable and secure communications to protect users and provide a secure environment for the industrial sector, whereas the public safety cluster relates to communication systems and services for public safety – mainly facilitating emergency communications in a wide range of cases.

170 See European Telecommunications Standards Institute, 2014. http://www.etsi.org/
171 A list with all the harmonised standards for radio & telecommunication terminal equipment can be found on the ETSI website: European Telecommunications Standards Institute, "ETSI Harmonized Standards for Radio & Telecommunications Terminal Equipment Directive 1999/5/EC", 2014. http://www.etsi.org/standards/list-of-harmonized-standards
172 See European Telecommunications Standards Institute, "Different types of ETSI standards", 2014. http://www.etsi.org/standards/different-types-of-etsi-standards
173 See European Telecommunications Standards Institute, "3GPP", 2014. http://www.etsi.org/about/our-global-role/3gpp?highlight=YToxOntpOjA7czo0OiIzZ3BwIjt9
174 See European Telecommunications Standards Institute, "Security", 2014. http://www.etsi.org/technologies-clusters/clusters/security
175 See European Telecommunications Standards Institute, "Public Safety", 2014. http://www.etsi.org/technologies-clusters/clusters/public-safety


| TC | Description |
|---|---|
| ESI – Electronic Signatures and Infrastructures | Covers secure online commerce and secure electronic document exchange. Application areas: everyday activities of citizens and businesses, but also vulnerability to cyber threats. Addresses the EU mandate on Electronic Signature Standardisation176 to reduce the specific risk that a lack of security standards in electronic signatures can create. |
| SCP – Smart Card Platform | Its standards play a crucial role where user identification needs to be authorised and are necessary for secure communication. The Smart Card Subscriber Identity Module (SIM) is the result of an ETSI standard and is utilised in almost every mobile phone. SCP is responsible for the SIM's further development and maintenance.177 |
| LI – Lawful interception | Definition of LI: "a security process in which a service provider or network operator collects and provides law enforcement officials with intercepted communications of private individuals or organizations".178 LI is generally necessary for public and national security through the investigation of serious crimes, organized crime and terrorism. In a European context, lawful interception has raised some serious data protection and data privacy questions, especially related to the Data Retention Directive.179 The Data Retention Directive was declared invalid by the European Court of Justice on 8 April 2014 because of its "wide ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data".180 TC LI is mainly responsible for standardisation of the handover interface, the communication and the storage of the intercepted data, and the security within the network. Main standard: ETSI ES 201 671 – Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic. Several other standards are important to LI, such as the technical specification on the requirements of law enforcement agencies.181 |
| Special committee (SC) EMTEL | Covers the broad field of emergency communications, ranging from 'simple' emergency cases of individuals to serious emergencies and disruptions of large segments of society, thus also including crisis management essentials.182 |
| ISG quantum cryptography | Quantum cryptography is a cryptographic technology stemming from findings in quantum physics. The area of quantum key distribution especially could greatly increase the security of internet communication, granting the privacy and confidentiality of the communication. High-level encryption makes spying almost impossible. Could become important in the fields of e-government, e-health and e-commerce, as well as in the transportation of other sensitive data, like biometric data.183 |

Source: Own figure. Figure 22: Overview of the work of selected TCs in ETSI's security cluster

176 Full title of the mandate is the "M/460 standardisation mandate to the European standardisation organisations CEN, CENELEC and ETSI in the field of information and communication technologies applied to electronic signatures". http://ec.europa.eu/enterprise/standards_policy/mandates/database/index.cfm?fuseaction=search.detail&id=442#
177 Besides the TC SCP, the 3GPP-CT6, the Technical Specifications Group 'Core Network and Terminals' Working Group 6 (CT WG6), also deals with further developments of the SIM, especially with network authorisation standards related to the SIM. For more information see 3GPP, "CT WG6", no date. http://www.3gpp.org/specifications-groups/ct/wg6
178 See European Telecommunications Standards Institute, "Lawful interception", 2014. http://www.etsi.org/technologies-clusters/technologies/security/lawful-interception
179 See European Parliament and the Council, Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L-105, 13.4.2006, p. 54-63.
180 See Court of Justice of the European Union, Judgement in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, Press Release No 54/14, Luxembourg, 8 April 2014. http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf

Public Safety

Although public safety is defined as its own cluster, the work within the cluster cannot be strictly delimited, as committees overlap. For example, the SC EMTEL mentioned above is also part of the public safety cluster. Most of the work in the public safety cluster is dedicated to establishing the stable emergency communication necessary in different situations of crisis.184

181 See European Telecommunication Standard Institute, "ETSI TS 101 331, Lawful Interception (LI); Requirements of Law Enforcement Agencies", 2001.
182 This not only covers ensuring stable and secure telecommunications, but also radio/television and internet broadcasting. So for example the ETSI Technical Specification on the European Public Warning System (EU-ALERT) using the Cell Broadcast Service "defines the system requirements for a European Public Warning Service using the Cell Broadcast Service as a means of message distribution and delivery to UEs [user equipment]," like language, message type, presentation of the message, but also considerations for individuals with special needs, see European Telecommunication Standard Institute, "ETSI TS 102 900, Emergency Communications (EMTEL); European Public Warning System (EU-ALERT) using the Cell Broadcast Service", 2010.
183 Several countries have already started to research the necessity of standardisation in quantum cryptography. Within the EC Framework Programme 6, the SECOQC (Secure Communication based on Quantum Cryptography) project also largely dealt with this, and one of the results of this project was the creation of an ETSI Industry Specification Group on Quantum Key Distribution (ISG-QKD), now addressing the standardisation questions. So far the ISG has published several GSs, covering the use cases – thus application areas and scenarios in which QKD systems could be implemented – definitions of properties of components, internal and application interfaces, as well as presenting the security proofs of the QKD systems, again outlining in what areas the systems can play an important role, based on the security claim and the identification of components that are necessary to detect any intrusion into the system, thus minimising or even zeroing all critical security breaches and raising the security claim. For more information see: European Telecommunications Standards Institute, "Quantum Key Distribution", 2014 and European Telecommunications Standards Institute, "Quantum Key Distribution Leaflet", no date; European Telecommunications Standards Institute, "ETSI GS QKD 002, Quantum Key Distribution; Use Cases, V1.1.1", June 2010. Additional sources: European Telecommunications Standards Institute, "ETSI GS QKD 003, Quantum Key Distribution (QKD); Components and Internal Interfaces, V1.1.1", December 2010; European Telecommunications Standards Institute, "ETSI GS QKD 005, Quantum Key Distribution (QKD); Security Proofs, V1.1.1", December 2010; European Telecommunications Standards Institute, "ETSI GS QKD 008, Quantum Key Distribution (QKD); QKD Module Security Specification, V1.1.1", December 2010.
184 A good example is the development of standards for Private Mobile Radio (PMR) systems, used on the one hand in transportation, but also in emergency and medical services. The main standard is the TErrestrial Trunked RAdio (TETRA), aiming to meet the different requirements of the PMR users.


A specific area of public safety standardisation in which ETSI committees are currently working is the maritime sector, where the 'Global Maritime Distress and Safety System' (GMDSS) has been established.185 Another special area of public safety standardisation is covered by the Satellite Emergency Communication Working Group (SES SatEC) of ETSI's Satellite Earth Stations & Systems Technical Committee (TC SES).

According to ETSI, a new area with significant potential for new standards consists of Proofing Products against Crime, as the European Commission has requested action from the ESOs on this topic. The focus of potential activities is on integrating or embedding crime-prevention features into products to reduce their potential to become targets of criminal activity (such as theft, fraud or damage), as well as on preventing their use as instruments of crime. Potential activities may focus on physical objects, electronic information, electronic services and computer software.186

From a security point of view, it is apparent that most of ETSI's committees deal with providing standards for the secure transportation of different kinds of data, information or communications, and with communication in different emergency and distress situations in order to reach all of the concerned individuals, which makes these standards important tools for crisis management. Crime prevention may become an important standardisation field in the future.

4.2. WORK OF INTERNATIONAL STANDARDISATION ORGANISATIONS

4.2.1. INTERNATIONAL ORGANISATION FOR STANDARDISATION (ISO)

ISO187 is the largest organisation developing standards worldwide. It is not subject to any regional limitations but operates on a global basis. The structure as well as the way standards are developed is similar to the regional standardisation bodies, with TCs reporting to the technical management board, an ISO council covering the governance issues and the general assembly as the final authority. Security-related TCs are abundant, although not all of them specifically relate to security topics in general, but cover them in specific standardisations. The following table gives relevant examples:

| ISO TC | Standardisation for the following topics | Comment |
|---|---|---|
| ISO/TC 292 | Security management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security | Intended to officially begin on 1 January 2015. The current ISO/TC 223, ISO/TC 247 and ISO/PC 284 (Management system for private security companies) will be merged into this new ISO/TC 292. |
| ISO/TC 223 | Societal security, protection from human and natural acts; incident response, emergency management, export interoperability of video surveillance | Various standards, e.g. ISO 22311 for video surveillance, which is for example used for certification by AFNOR Certification, see Chapter 6.1. |
| ISO/TC 224 | Security of drinking water supply | Example: ISO 24510:2007 and ISO 24512:2007, Activities relating to drinking water and wastewater services |
| ISO/TC 247 | Fraud countermeasures and controls | Examples: ISO 12931:2012, Performance criteria for authentication solutions used to combat counterfeiting of material goods, and ISO 16678:2014, Guidelines for interoperable object identification and related authentication systems to deter counterfeiting and illicit trade |
| ISO/TC 8 | Ships and marine technology | Example: ISO 20858:2007, Ships and marine technology -- Maritime port facility security assessments and security plan development |
| ISO/TC 68 | Financial services | Examples: ISO 9564, Financial services -- Personal Identification Number (PIN) management and security; ISO 13491-1:2007 and ISO 13491-2:2005, Banking -- Secure cryptographic devices (retail) -- Part 1: Concepts, requirements and evaluation methods -- Part 2: Security compliance checklists for devices used in financial transactions |
| ISO/TC 21 | Fire detection and alarm systems | Focus on safety measures |
| ISO/TC 92 | Fire hazard mitigation for building designs, materials, products and components | Focus on safety measures |
| ISO/TC 85 | Protection and security against nuclear and radiological threats | Focus on safety measures |
| ISO/IEC JTC 1 | Information technology | Security-related activities in several SCs; an extended description follows below |

Source: Own figure. Figure 23: Overview of the work of selected ISO TCs in the security field

185 GMDSS was introduced by the International Maritime Organisation (IMO). GMDSS is used in maritime emergency cases and alerts and communicates between rescue organisations and ships, but also provides general maritime safety information, for example navigational or meteorological information.
186 See European Telecommunications Standards Institute, "Public Safety, Our roles and activities", no date.
187 See International Organisation for Standardisation, "Technical committees", no date. http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees.htm

Within the joint technical committee between the ISO and the IEC on information technology188 (JTC 1), an important player is Sub Committee 27/Work Group 5, 'Identity Management and Privacy Technologies'. Its focus in the privacy field includes topics such as 'A Privacy Framework', 'A Privacy Reference Architecture', 'Privacy infrastructures', 'Anonymity and Credentials', 'Specific Privacy Enhancing Technologies (PETs)' and 'Privacy Engineering'. Privacy standards developed by the work group include, in particular, ISO/IEC 29100, ISO/IEC 29101 as well as ISO/IEC 29115.

In addition, the field covered by Sub Committee 37 Biometrics has become an important feature of all kinds of security products, systems and services. Several standards have been developed, especially regarding the biometric application programming interface (API), thus covering the basic functions of biometric applications, like identifying and verifying in combination with a database.189 Other standards are concerned with biometric data interchange formats, thus creating a common data format for the specific biometric records in order to guarantee interoperability. This includes finger minutiae,190 finger image,191 finger pattern spectral192 and finger pattern skeletal data,193 along with face,194 iris195 and vascular196 image data, signature/sign behavioural data,197 hand geometry silhouette data198 and DNA data.199 Another range of important standards, also closely related to the data interchange formats, concerns the interoperability and data interchange of biometric profiles which are already in use, for example for access control at airports or for biometric profiles used on Seafarers' Identity Documents (SID).200

188 See ISO, ISO/IEC JTC 1 Information technology, no date. http://www.iso.org/iso/iso_technical_committee?commid=45020
189 See ISO/IEC 19784-1:2006, Information technology -- Biometric application programming interface -- Part 1: BioAPI specification; ISO/IEC 19784-2:2007, Information technology -- Biometric application programming interface -- Part 2: Biometric archive function provider interface; ISO/IEC 19784-4:2011, Information technology -- Biometric application programming interface -- Part 4: Biometric sensor function provider interface.
190 See ISO/IEC 19794-2:2011, Information technology -- Biometric data interchange formats -- Part 2: Finger minutiae data.
191 See ISO/IEC 19794-4:2011, Information technology -- Biometric data interchange formats -- Part 4: Finger image data.
192 See ISO/IEC 19794-3:2006, Information technology -- Biometric data interchange formats -- Part 3: Finger pattern spectral data.
193 See ISO/IEC 19794-8:2011, Information technology -- Biometric data interchange formats -- Part 8: Finger pattern skeletal data.
194 See ISO/IEC 19794-5:2011, Information technology -- Biometric data interchange formats -- Part 5: Face image data.
195 See ISO/IEC 19794-6:2011, Information technology -- Biometric data interchange formats -- Part 6: Iris image data.
196 See ISO/IEC 19794-9:2011, Information technology -- Biometric data interchange formats -- Part 9: Vascular image data.
197 See ISO/IEC 19794-7:2014, Information technology -- Biometric data interchange formats -- Part 7: Signature/sign time series data; ISO/IEC 19794-11:2013, Information technology -- Biometric data interchange formats -- Part 11: Signature/sign processed dynamic data.
198 See ISO/IEC 19794-10:2007, Information technology -- Biometric data interchange formats -- Part 10: Hand geometry silhouette data.
199 See ISO/IEC 19794-14:2013, Information technology -- Biometric data interchange formats -- Part 14: DNA data.
200 See ISO/IEC 24713-1:2008, Information technology -- Biometric profiles for interoperability and data interchange -- Part 1: Overview of biometric systems and biometric profiles; ISO/IEC 24713-2:2008, Information technology -- Biometric profiles for interoperability and data interchange -- Part 2: Physical access control for employees at airports; ISO/IEC 24713-3:2009, Information technology -- Biometric profiles for interoperability and data interchange -- Part 3: Biometrics-based verification and identification of seafarers.
201 International Electrotechnical Commission, op. cit., 2014.

4.2.2. INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)

The IEC is "the world's leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies".201 Similarly to CEN and CENELEC, IEC and ISO cooperate on several matters, as was already shown above with the JTCs. Thus the management and working structure of the IEC is also similar to the other standardisation bodies – although in this case a bit slimmed down – with a management board supervising the technical committees, which can either themselves create working groups (WG), projects (PT) or maintenance teams (MT), or create subcommittees that are responsible for the WGs, PTs and MTs.

As emphasised earlier, CENELEC and IEC collaborate based on the Dresden agreement. Specific results in the field of security were the implementation of standardisations for alarm systems. For the IEC, the responsible TC was TC 79 Alarm and Electronic Security Systems,202 which created several standards that have been adopted by CENELEC. These cover all kinds of requirements such as the transmission of alarms,203 different alarm and electronic security systems (e.g. access control systems, intrusion and hold-up systems)204 and video surveillance systems.205 Recently, the IEC has also started to standardise social alarm systems, which have become more and more popular for elderly people living alone.

Beside ISO's and IEC's aforementioned JTC 1/SC 37 on biometrics, another SC of JTC 1 is developing standardisations for cards and personal identification – an important tool for identification at borders and thus essential for border security. The ISO/IEC JTC 1/SC 17 Cards and personal identification manages all kinds of identification cards – including ID cards for working/industrial purposes – and thus needs to cover a broad field with its standardisations. For border security, probably the most important standards here are

ISO/IEC 7501-2:1997 Identification cards – Machine readable travel documents – Part 2: Machine readable visa; and

ISO/IEC 7501-3:2005, Identification cards – Machine readable travel documents – Part 3: Machine readable official travel documents, simplifying the correct identification of persons at border controls.

Finally, biometrics also play an important role within identification cards, which are covered by ISO/IEC 24787:2010 Information technology -- Identification cards -- On-card biometric comparison. Thus, again similar to CENELEC, the IEC is only partly relevant regarding standardisations in the security sector. As a single standardisation body it deals – exhaustively – only with different alarm systems, and as a standardisation body co-operating with the ISO it also covers biometrics and identification card standardisations.

202 See International Electrotechnical Commission, "TC 79 Alarm and electronic security systems", 2014.
203 See IEC 60839-5, Alarm systems - Part 5: Requirements for alarm transmission systems.
204 See IEC 60839-10-1:1995, Alarm systems - Part 10: Alarm systems for road vehicles - Section 1: Passenger cars; IEC 60839-11-1:2013, Alarm and electronic security systems - Part 11-1: Electronic access control systems - System and components requirements; IEC 62642:2010-2011, Alarm systems - Intrusion and hold-up systems, Part 1 – Part 8.
205 See IEC 62676:2013, Video surveillance systems for use in security application – Part 1 – Part 4.
206 See International Telecommunication Union, no date. http://www.itu.int.

4.2.3. INTERNATIONAL TELECOMMUNICATION UNION (ITU)

The ITU206 has a slightly different organisational structure compared with the other standardisation bodies. The ITU in general is not only responsible for standardisation but also has a radiocommunication sector (ITU-R) as well as a development sector (ITU-D) for the development and improvement of ICTs in developing countries. The sector responsible for standardisation in the ICT sector is the ITU Telecommunication Standardisation Sector (ITU-T). On an organisational level, the general direction and structure of the ITU-T is set by the World Telecommunication Standardisation Assembly (WTSA). The priorities are divided amongst study groups (SG), of which ten exist in the current period (2013 – 2016).207 The SGs are responsible for the development of normative recommendations – which are equivalent to the standards created by the other standardisation bodies – with a main concern on the interoperability of telecommunication networks. Beside the normative recommendations, ITU-T also develops, similar to the technical reports, ITU-T Handbooks, Implementer's Guides and Supplements.

The Study Group (SG) 17 – Security is of most relevance for CRISP. It aims at the development and maintenance of the security of information and communication technologies. The SG developed a security standards roadmap which shows the security needs within the ICT sector, the currently available/approved security standards of different regional and international standardisation bodies208 and the security standards currently under development.209 In the next section, only security standards approved by the ITU-T will be analysed. The ITU-T recommendations largely deal with providing a secure way of data delivery for a wide range of ICT and also with communication in regard to security incidents or crises. SG 17 is structured into five WPs: Fundamental security (WP1); Network and information security (WP2); Identity management and cloud computing security (WP3); Application security (WP4) and Formal language (WP5).

Probably the most prominent ITU-T recommendation for security purposes is the recommendation ITU-T X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks, a joint activity of the ITU with the ISO and IEC. This recommendation is the main standard for security in web communication and largely responsible for providing secure e-commerce. It defines public-key and attribute certificates as well as authentication services. This includes simple authentication by password and strong authentication using cryptographic techniques.210 Resulting from this scope of security questions are a large number of recommendations, mostly represented by Series X on data networks, open systems communication and security. Series X covers a large number of topics. Those include

- Access control and authentication mechanisms, more precisely on telebiometrics related to human physiology211 defining “quantities and units for physiological, biological or behavioural characteristics that might provide input or output to telebiometric identification or verification systems (recognition systems)”212; and

- Other biometrical recommendations, providing a framework for different security issues related to biometrics, like privacy and authentication.213

207 See International Telecommunication Union, “ITU-T Study Groups (Study Period 2013 - 2016)”, 2014.
208 See International Telecommunication Union, “Part 2: Approved ICT Security Standards”, 2014.
209 See International Telecommunication Union, “Part 3: Security standards under development”, 2014.
210 See International Telecommunication Union, “ICT Security Standard "ITU-T X.509 | ISO/IEC 9594-8" details”, 2010.
211 See ITU, “ITU-T X.1082, Telebiometrics related to human physiology”, 11.2007; amended in 10.2009 and in 05.2010; ITU, “ITU-T X.1084, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system”, 05.2010; ITU, “ITU-T X.1088, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system”, 05.2008; ITU, “ITU-T X.1089, Telebiometrics authentication infrastructure”, 05.2008.
212 See ITU, op. cit., 05.2010a, p. 1.

Other topics relate to cybersecurity in general, covering:

- Cybersecurity information exchange techniques;214
- Exchange of known vulnerabilities and exposures215 and special methods for the exchange of incident information as a real-time inter-network defence (RID);216 and
- Methodologies on cybersecurity risk assessments for organisations.217

Furthermore, security recommendations relate to:

- Requirements for the protection of digital identity;218
- Common alerting protocols for emergency services;219
- Risks resulting from spam and spyware;220
- Security requirements for wireless networks.221

Thus, as outlined already, the large number of security standards issued by the ITU deal with security threats on different data networks and communication systems.

4.3. WORK OF SPECIFIC TECHNICAL COMMITTEES

4.3.1. INTRODUCTION

As mentioned in Chapter 4.3.1, the foundation for the studies presented in this sub-chapter is the M/487 Final Report Phase 1,222 which offers an overview of European TCs that develop(ed) standards on security. It distinguishes between two groups: TCs with “high relevance” for the security industry and TCs with “low relevance,” whose main focus is on other topics. CRISP focuses on the first group for in-depth analyses. In addition, the websites of the ESOs were searched for new TCs in the security field which were established in 2012 or later; these were added to the selected TCs.

213 See ITU, op. cit., 10.2011.
214 See ITU-T X.1500, Cybersecurity information exchange techniques, 04.2011; amended in 03.2012, 09.2012, 04.2013, 09.2013, 01.2014.
215 See ITU-T X.1520, Common vulnerabilities and exposures, 01.2014.
216 See ITU-T X.1580, Real-time inter-network defence, 09.2012.
217 See ITU-T X.1208, A cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies, 2014.
218 See ITU-T X.1171, Threats and requirements for protection of personally identifiable information in applications using tag-based identification, 02.2009.
219 See ITU-T X.1303, Common alerting protocol (CAP 1.1), 09.2007.
220 Those are covered by a range of recommendations, addressing several problems as a result of spam and spyware, as for example guidelines for telecommunication operators (ITU-T X.1207), or technical strategies and guidelines for countering spam, email spam and SMS spam (ITU-T X.1231; ITU-T X.1240 and ITU-T X.1241; ITU-T X.1242).
221 See ITU-T X.1313, Security requirements for wireless sensor network routing, 10.2012.
222 See European Commission, Mandate M/487 to Establish Security Standards. Final Report Phase 1. Analysis of the Current Security Landscape, 09 May 2012.


Ten TCs were selected for detailed analyses and interviews. New TCs indicate an establishment due to current security needs; therefore an emphasis was mainly put on young TCs. The remaining TCs were asked to answer a series of questions. TCs chosen for detailed investigations include:

- CEN/CLC/TC 4 PC Services for fire safety and security systems
- CEN/TC 224 Personal identification, electronic signature, cards and their related systems and operations
- CEN/TC 278 Road transport and traffic telematics
- CEN/TC 325 Crime prevention by urban planning and building design
- CEN/TC 379 PC - Supply chain security
- CEN/TC 388 Perimeter protection
- CEN/TC 391 Societal and citizen security
- CEN/TC 417 PC Maritime and port security services
- CEN/TC 419 Forensic science services
- CLC/TC 79 Alarm systems

The questions that formed the basis of interviews conducted by CRISP are provided in the annex. Analyses of the relevant TCs are presented in the following sub-chapters. All remaining security-related TCs identified as “high relevance” were contacted via email; participants were asked to provide short written responses. These topics are presented in the annex. The results are presented in Chapter 4.3.12.

4.3.2. CEN/CLC/TC 4 PC SERVICES FOR FIRE SAFETY AND SECURITY SYSTEMS

According to its website,223 the Project Committee CEN/CLC/TC 4 is developing a basic standard for services for fire safety and security systems. It aims at specifying the requirements for the quality of services supplied by companies and the competencies of staff charged with the planning and design, engineering, installation and handover, maintenance and repair of fire safety and/or security systems. Examples of fire safety and/or security systems are fire detection, fire extinguishing, voice alarm, intruder alarm, hold-up, access control, social alarm, smoke and heat exhaust ventilation, CCTV systems, control equipment for escape and evacuation routes, and combinations of these systems. The committee was established in 2011 in response to EU Directive 2006/123/EC224 on services in the internal market. This directive aims at establishing a single European market for services and requests all EU Member States to remove legal and administrative obstacles to the free movement of services and to develop European standards for uniform quality assurance for the provision of services. The European standardisation organization CEN was then commissioned by the European Commission to draw up a work program for the development of service standards (Mandate M/371), which was the foundation of the establishment of CEN/CLC/TC 4.

223 See European Committee for Standardisation, “CEN/CLC/TC 4 - Project Committee - Services for fire safety and security systems”, 2014.
224 See European Parliament and the Council, Directive 2006/123/EC of the European Parliament and the Council of 12 December 2006 on services in the internal market, 2006.


Consisting of representatives of seventeen EU countries, the TC plans to finish the development of its standard EN 16763 Services for fire safety systems and security systems in 2015 (the Enquiry Stage225 finishes in September 2014). With regard to future activities, EN 16763 defines general service provider requirements for all fields of expertise. Since different application requirements exist in the relevant fields of expertise, EN 16763 will serve as a basic standard and as a foundation for specific application guidelines. These documents need to be developed for the different security sectors, covering planning, design, installation, commissioning, verification, handover and maintenance of security and safety systems. Frameworks for the development of these guidelines need to be defined. Founded to develop EN 16763, CEN/CLC/TC 4 is a project committee only. CEN/TC 72 “Fire detection and fire alarm systems”, TC 191 “Fixed firefighting systems” and CLC/TC 79 “Alarm systems” are responsible for the relevant security areas, but their scope does not include services. Therefore it is to be decided whether CEN/CLC/TC 4 should become a fully-structured TC in the future or whether the scope of the other three TCs should be extended. Specific information on the interrelation between the TC and the European certification landscape is given in Figure 24. Perceived problems of multinational standardisation processes (not only in the context of security-related certification) communicated by a member of the TC include in particular already existing national standards and the need for changes. With regard to the development of certifying services, it is regarded as challenging to define certification criteria, operationalize them and to measure compliance.

Most important security-related standards of the TC

prEN 16763 Services for fire safety systems and security systems (under development)

Security-related standards of the TC which form the basis of testing and certification processes: Not yet relevant

Certification organizations that are responsible for issuing such certificates: Not yet relevant

What is standardised: Services, processes

Security-related standards related to European directives or regulations: prEN 16763 Services for fire safety systems and security systems: Directive 2006/123/EC; Directive on fair competition in Europe

Major topics of the security-related standards: Basic requirements on security service companies, on the knowledge and experience of the staff and on the quality of the services

Main effects on the market so far: No specific effect so far

Additional security-related standards of the TC that might form the basis of testing and certification processes: prEN 16763: Services for fire safety systems and security systems

Certification organizations that might be responsible for issuing such certificates: Everyone who fulfils specific requirements of the European Certification Council can offer such certification services, but there are only a few organizations experienced in the certification of security services. Examples: VdS, TÜV, LPCB, SBSC, et al. Eight national and European certification bodies already participate in talks on the use of the EN for certification.

Additional comments: An interesting approach to collaborating with certification bodies is used. European standardisation and certification is shaped by specific framework conditions in Member States. With regard to prEN 16763 different qualification frameworks exist,226 but countries participating in CEN/CLC/TC 4 started adaptation processes.

Source: Own figure
Figure 24: Interrelation between CEN/CLC/TC 4 and the European certification landscape

225 CEN provides a flowchart ‘Drafting of European Standards up to Enquiry stage’ at http://boss.cen.eu/developingdeliverables/EN/Documents/ENtoENQ.pdf

The committee follows an innovative approach of collaborating with certification bodies early, and as such offers an interesting example from which to learn. In cooperation with the EURALARM service section227 and the EURALARM Working Group, CERT (the chair of the TC) could organize a first meeting with eight national and European certification bodies active in EURALARM in May 2014 to present the current version of EN 16763 and to exchange views on its future use for certification. Additional meetings are planned. A next step will include an in-depth analysis of potential problems regarding the use of the standard for certification. An interviewee of the TC stressed the importance of “one stop testing – one stop certifying”228 to receive one certificate which is valid in Europe. The innovative approach of the EFSG group and its progress towards European certification solutions were highlighted in this regard.

4.3.3. CEN/TC 224 PERSONAL IDENTIFICATION, ELECTRONIC SIGNATURE, CARDS AND THEIR RELATED SYSTEMS AND OPERATIONS

The TC on personal identification, electronic signature and cards was established in 1989. Its activities were initially focused on standards for cards in sectors such as telecommunications, health, transport and banking/payment. They targeted both functionality and security aspects. Over time, the CEN/TC 224 work has broadened and included personal identification related aspects in a multi-sectorial environment. Digital economy, dematerialised services and associated secure technologies are considered to be a growth area for Europe. This impacts the scope of the TC, which is currently undergoing a review. Future activities of the committee will further concentrate on interoperability issues

226 See European Commission, European Qualifications Framework for lifelong learning, no date.
227 See EURALARM, Section Members Meeting Services, no date.
228 See chapter 3.3.1


as well as on security of personal identification and related personal devices, systems and operations such as:

- operations such as applications and services like electronic identification, electronic signature, payment and charging, access and border control;
- personal devices with secure elements, independently of their form factor, such as cards, mobile devices, and their related interfaces;
- security services including authentication, confidentiality, integrity, biometrics, protection of personal and sensitive data;
- system components such as accepting devices, servers and cryptographic modules.

Sectors such as public transport, road tolling, passports, and e-payments are now widely using contactless technology. Other sectors such as financial services are implementing this technology in their cards. Moreover, thanks to contactless and NFC229 technologies, mobile devices may now be used for face-to-face transactions. This is also an area of further work for the committee. CEN/TC 224 will also further explore a multi-sectorial dimension with special emphasis on sectors such as Government/Citizen, Transport, Banking and e-Health. It will also include the views of consumers and of providers from the supply side such as card manufacturers, security technology providers, conformity assessment bodies and software manufacturers. The grouping of companies and alliances between the operators of different sectors may also occur in liaison with the development of multi-application solutions. TC 224 currently encompasses the following working groups:

- WG6: User interface and accessibility
- WG11: Surface Transport Applications
- WG15: European Citizen Card (ECC)
- WG16: Electronic Signature: SSCD based on ISO 7816
- WG17: Electronic Signature: Protection profiles for products and applications
- WG18: Interoperability of biometrics recorded data

The following international and European TCs are relevant for CEN/TC 224:

- ISO/IEC JTC 1/SC 17 “Cards and personal identification”
- ISO/IEC JTC 1/SC 27 “IT Security techniques”
- ISO/IEC JTC 1/SC 37 “Biometrics”
- ISO/TC 68/SC 7 “Core Banking”
- CEN/TC 251 “Health informatics”, for healthcare applications
- CEN/TC 278 “Road transport and traffic telematics”, for surface transport applications
- ETSI Electronic Signature Infrastructure Committee.

All parties involved in the development and production of systems and infrastructures are represented. These include:

- industry of cards and related smart secure devices (including components and cards manufacturers, personalisators as well as security service providers);
- experts in security and cryptography, and providers of cryptographic modules;
- operators of the various application sectors;
- public authorities;
- conformity assessment bodies;
- software manufacturers and consumers.

229 Near Field Communication

CEN/TC 224 has also established liaisons with several European and international organisations. Most recent security-related trends in the committee have covered electronic ID based services, e-Government and e-business, privacy by design aspects and electronic payments. These trends are also expected to shape the activities of the committee in the months to come. Most recent security-related projects covered the European Citizen Card, electronic signature and other trust services, and biometrics for border control. Some of these projects have been driven by manufacturers and others by EU regulations (see further below). Other projects are coherent with the scope of ISO international standardisation activities, where the European Commission is encouraging European actors to play a much more proactive role. Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table.

Most important security-related standards of the TC

- TS 15480, ECC, in 5 parts
- EN 419212, Application interface for SSCD, in 5 parts
- EN 419111, Protection profiles for signature creation and verification application (5 parts)
- EN 419211, Protection profiles for SSCD (6 parts)
- EN 419221, Protection profiles for TSP cryptographic modules (5 parts)
- EN 419231, Protection profiles for systems supporting time stamping
- EN 419241, Protection profiles for systems supporting server signing (2 parts)
- EN 419251, Protection profiles for devices for authentication (3 parts)
- EN 419261, Security requirements for trustworthy systems managing certificates for electronic signatures
- EN 419103 Conformity assessment for signature creation and validation
- EN 419203 Conformity assessment for secure devices and trustworthy systems

Security-related standards of the TC which form the basis of testing and certification processes: Not relevant. In general, the ISO Common Criteria form the basis for IT security certification. CEN/TC 224 does not duplicate the work of ISO but either transposes some of the related international standards or uses them as the basis for specific European works. In a number of cases the ultimate objective of the work of the TC is to contribute to international standardisation. The TC deals with the development of a considerable number of protection profiles for each component of the electronic signature process.

Certification organizations that are responsible for issuing such certificates: Not relevant.

What is standardised (products, component, material, processes, procedures, system or service): Products: secure signature creation device, device for online authentication, cryptographic modules for Trust Service Providers, time stamping systems, server signing. Applications: signature creation and verification. Product/process: capture of biometric data.

Security-related standards which are related to European directives or regulations: Electronic signatures and trust services, shaped by the proposal for a Regulation on eID and trust services for electronic transactions in the internal market. This Regulation will be a powerful legal instrument for the promotion of the digital economy in the internal market. Various national or European regulations exist in relation to the work of CEN/TC 224, such as on electronic identification, data protection, identity cards, electronic ticketing, Schengen visa and passport, electronic signature and payment. These are:
- Directive 1999/93/EC on electronic signatures and the Regulation proposal on electronic identification and trust services for electronic transactions in the internal market: all standards related to electronic signatures.
- Directive 1995/46/EC on data protection and the Regulation proposal on general data protection: potentially all standards.
- Directive 2007/64/EC on payment services as well as the proposal for its revision. The Green Paper of the European Commission "Towards an integrated European market for card, internet and mobile payments" and the Euro Retail Payments Board launched by the European Central Bank form a framework for further standardisation activities of CEN/TC 224.
- Potential activities for TC 224 might draw inspiration from the White Paper of the European Commission defining a roadmap to a Single European Transport Area – Towards a competitive and resource efficient transport system (2011): EN 1545 (Data elements), EN 15320 (Interoperable Public Transport Application Framework).

Major topics of the security-related standards, including topics beyond security such as trust, efficiency and freedom infringement: A major topic for security-related standards is interoperability among components of systems, such as the creation of a qualified electronic signature by an SSCD or the commands/protocol between components (card/reader). Another major topic is the protection of personal data. A third major topic is trust: the TC involves consumer representatives as a guarantee for including consumer requirements in its work and for building trust. The TC also acts in close contact with various consumer organizations working, amongst others, on accessibility of services for people with disabilities. However, enhancing consumer trust is not only a question of standardisation, it is also a communication issue. Trust is difficult to establish and can be quickly lost. Trust considerations are very much linked to consumers’ perceptions and the role of media. In some cases the most effective solution to create a link between a certification process and trust is through a label.

Main effects on the market and expectations: Effects: interoperability of security products/services, security of other services, cross-border recognition of security products/services. Expectations: enhancing the internal market for the above mentioned products and services.

Additional comments: Any new methodology for certification developed in the framework of the CRISP project should factor in already existing practices and methodologies. It might also be useful to take into account methodologies specified outside the ESOs, such as the one developed by the European Payments Council, which provides specifications of standards in the area of mobile payments and has defined a methodology for certification applicable in the field of security. Finally, there might be the need to strike a balance between attempts to achieve a uniform methodology and the benefits of a portfolio of ad hoc methodologies.

Source: Own figure
Figure 25: Interrelation between CEN/TC 224 and the European certification landscape

The TC’s activities are aimed at providing a sound basis for the development of numerous trusted applications based on personal identification and for trust in electronic transactions. Enhanced interoperability in security of personal identification related products and services is of utmost importance. In this respect, the increased mobility of European citizens through the EU requires cross-border interoperability of these systems. There is also the ambition of strengthening the position of the supply side for non-European markets. The “trust” dimension receives special emphasis in the committee’s activities. Consumer confidence (including security, quality, ergonomic and privacy aspects) is a key factor for successful market development and integration. Stakeholders’ involvement is inherent to the functioning of the committee. This guarantees that demand for security standards is not exclusively driven by the supply side. An interviewee stressed the importance of avoiding any conflict of interest in the development of security standards. Such standards should always include requirements that satisfactorily match all possible risks. Security standards should be developed by balancing profit considerations and the public interest. In this sense, the role of the European Commission in coordinating some of the most strategic security standardisation activities is crucial, and active stakeholder participation is a dominant point of attention for CEN/TC 224.

4.3.4. CEN/TC 278 ROAD TRANSPORT AND TRAFFIC TELEMATICS

CEN/TC 278 develops standards in the field of telematics to be applied to road traffic and transport, including those elements that need technical harmonization for intermodal operation in the case of other means of transport. So far, CEN/TC 278 has published over 160 standards and is currently working on 60 work items (both revisions of standards and development of new standards). Main topics within this TC are:

- Communication between cars: new technologies which enable cars to communicate and form the basis for self-operating vehicles.
- TMC: the technology used to enable drivers to receive up-to-date traffic information through their GPS system.
- EETS: a user fee collection system enabling drivers to enter toll roads with one electronic device. This subject has a close relation with privacy issues: the device might enable organizations to know exactly when a driver was where. This might not be a problem for professional transport, but consumers are not very willing to share that information.
- eCall: a system which automatically connects the driver to the emergency center in case of an accident. This system becomes compulsory for all newly produced cars in Europe from 2015 onwards.
- Public transport chip cards.

Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table:

Most important security-related standards of the TC: See above

Security-related standards of the TC which form the basis of testing and certification processes: The main standards are technical specifications. For almost all standards, including the ones for EETS and TMC, testing standards have been developed as well (http://standards.cen.eu/dyn/www/f?p=204:32:0::::FSP_ORG_ID:6259&cs=1EA16FFFE1883E02CD366E9E7EADFA6F7).

Certification organizations that are responsible for issuing such certificates: Unknown; many manufacturers use the testing standards for their own internal quality procedures.

What is standardised (products, component, material, processes, procedures, system or service): Products, components, systems

Security-related standards which are related to European directives or regulations: Standardisation Mandates M/338 and M/453 are based on Directive 2004/52/EC on the interoperability of electronic road toll systems. Many standards were developed under these mandates. For a full list, see the mandate reports.230

Major topics of the security-related standards, including topics beyond security such as trust, efficiency and freedom infringement: In almost all standards developed by TC 278, privacy is a major topic. Often, the transport sector has less of a problem with the possibility to know someone’s whereabouts, but consumers do have a problem with that. The same goes for public transport chip card systems. Efficiency: the aim of many standards is to use the roads more efficiently. Other relevant items are less pollution, fewer traffic victims and a more convenient use of public transport.

Main effects on the market so far: The market focuses mainly on the future. Producers use the standards for their own internal procedures and product development. Since there is no legal basis (yet) which obliges systems to cooperate, information is not being shared among organisations. The issue of privacy only comes into sight once standards are being implemented; it could be useful to incorporate that topic more into the standardisation process.

Additional security-related standards of the TC that might form the basis of testing and certification processes: No response

Certification organizations that might be responsible for issuing such certificates: No response

Additional comments: No response

Source: Own figure
Figure 26: Interrelation between CEN/TC 278 and the European certification landscape

As shown above, privacy is a major topic in almost all standards developed by TC 278. Nevertheless, it was observed that the issue only comes into sight once standards are being implemented. Therefore it was suggested to incorporate that topic more into the standardisation process. In addition, no certification body concerned with these issues seems to exist. The potential need for certification services in this field, its possible benefits, as well as the development of appropriate solutions require further research.

230 Link M/338: ftp://ftp.cencenelec.eu/CENELEC/EuropeanMandates/m338en.pdf, link M/453: http://ec.europa.eu/enterprise/sectors/ict/files/standardisation_mandate_en.pdf


4.3.5. CEN/TC 325 CRIME PREVENTION BY URBAN PLANNING AND BUILDING DESIGN

CEN/TC 325 involves the development of European standards for the prevention of crime at industrial facilities, educational institutions, hospitals, residential building areas, department stores, squares and public meeting places through building, facility and area design. It is the intention that the standards may be applied to new and significantly refurbished buildings, facilities and areas. The standards are comprehensive with regard to urban planning and building design. Standards in CEN/TC 325 include their area of application, the corresponding strategy, security levels, building and area layout, application of construction elements, roads and pavements. CEN/TC 325 specifies that its standards will not deal with building products and security system components. Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table:

Most important security-related standards of the TC

EN 14383-1:2006 Prevention of crime - Urban planning and building design - Part 1: Definition of specific terms
ENV 14383-2:2003 Prevention of crime - Urban planning and design - Part 2: Urban planning
CEN/TS 14383-3:2005 Prevention of crime - Urban planning and building design - Part 3: Dwellings
CEN/TS 14383-4:2006 Prevention of crime - Urban planning and design - Part 4: Shops and offices
CEN/TR 14383-5:2010 Prevention of crime - Urban planning and building design - Part 5: Petrol stations
CEN/TR 14383-7:2009 Prevention of crime - Urban planning and building design - Part 7: Design and management of public transport facilities
CEN/TR 14383-8:2009 Prevention of crime - Urban planning and building design - Part 8: Protection of buildings and sites against criminal attacks with vehicles

Security-related standards of the TC which form the basis of testing and certification processes

Crime follows trends that change over time and differ from place to place, from region to region and from facility to facility.

Certification organizations that are responsible for issuing such certificates

So far none: the standards give guidance for urban planners, security engineers and facility managers.

A certification could be built on the competence of a person to apply the described prevention processes. The result could be a certified engineer (certified by a body operating according to EN ISO/IEC 17024) who has the knowledge and experience to plan a facility according to EN 14383.


What is standardised

Terminology: EN 14383-1 in three languages (EN-FR-DE). Process: planning for crime prevention in Parts 2-8.

Security-related standards related to European directives or regulations

None

Major topics of the security-related standards

The standards provide proposals for reducing the risk of criminal activity, fears of criminality and antisocial behaviour by the means of planning.

Main effects on the market so far

The standards are used in planning processes as guidance or as a reference in a contract.

Additional security-related standards of the TC that might form the basis of testing and certification processes

-

Certification organizations that might be responsible for issuing such certificates

So far nobody.

Additional comments

No response

Source: own figure Figure 27: Interrelation between CEN/TC 325 and the European certification landscape

4.3.6. CEN/TC 379 PC - SUPPLY CHAIN SECURITY

This committee was established as a Project Committee (PC); its aim was to develop a single standard. The PC was established to complete work under a standardisation mandate from the EC and investigated the need for supply chain security standardisation. Even though the investigation showed that the European transport organisations did not feel the need for supply chain security standardisation, it led to the development of a standard for the reporting of crime in the transport sector. In situations where a driver is robbed in Europe, he has to report the incident to the local police. This is often difficult due to language problems. The standard provides a form with questions to be filled in by the driver; this eases the process of reporting the robbery. Since the standard has been published, the PC has been disbanded. On a global level, the ISO 28000-series for supply chain security was developed, focussed mainly on security management systems. These standards have not been adopted as European standards. Possible future standardisation projects might include standards for secured parking lots and security screening of supply chain personnel. Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table:


Most important security-related standards of the TC

Mostly used are the ISO 28000 standards, even though they have not been adopted as ENs.

Security-related standards of the TC which form the basis of testing and certification processes

ISO 28000-series

Certification organizations that are responsible for issuing such certificates

Among others: Lloyds, Veritas, SGS, TUV, DNV

What is standardised: products, component, material, processes, procedures, system or service

ISO 28000: processes, procedures

Security-related standards which are related to European directives or regulations

None

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement

In the European standards: trust that reporting to the police gets easier, as well as efficiency

Main effects on the market so far

Unknown

Additional security-related standards of the TC that might form the basis of testing and certification processes

None

Certification organizations that might be responsible for issuing such certificates

None

Additional comments

The supply chain organisations are not in favour of 3rd party certification, since they feel that certification might cost more than it would yield.

Source: Own figure Figure 28: Interrelation between CEN/TC 379 and the European certification landscape

The committee addresses the need for supply chain standards stressed by Mandate M/419 Standardisation Mandate Addressed to CEN for the development of a Series of Standards on Supply Chain Security231 in 2007. Interestingly, Figure 28 shows that several European certification bodies use the international ISO 28000-series for certification, although, as noted, these standards have not been adopted as European standards.

231 See European Commission, Mandate M/419 Standardisation Mandate Addressed to CEN for the development of a Series of Standards on Supply Chain Security, 23 November 2007.

4.3.7. CEN/TC 388 PERIMETER PROTECTION

CEN/TC 388 aims at developing standards for perimeter protection systems. These systems include products, but the TC does not develop product standards. For example, standards for steel fences are developed in the TC for Steel Products and are related to the Construction Products Directive. CEN/TC 388 focuses on perimeter protection systems on the terrains surrounding buildings, but not on systems within the buildings. For example, the perimeter protection system can include a barrier and attached cameras, but CEN/TC 388 standards do not describe the technical specifications for the camera and the barrier. CEN/TC 388 has published one document, namely CEN/TR 16705 ‘Perimeter protection – Performance classification methodology’. This TR describes different types of security and gives guidance for the classification of perimeter protection systems. It also describes how a system can be established.

The TC is no longer active, due to the lack of resources (both financial and human). The reasons for this were explained in detail during an interview. Due to the global economic crisis, providers who used to work in different countries now mainly focus on their own national market. There is no longer as great a need for European standardisation. Also, the economic situation makes it hard for the providers to devote time to the standardisation process. A development which is possibly relevant is the fact that security seems to move from terrains to buildings. Due to the focus on the security of buildings, organisations feel less need to protect their terrains. Due to the current inactivity of the TC, there are no concrete plans. If new resources are found, a first step would be to describe the different classes of perimeter protection systems, since the current TR only describes how to classify them, without defining actual classes. Specific information on the interrelation between the TC’s standard and the European certification landscape is given in the following table:

Most important security-related standards of the TC

CEN/TR 16705

Security-related standards of the TC which form the basis of testing and certification processes

TR 16705 is not used for certification, but if classes were defined, those could be the basis for certification.

Certification organizations that are responsible for issuing such certificates

None

What is standardised: products, component, material, processes, procedures, system or service

Systems of security products

Security-related standards which are related to European directives or regulations

None, but product standards (e.g. for fences and garage doors) from other TCs are related to the TR.

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement

It seems that if, e.g., fences look more robust, people feel more secure (even if the robustness is just appearance).

Main effects on the market so far

Unknown

Additional security-related standards of the TC that might form the basis of testing and certification processes

None


Certification organizations that might be responsible for issuing such certificates

None

Additional comments

None

Source: Own figure Figure 29: Interrelation between CEN/TC 388 and the European certification landscape

As described above, the stakeholder involvement and financing of the TC are the main reasons for its current inactivity. This seems to be related to the economic crisis and the fact that providers focus on their own national markets more than on the European market.

4.3.8. CEN/TC 391 SOCIETAL AND CITIZEN SECURITY

The main objective of CEN/TC 391 is to elaborate a family of European standards and standard-like documents (e.g. procedures, guidelines, best practices, minimal codes of practice and similar recommendations) in the Societal and Citizen Security sector, including aspects of prevention, response, mitigation, continuity and recovery before, during and after a destabilising or disruptive event. Verification and training are also considered. CEN/TC 391 does not deal with issues already dealt with in other TCs. Concerning technology, the TC may identify needs in product standardisation, but this does not lead to direct action by this committee. CEN/TC 391 has three working groups:

WG 1 Security in healthcare facilities: develops a guideline for security management in healthcare facilities.

WG 2 CBRNE: has developed CEN/TS 16595 ‘CBRNE - Vulnerability assessment and protection of people at risk’ and works on a guideline for education, training and exercise of first responders to CBRNE incidents.

WG 3 Crisis management: was established in 2014 and is currently establishing its work program.

CEN/TC 391 was responsible for Mandate M/487 (2013), in which the standardisation gaps and stakeholder needs were investigated in the fields of crisis management, CBRNE and border security. Based on the results of this mandate, DG ENTR is currently working on new standardisation mandates, in which it requests the ESOs to develop standards in the fields of crisis management and CBRNE. The following topics will possibly be included in the new mandates:

CBRNE glossary
CBRNE air purifying
CBRNE security as part of ongoing PPE mandate
CBRNE education and training
CBRNE in Health Care facilities
Crisis management glossary
Crisis management guidance
Crisis management training and exercise


New mandates are expected to be issued early 2015 and most of the work to develop these standards will be completed by CEN/TC 391. CEN/TC 391 has a close relation with ISO/TC 223 Societal Security. For every standard published by ISO/TC 223, CEN/TC 391 decides whether or not it will be adopted as a European Standard. Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table:

Most important security-related standards of the TC

EN-ISO 22300: Societal security – terminology
EN-ISO 22301: Societal security – Business continuity management systems – requirements
CEN/TS 16595: CBRN - Vulnerability Assessment and Protection of People at Risk

Security-related standards of the TC which form the basis of testing and certification processes

EN-ISO 22301 is used for certification of organisations

Certification organizations that are responsible for issuing such certificates

Among others: Certification Europe, BSI, DNV, Lloyds, PECB, SGS

What is standardised: products, component, material, processes, procedures, system or service

Management systems

Security-related standards which are related to European directives or regulations

So far none, but future mandate-related standards might (but do not have to!) have a relation to regulations.

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement

All societal security standards are related to the trust people have in the fact that, if a major incident happens, they will be safe.

Main effects on the market so far

No response

Additional security-related standards of the TC that might form the basis of testing and certification processes

None

Certification organizations that might be responsible for issuing such certificates

Unknown

Additional comments No response

Source: Own figure Figure 30: Interrelation between CEN/TC 391 and the European certification landscape

Conformity assessment based on EN-ISO 22301 Business continuity management systems – requirements provides an interesting example of the intense use of a standard for certification in different countries, but the relationship between the different certification bodies requires additional investigation.


4.3.9. CEN/TC 417 MARITIME AND PORT SECURITY SERVICES

The scope of TC 417 comprises the development of one specific standard which is going to be called “Maritime and Port Security Services” and is currently in the stage of public review, which means it can be viewed online without further costs (e.g. on the website of the Austrian Standardisation Institute232). The committee was set up in 2011. Its objective is the development of the aforementioned standard. It will cease to exist once this standard has been published. The public review phase of the standard will last until August 2014. It is expected that the standard will be launched in the third or fourth quarter of 2015.

The main reason for the establishment of this committee was to elaborate a standard for a specific sector of European security services. This parallels a previous committee, headed by the same organisation and chairperson, which was set up to introduce a standard for aviation security services (CEN/TC 384). Not surprisingly, the major companies active in the EU in the field of private services provision are members of this committee. TC 417 takes up the work of CEN TC 384 and contributes to the overall aim to fully cover the whole of the European Security Services Sector. COESS, the European lobbying organisation for private security services, has been the driving force behind CEN TC 384 and 417. Upon conclusion of ongoing work in CEN TC 384, it is anticipated that a new TC will be set up, broadly charged with developing standards for sectors not covered until now. The most prominent of these are security services for transport and supply chain security. In contrast to the current configuration, therefore, it is expected that this new body will issue more than one standard.

Limited information was obtained regarding the specifics of how certification of the “Maritime and Port Security Services” standard will be implemented, as the technical secretary is not involved in detailed work on security services. Nor does his organisation (Austrian Standards) offer certification for this TC’s predecessor, the TC which set up the standard for Aviation Security Services (EN 16082:2011).
Specific information on the interrelation between the TC and the European certification landscape is given in Figure 31.

Most important security-related standards of the TC

prEN 16747 Maritime and port security services

Security-related standards of the TC that form the basis of testing and certification processes

prEN 16747 Maritime and port security services

Certification organizations that are responsible for issuing such certificates

This is the first and only standard of CEN/TC 417. Certification has therefore not yet occurred. In the future, similarities to EN 16082:2011 are possible regarding the implementation of, and the certification based on, the standard, as well as regarding the certification bodies involved.

232 Austrian Standards, 2014. https://www.austrian-standards.at/home/


What is standardised

The standard concerns port and maritime security and regulates issues such as:
• Specific human resources management;
• Identification, recruitment and management of service staff;
• The certified organisation must have a concept of corporate governance in place;
• Training measures (basic, for specific tasks, additional supplementary training, structured on-the-job training, refresher training)

Security-related standards related to European directives or regulations

Not relevant

Major topics including beyond security, such as trust, efficiency and freedom infringements.

The standard specifies and specifically mentions requirements that ensure quality in organization, processes, personnel and management of security services providers. It stipulates quality criteria for security services providers and can be used to select, award and review successful private security services bidders.

Main effects on the market so far

As above

Additional security-related standards of the TC that might form the basis of testing and certification processes

Remaining sectors of private security services provision (e.g. security services for supply chain, critical infrastructures, transport not yet covered).

Certification organizations that might be responsible for issuing such certificates

As above

Additional comments

Any inferences from this TC’s work to the standardisation and certification landscape in Austria are not fruitful, as the technical secretary of TC 417 is not involved in detailed, content-related work in this field.

Source: Own figure Figure 31: Interrelation between CEN/TC 417 and the European certification landscape

As mentioned previously, it is anticipated that after TC 417’s conclusion a new TC will be set up with a broader scope: to develop standards for those sectors of the private security services market which have not yet been covered by a standard. Opportunities to use the potential standards for certification will need to be investigated in more detail.

4.3.10. CEN/TC 419 FORENSIC SCIENCE SERVICES

CEN/PC 419 was established in 2012. The main motivation for this was the increase in trans-boundary crime and the need to coordinate chains of forensic investigation. The work program consists of the development of four standards, based on the work flow within forensic organisations. The four standards cover:


Crime scene investigation
Analysis
Interpretation of results
Evaluation and reporting

The first standard (CSI) is already under development; the other three work items will start at the end of 2014 / early 2015. Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table:

Most important security-related standards of the TC

See above, since the standards are under development, they do not have a number and title yet.

Security-related standards of the TC which form the basis of testing and certification processes

Forensic labs are certified on the basis of ISO 17020 and ISO 17025, which are the general certification standards for labs. There is no specific certification for forensic labs, but the standards developed under PC 419 might form the basis for that in the future.

Certification organizations that are responsible for issuing such certificates

ISO 17020 and ISO 17025: only accreditation, e.g. by RVA and UKAS

What is standardised: products, component, material, processes, procedures, system or service

Processes, procedures and competencies

Security-related standards which are related to European directives or regulations

None

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement

Forensic investigation, specifically at crime scenes, is often related to e.g. dealing with victims with dignity and dealing with personal belongings.

Main effects on the market so far

Unknown, since standards are still under development.

Additional security-related standards of the TC that might form the basis of testing and certification processes

None

Certification organizations that might be responsible for issuing such certificates

None

Additional comments

None

Source: Own figure Figure 32: Interrelation between CEN/TC 419 and the European certification landscape


4.3.11. CLC/TC 79 ALARM SYSTEMS

CLC/TC 79 Alarm systems contributes to the definition of performance standards for alarm systems for intruder and hold-up alarm systems, access control systems, periphery protection systems, and CCTV systems.233 The committee’s role is to “prepare harmonized standards for detection, alarm and monitoring systems for protection of persons and property, and for elements used in these systems. The scope includes in particular intruder and hold-up alarm systems, access control systems, periphery protection systems, combined alarm - fire alarm systems, social alarm systems, CCTV-systems, other monitoring and surveillance systems related to security applications, as well as associated and dedicated transmission and communication systems. The standards shall specify conformity tests.”234

CLC/TC 79 includes the following fifteen working groups, in addition to a Chairman’s Advisory Group:

WG 01 Intruder & hold-up alarm systems
WG 02 Detection devices for intruder alarm systems
WG 03 Control & indicating equipment, power supply for intruder alarm systems
WG 04 Social alarm systems
WG 05 Alarm transmission systems (annunciation equipment)
WG 06 Warning devices (audible & visual) for intruder & hold-up alarm systems
WG 07 CCTV surveillance systems for security applications
WG 09 Environmental testing
WG 10 Smoke security devices
WG 11 Alarm systems local interconnections
WG 13 Combined/integrated alarm systems
WG 14 Monitoring and alarm receiving centre requirements
WG 15 Audio and video door entry apparatus

The CLC/TC 79 committee is formed by representatives from 23 EU countries, with representatives from Digitaleurope, EC, EURALARM and ONVIF235 who act as observers. Key EU directives relevant to the committee’s work refer to electrical equipment designed for certain voltage limits and electromagnetic compatibility.236 The relevant EU mandate is Mandate M/404 to the European Standardisation Organisations CEN, CENELEC and ETSI for Harmonised Standards According to the Electromagnetic Compatibility Directive 2004/108/EC.237

233 This chapter is based on desk research only, as CRISP partners were unable to organise an interview with the relevant parties at CLC/TC 79 before the due date of this report.
234 See CENELEC, CLC/TC79 “Alarm Systems, Scope”, no date.
235 See ONVIF, “About Us”, 2014.
236 See CENELEC, CLC/TC79 “Alarm Systems, EU Directives”, no date.
237 See European Commission, Enterprise and Industry, “Standardisation, Mandates”, no date.


4.3.12. OTHER SECURITY-RELATED TCS

As described in Chapter 4.3.1, all remaining security-related TCs at CEN were contacted via email. Based on the responses, Figure 33 was developed.

Name of the TC: CEN/TC 72 Fire detection and fire alarm systems; CEN/TC 251 Health informatics

What has been standardised by the TC in the security field so far
CEN/TC 72: The TC has provided standards on fire detection and fire alarm products as well as a system compatibility standard and installation guideline technical specifications.
CEN/TC 251: Processes, systems, services (the TC cooperates intensely with ISO/TC 215 'Health informatics')

Security-related standards of the TC which are related to European directives or regulations
CEN/TC 72: The product standards developed by TC 72 come under the CPD/CPR.
CEN/TC 251: NEN-EN-ISO 27799 Information security management in healthcare: Data Protection Directive

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement
CEN/TC 72: Performance in the event of fire, operational reliability, flammability of materials, duration of operation, temperature resistance, humidity resistance, shock and vibration resistance, corrosion resistance, electrical stability/EMC
CEN/TC 251: Data protection

Security-related standards of the TC which form the basis of testing and certification processes
CEN/TC 72: EN 54-1, EN 54-2, EN 54-3, EN 54-4, EN 54-5, EN 54-7, EN 54-10, EN 54-11, EN 54-12, EN 54-13, EN 54-16, EN 54-17, EN 54-18, EN 54-20, EN 54-23, EN 54-24
CEN/TC 251: NEN-EN-ISO 27799

Certification organizations that are responsible for issuing such certificates
CEN/TC 72: BSI, CNBOP, BRE, VdS, AFNOR, ANPI, TUV Austria, DBI Certification A/S Denmark, National Standards Authority of Ireland, TÜV Rheinland Nederland B.V., Det Norske Veritas Certification AS, Norway, AENOR
CEN/TC 251: In the Netherlands it is possible to certify against NTA 7515, which is the certification scheme for NEN 7510: the Dutch translation of EN-ISO 27799 (and NEN-ISO/IEC 27001+27002)

Additional security-related standards of the TC that might form the basis of testing and certification processes
CEN/TC 72: EN 50130-4, EN 60068-1, EN 60068-2-1, EN 60068-2-2:2007, EN 60068-2-6, EN 60068-2-27, EN 60068-2-30, EN 60068-2-42, EN 60068-2-75, EN 60068-2-78, EN 60529, EN 60695-11-10, EN 60695-11-20, EN 61672-1
CEN/TC 251: n/a

Certification organizations that might be responsible for issuing these certificates
CEN/TC 72: BSI, CNBOP, BRE, VdS, AFNOR, ANPI…
CEN/TC 251: In the Netherlands: DNV, DEKRA, Lloyd's Register

Suggestions to improve the European certification landscape for security products/technologies/systems/services
A single certification body throughout Europe would provide a more widely recognized certification mark. That body could better control the test organizations. Alternatively, certification organizations should be regulated by a single European body enforcing rules for a common and uniform approach to the way testing and certification is applied to security products.

Name of the TC: CEN/TC 296 Tanks for the transport of dangerous goods; CEN/TC 352 Nanotechnologies

What has been standardised by the TC in the security field so far
CEN/TC 296: Tanks and their equipment
CEN/TC 352: Terminology and nomenclature of nanotechnologies, physico-chemical characterization of nano-objects and nanoparticles, test methods and protocols addressing health, (occupational) safety and environment, responsible development of products containing manufactured nano-objects.

Security-related standards of the TC which are related to European directives or regulations
CEN/TC 296: Directive 2008/68 and RID/ADR
CEN/TC 352: General Product Safety Directive, REACH Regulation, CLP Regulation.

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement
CEN/TC 296: Updated soon
CEN/TC 352: Responsible and sustainable development of products

Security-related standards of the TC which form the basis of testing and certification processes
CEN/TC 296: EN 13094, EN 14025 and EN 12972
CEN/TC 352: Almost the full set of developed standards addresses safety and security, as it is dedicated to test methods and protocols for characterizing products against safety and security, but it doesn't address any certification processes at all

Certification organizations that are responsible for issuing such certificates
CEN/TC 296: Inspection bodies and competent authorities
CEN/TC 352: None

Additional security-related standards of the TC that might form the basis of testing and certification processes
CEN/TC 296: No response
CEN/TC 352: No response

Certification organizations that might be responsible for issuing these certificates
CEN/TC 296: No response
CEN/TC 352: None

Suggestions to improve the European certification landscape for security products/technologies/systems/services
CEN/TC 296: No response
CEN/TC 352: (Improvement of) CLP and REACH regulations together with the European definition (under revision) for nanomaterials frame the European landscape for nanotechnologies at the present time.

Name of the TC: CEN/TC 127 Fire safety in buildings, CEN/TC 189 Geosynthetics, CEN/TC 192 Fire and Rescue Service Equipment, CEN/TC 250 Eurocodes, CEN/TC 294 Communication systems for meters and remote reading of meters

These TCs pointed out that they cannot offer valuable information on security-related certification aspects related to their activities.

Source: Own figure, updated soon Figure 33: Interrelation between additional security-related CEN TCs and the European certification landscape

According to Figure 33, standards from CEN/TC 72 are frequently used by certification bodies from different Member States. The potential for mutual recognition needs to be analyzed in more detail. The table also shows that several TCs could not provide relevant information on security-related certification. There are a number of different reasons for this, including the differing scopes of the TCs. An example here is TC 127, whose main focus is in the safety field.


Furthermore, Figure 33 shows that CEN/TC 251 is active in the field of data protection, which is relevant for many fields of security standardisation in general. In addition, the table indicates that the work of the TC is used by a number of certification bodies, although only one Member State could be named. The use of the relevant standard in additional Member States requires further investigation. CEN/TC 352 is an example of a TC whose standards are not used in certification. Therefore, potential for collaboration between national certification bodies could not be identified in this context. In addition, two TCs stated that information on certification aspects of their standards is not available.

4.3.13. SUMMARY

Figure 34 summarizes the information gained from interviews and emails from different CEN/CLC/TCs and shows certification bodies that use standards from these TCs for certification. According to the table, there are several EU countries in which standards-based certification services are available in many security fields. In addition, a few international certification bodies exist which offer services based on specific standards in numerous countries. Certification services related to the ISO 28000 series are related to the work of CEN/TC 379 in Europe. Offered by internationalized certification bodies, they are available in many countries. Nevertheless, there are countries in which few activities could be identified. This might have three reasons in particular:

a) there are no additional standards-based security-related certification services in a Member State, e.g. because no security industry exists

b) the certification of security products is not regarded as important

c) certification bodies are unknown to a TC.

One interviewee describes the lack of awareness of the importance of certification in his country as follows: “We are quite far away from the level of evaluation and certification of other European countries in terms of awareness of the companies. I think this is not a phenomenon linked to the current economic crisis that has hit companies but it is due to a lack of awareness.”

The TCs listed in Figure 34 provided much information. Nevertheless, the key duty of national, European and international standards bodies is the development of standards. Although CEN/CLC/TCs have a broad view on the relevant technical issues, including conformity assessment, information on the implementation of their standards in the certification landscape of the different Member States is not an aspect of their daily business. Further analyses are needed in this regard. In addition, a number of certification bodies are active in several countries. This needs further investigation.

Figure 34: Summarized interrelation between selected security-related CEN/CLC/TCs and the European certification landscape

Columns of the original figure: CEN/CLC TC; standard (current / potential); certification bodies; and one column per country (AX AL AD BE BA BG DK DE EE FO FI FR GI GR GB GG IE IS IM IT JE KZ XK HR LV LI LT LU MT MK MD MC ME NL NO AT PL PT RO RU SM SE CH RS SK SI ES SJ CZ TR UA HU VA BY) marked with "x" where a certification service was identified. The per-country "x" marks could not be recovered from the extraction; the remaining columns are reproduced below, one TC per line.

CEN/CLC/TC 4: current: -; potential: x; certification bodies: VdS, TÜV, LPCB, SBSC, …
CEN/TC 72: current: div. EN 54-x238; potential: EN 50130-4, 60068-1, div. others239; certification bodies: BSI, CNBOP, BRE, VdS, AFNOR, ANPI, TUV Austria, DBI Cert., National Standards Authority of Ireland, TÜV Rheinland Nederlands, Det Norske Veritas, AENOR, BRE Ireland240
CEN/TC 127: -; -; -
CEN/TC 189: -; -; -
CEN/TC 192: -; -; -
CEN/TC 224: -; -; -
CEN/TC 235: -; -; -
CEN/TC 250: -; -; -
CEN/TC 251: current: NEN-EN-ISO 27799; potential: -; certification bodies: DNV, DEKRA, Lloyd's
CEN/TC 278: current: -; potential: No response; certification bodies: -
CEN/TC 294: -; -; -
CEN/TC 296: current: EN 13094, 14025, 12972; potential: No response; certification bodies: No names given
CEN/TC 352: -; -; -
CEN/TC 379: current: ISO 28000 series; potential: (none given); certification bodies: e.g. Lloyd's, Veritas241, SGS, TUV, DNV
CEN/TC 388: -; -; -
CEN/TC 391: current: EN-ISO 22301; potential: -; certification bodies: Certification Europe, BSI, DNV, Lloyd's, PECB, SGS
CEN/TC 417: current: -; potential: x; certification bodies: NA
CEN/TC 419: current: ISO 17020; 17025; potential: -; certification bodies: only accreditation, e.g. by RVA and UKAS

Source: Own figure showing a minimum number of countries that offer the specific services; certification bodies were contacted to provide additional information.

238 EN 54-1 to -7, 54-10 to -13, 54-16 to -18, 54-20, 54-23, 54-24
239 60068-2-1, -2-2, -2-6, -2-27, -2-30, -2-42, -2-75, -2-78, 60529, 60695-11-10, 60695-11-20, 61672-1
240 BRE Ireland
241 Veritas has many locations worldwide, country list: http://www.bureauveritas.de/wps/wcm/connect/bv_de/local/home/worldwide-locations/locations. The organisation is requested to provide information on the availability of the relevant service in each country.


As shown in Figure 18, at least eight of the 22 security-related TCs at CEN and CENELEC were established in 2010 or later. The development of a standard takes at least three years. Therefore, few of the standards from these TCs are currently available. This low number helps to explain why so few deliverables of these TCs are used for certification so far. Nevertheless, current standardisation activities offer the potential to establish strong interrelations between standards and certification in the future. CEN/CLC/TC 4 provides a good example of that. Raising awareness regarding certification aspects is very important in this regard.

4.4. CORRELATE THE GENERAL SECURITY AREAS AND STANDARDISATION ACTIVITIES

Figure 35 was derived from the segmentation of the security market in SWD (2012) 233 Final246 and the list of security-related European TCs in the M/487 Final Report Phase 1 (which was extended by two new TCs). The matrix was then filled in based on an analysis of the scopes of the TCs. To give examples of the content of the matrix: many areas of the security industry deal with perimeter protection systems. CEN/TC 388 specializes in that field. As described earlier, the TC is not active at the moment. Relevant cells are highlighted in red. Additional similarities identified by the analysis of the business plans of TCs include, for example, the activities of CLC/TC 79 in the field of CCTV as well as the activities of CEN/TC 391 in the field of critical infrastructure security. With regard to CBRN, the European Commission published the EU CBRN Action Plan. The document requests the development of minimum CBRN detection standards as well as the establishment of testing and certification schemes.247 CEN/TC 391 addresses this field.

246 See European Commission, op. cit., 26.07.12, p. 73f.
247 European Commission, Communication from the Commission to the European Parliament and the Council of 24 June 2009 on Strengthening Chemical, Biological, Radiological and Nuclear Security in the European Union – an EU CBRN Action Plan, June 2009.

Figure 35 (part 1). Columns of the original matrix (one per TC): TC 79 Respiratory protective devices; TC 127 Fire safety in buildings; TC 162 Protective clothing; TC 164 Water supply; TC 189 Geosynthetics; TC 224 Personal identification; TC 234 Gas infrastructure; TC 250 Structural Eurocodes; TC 251 Healthcare informatics; TC 264 Air quality; TC 278 Road transport and traffic telematics; TC 287 Geographic information; TC 325 Crime prevention; TC 346 Conservation of cultural property; TC 352 Nanotechnology; TC 379 PC - Supply chain security; TC 384 PC Airport and aviation sec. services; TC 388 Perimeter protection*; TC 391 Societal and citizen security; TC 417 PC Maritime & port security services; TC 419 Forensic science services; CLC/TC 79 Alarm systems. The "x" marks linking each row to a TC column could not be recovered from the extraction; the rows (security sectors and their product groups) are listed below.

Aviation Security: Airport terminal security systems; Airport perimeter security systems; Passenger screening systems; Hand-held and checked-luggage screening systems; Application of RFID systems; Airport security command, control & communication IT and hardware infrastructure; Reinforced blast-proof aircraft containers; Explosives detection systems; Security-related renovations and construction projects

Maritime Security: Smart container systems; RFID container seal systems; Container explosives screening systems; Seaport perimeter protection systems; Nuclear/Radiological container screening systems; Cruise ship & ferry passenger screening systems, including hand-held and checked luggage screening systems; Deepwater security systems; Ship identification systems

Border Security: Border-perimeter interoperable communication systems; Virtual border systems; Checkpoint, fence and barrier hardware; Border-perimeter people screening systems; Border-perimeter people and workforce biometric identification systems; Explosives screening portals; Border-perimeter construction projects; Border-perimeter nuclear/radiological screening portals

(figure continues)

* currently not active due to financial reasons

Figure 35 (part 2). Columns as in part 1: TC 79, TC 127, TC 162, TC 164, TC 189, TC 224, TC 234, TC 250, TC 251, TC 264, TC 278, TC 287, TC 325, TC 346, TC 352, TC 379, TC 384, TC 388, TC 391, TC 417, TC 419, CLC/TC 79. The "x" marks could not be recovered from the extraction; the rows are listed below.

Critical Infrastructure Security: Governmental critical infrastructure terror mitigation security systems; Medical and public health infrastructure terror mitigation security systems; Nuclear facilities terror mitigation security systems; Critical infrastructure workforce and visitors identification and surveillance systems; Communication infrastructure terror mitigation security systems; Government and private sector IT critical infrastructure security systems; Critical infrastructure perimeter protection systems; Dams terror mitigation security systems; Large high volume structures terror mitigation security systems; Transportation industry terror mitigation security systems; Banking and financial industry business continuity; Energy infrastructure security systems; Workforce and visitor identification systems

Counter-Terror Intelligence Market: Command, control and communication systems; Cyber space monitoring systems; Cyber terror remediation systems; Perimeter security systems; Data fusion IT systems; Land-based imagery systems; Communication interoperability systems; Information analysis software; Cyber security IT systems; Cyber surveillance IT systems

Physical Security Protection: CCTV systems; Fire alarm systems; Intruder alarm systems; Burglar alarm systems; Communication systems

Protective Clothing: CBRN personal protection gear; CBRN air filtering systems; Protective clothing for police forces; Protective clothing for fire fighters; Search and rescue equipment

Source: Own figure, updated soon. Figure 35: Links between security sectors and the work of CEN and CENELEC


In summary, the analysis showed that CEN/TC 391 in particular addresses many relevant areas. Nevertheless, a need for action remains, which will be described in Chapter 4.6.

4.5. CORRELATE CRISP’S WP1 MATRIX OF SECURITY AREAS AND STANDARDS

In order to provide a simple overview, but also an analysis of the security standards established by the standardisation organisations, the matrix of the functions of security products, systems and services in regard to the areas of security – compiled in deliverable 1.1 – can be used. The matrix correlates the security functions with the security areas while making the distinction between primitive, connective and performative functions. Using the matrix, it is possible to show in which areas of security the standards, technical reports and specifications, as well as the other work of the technical committees, are applicable and which security functions are addressed by the standards. This also shows the possibilities that go along with a glossary of security functions correlated with security-related standards, as it works as an easy-to-handle tool for security PSS stakeholders, identifying what kind of standard(s) can be useful for their product, system or service, based on the use case of the security PSS. The matrix is to be read by selecting the expected function(s) of a security PSS and identifying the area(s) of security in which the security PSS should be deployed, in order to find the relevant regional and international standards that might apply to the chosen security PSS. However, it is important to recognise that not every available security standard is included in the matrix and it is not to be seen as an exhaustive list of standards.

It can be observed that the security areas ‘security of the citizens’ and ‘critical infrastructure’ are the most regulated by security standards. The ‘border security’ area includes the standards with a specific border relation, excluding those necessary for general security purposes, which are covered by the ‘critical infrastructure’ area. The special nature of the ‘crisis management’ area is also reflected in the corresponding security standards. Furthermore, some security functions are covered more widely by standards than others. This is due to the broad scope of some of the functions, which can also be seen in the CRISP security taxonomies.248 For example, the identify function is not only covered by a large number of security systems, but also the emergence of biometrics resulted in a large amount of standardisation. For the detain function, security standards are scarce, on the one hand due to the exclusivity of detainment for security services – which are not standardised to such an extent as security products and systems – but on the other hand, because the detainment of people is often regulated on a legal basis.249 Furthermore, the detaining function executed by private security services is also fragmented on a European level within the Member States. For example, a different regulation exists in Finland, where security service providers “have the right to hold up and detain a person under specified circumstances”250, regulated by the 2003 Private Security Services Act, while in other countries no such regulations exist and private security services hold the same rights and duties as citizens.251

248 See Sveinsdottir, et al., op. cit., 2014.
249 See Fritz, et al., op. cit., 2014, p. 32.
250 See Sveinsdottir, et al., op. cit., 2014, p. 76.
251 E.g. in the UK this is regulated by the 1984 Police and Criminal Evidence Act, section 24A, giving persons the right to arrest, but not to detain, an offender under certain specific circumstances.

Figure 36: Correlation of CRISP’s WP1 matrix of security areas and standards

Columns (areas of security): Security of the citizens; Critical infrastructure; Border security; Crisis management. Rows: security functions. Where the extraction dropped empty cells, the column of each remaining cell is inferred from its content and the empty column is marked "(no entry recovered)".

Function: Information collection, storage and management to produce intelligence
Security of the citizens: CEN/TC 251, EN 15213, EN ISO 14816:2005, ETSI ES 201 671, ETSI TR 102 022-1, ETSI TS 101 331, ETSI TS 102 900, ETSI TS 103 260, FprEN ISO 22311, ITU-T X.1520
Critical infrastructure: CEN/TC 251, EN 16352:2013, FprEN ISO 22311, ETSI EN 300 338, ETSI ES 201 671, ETSI TS 101 331, ETSI TS 103 260, ITU-T X.1520
Border security: CEN/TC 251, FprEN ISO 22311, ETSI EN 300 338, ETSI ES 201 671, ETSI TS 101 331
Crisis management: CEN/TC 251, ETSI TR 102 022-1, ETSI TS 102 900, ETSI TS 103 260, ISO 22320:2011, FprEN ISO 22311

Function: Detect
Security of the citizens: CEN/TC 325, CLC/TC 79, EN 15213, IEC 62851-2:2014, ISO 7240, prEN 16763
Critical infrastructure: CEN/TC 325, CLC/TC 79, EN 15213, EN 60671:2011, ISO 7240, ISO 7753:1987, prEN 16763
Border security: CLC/TC 79
Crisis management: CLC/TC 79

Function: Locate
Security of the citizens: CLC/TC 79, EN 15213, ISO 7240-16:2007
Critical infrastructure: CLC/TC 79, ETSI EN 300 338, ISO 7240-16:2007
Border security: CLC/TC 79, ETSI EN 300 338
Crisis management: CLC/TC 79

Function: Track
Security of the citizens: CLC/TC 79, EN 15213
Critical infrastructure: CLC/TC 79, ETSI EN 300 338
Border security: CLC/TC 79, ETSI EN 300 338
Crisis management: CLC/TC 79

Function: Assess
Security of the citizens: CEN/TS 16595:2013, EN ISO 22301, FprEN ISO 22313, ISO 7240-16:2007, ITU-T X.1520
Critical infrastructure: CEN/TS 16595:2013, EN 60671:2011, EN ISO 22301, FprEN ISO 22313, ISO 7240-16:2007, ISO 11311:2011, ISO 16117:2013, ISO 20858:2007, ITU-T X.1208, ITU-T X.1520
Border security: (no entry recovered)
Crisis management: (no entry recovered)

Function: Identify
Security of the citizens: CLC/TC 79, EN 1332, EN 14890, EN 15213, EN ISO 14816:2005, ISO 9564, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24787:2010, ITU-T X.1082
Critical infrastructure: CLC/TC 79, EN 1332, EN 14890, EN 60671:2011, ETSI EN 300 338, ISO 9564, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010, ITU-T X.1082
Border security: CLC/TC 79, EN 1332, EN 14890, ETSI EN 300 338, ISO/IEC 7501-2:1997, ISO/IEC 7501-3:2005, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010
Crisis management: (no entry recovered)

Function: Verify
Security of the citizens: CLC/TC 79, EN 1332, EN 14890, ISO 9564, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24787:2010, ITU-T X.1082
Critical infrastructure: CLC/TC 79, EN 1332, EN 14890, ISO 9564, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010, ITU-T X.1082
Border security: CLC/TC 79, EN 1332, EN 14890, ISO/IEC 7501-2:1997, ISO/IEC 7501-3:2005, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010
Crisis management: CLC/TC 79

Function: Authorise
Security of the citizens: EN 1332, EN 14890, ISO 9564, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24787:2010, ITU-T X.1082
Critical infrastructure: CEN/TR 16705:2014, EN 1332, EN 14890, EN 60965:2011, ISO 9564, ISO 13491, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010, ITU-T X.1082
Border security: CEN/TR 16705:2014, EN 1332, EN 14890, ISO/IEC 7501-2:1997, ISO/IEC 7501-3:2005, ISO/IEC 19784, ISO/IEC 19794, ISO/IEC 24713-1:2008, ISO/IEC 24713-2:2008, ISO/IEC 24713-3:2009, ISO/IEC 24787:2010
Crisis management: (no entry recovered)

Function: Control
Security of the citizens: EN 1332, ETSI ES 201 671
Critical infrastructure: EN 1332, EN 60965:2011, EN 62340:2010, ETSI ES 201 671
Border security: EN 1332, ETSI ES 201 671
Crisis management: ISO 22320:2011

Function: Create situational awareness
Security of the citizens: CEN/TS 16595:2013, EN ISO 22301, ETSI TR 102 022-1, ETSI TS 102 900, ETSI TS 103 260, FprEN ISO 22313, ISO 7240-16:2007, prEN 50849:2014, ITU-T X.1520
Critical infrastructure: CEN/TS 16595:2013, EN 60671:2011, EN ISO 22301, ETSI TS 103 260, ISO 7240-16:2007, ITU-T X.1520, FprEN ISO 22313
Border security: (no entry recovered)
Crisis management: CEN/TS 16595:2013, EN ISO 22301, ETSI TR 102 022-1, ETSI TS 102 900, ETSI TS 103 260, FprEN ISO 22313, ISO 7240-16:2007, ISO 11320:2011, ISO 22320:2011, prEN 50849:2014, ITU-T X.1303

Function: Detain
Security of the citizens: -
Critical infrastructure: -
Border security: -
Crisis management: -

Function: Prevent/Protect
Security of the citizens: CEN/TC 263, CEN/TC 325, CLC/TC 79, ISO 7240, ISO 7240-16:2007, prEN 16763, ITU-T X.1171, ITU-T X.1520, ITU-T X.1580
Critical infrastructure: CEN/TC 263, CEN/TC 325, CEN/TR 16412:2012, CEN/TR 16705:2014, CLC/TC 79, EN 16352:2013, EN 60671:2011, EN 60965:2011, EN 62340:2010, ISO 7240, ISO 7240-16:2007, ISO 8194:1987, ISO 20858:2007, ISO 13491, ITU-T X.1171, ITU-T X.1520, ITU-T X.1580, prEN 16763
Border security: CEN/TR 16705:2014, CLC/TC 79, ISO 20858:2007
Crisis management: CEN/TC 251, CEN/TC 325, CLC/TC 79, EN 15975, ISO 7240-16:2007, ISO 8194:1987, ISO 11320:2011

Source: Own figure


Register:

CEN/TC 251 – Healthcare informatics
CEN/TC 263 – Secure storage of cash, valuables and data media
CEN/TC 325 – Crime prevention through building, facility and area design
CEN/TR 16412:2012 – Good practice guide for small and medium sized operators
CEN/TR 16705:2014 – Perimeter protection – Performance classification methodology
CEN/TS 16595:2013 – CBRN – Vulnerability Assessment and Protection of People at Risk
CLC/TC 79 – Alarm systems (see also IEC/TC 79)
EN 1332 – Identification card system – Man-Machine Interface – Part 1-5
EN 14890 – Application Interface for smart cards used as Secure Signature Creation Devices – Part 1 & 2
EN 15213 – Intelligent transport systems – After-theft systems for the recovery of stolen vehicles – Part 1-5
EN 15975 – Security of drinking water supply – Guidelines for risk and crisis management – Part 1 & 2 (see also ISO 24510:2007(en) – Activities relating to drinking water and wastewater services – Guidelines for the assessment and for the improvement of the service to users; ISO 24512:2007(en) – Activities relating to drinking water and wastewater services – Guidelines for the management of drinking water utilities and for the assessment of drinking water services)
EN 60671:2011 – Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing
EN 60965:2011 – Nuclear power plants – Control rooms – Supplementary control points for reactor shutdown without access to the main control room
EN 62340:2010 – Nuclear power plants – Instrumentation and control systems important to safety – Requirements for coping with Common Cause Failure (CCF)
EN 16352:2013 – Logistics – Specifications for reporting crime incidents
EN ISO 14816:2005 – Road transport and traffic telematics – Automatic vehicle and equipment identification – Numbering and data structure
EN ISO 22301 – Societal security – Business continuity management systems – Requirements (see also ISO 22301:2012: Societal security – Business continuity management systems – Requirements)
ETSI EN 300 338 – Electromagnetic compatibility and Radio spectrum Matters (ERM) – Technical characteristics and methods of measurement for equipment for generation, transmission and reception of Digital Selective Calling (DSC) in the maritime MF, MF/HF and/or VHF mobile service
ETSI ES 201 671 – Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic
ETSI TR 102 022-1 – User Requirement Specification; Mission Critical Broadband Communication Requirements, V.1.1.1
ETSI TS 101 331 – Lawful Interception (LI); Requirements of Law Enforcement Agencies
ETSI TS 102 900 – Emergency Communications (EMTEL); European Public Warning System (EU-ALERT) using the Cell Broadcast Service
ETSI TS 103 260 – Satellite Earth Stations and Systems (SES) – Reference scenario for the deployment of emergency communications – Part 1 & 2
FprEN ISO 22313 – Societal security – Business continuity management systems – Guidance (see also ISO 22313:2012 Societal security – Business continuity management systems – Guidance)
FprEN ISO 22311 – Societal security – Video-surveillance – Export interoperability (see also ISO 22311:2012 – Societal security – Video-surveillance – Export interoperability)
IEC 62851-2:2014 – Alarm and electronic security systems – Social alarm systems – Part 2: Trigger devices
ISO 7240 – Fire detection and alarm systems – Part 3; 5; 6; 7; 8; 10; 12; 15; 20; 22; 27
ISO 7240-16:2007 – Fire detection and alarm systems – Part 16: Sound system control and indicating equipment
ISO 7753:1987 – Nuclear energy – Performance and testing requirements for criticality detection and alarm systems
ISO 8194:1987 – Radiation protection – Clothing for protection against radioactive contamination – Design, selection, testing and use
ISO 9564 – Financial services – Personal Identification Number (PIN) management and security, Part 1; 2 and 4
ISO 11311:2011 – Nuclear criticality safety – Critical values for homogeneous plutonium-uranium oxide fuel mixtures outside of reactors
ISO 11320:2011 – Nuclear criticality safety – Emergency preparedness and response
ISO 16117:2013 – Nuclear criticality safety – Estimation of the number of fissions of a postulated criticality accident
ISO 20858:2007 – Ships and marine technology – Maritime port facility security assessments and security plan development
ISO 22320:2011 – Societal security – Emergency management – Requirements for incident response
ISO 13491 – Banking – Secure cryptographic devices (retail) – Part 1 & 2
ISO/IEC 7501-2:1997 – Identification cards – Machine readable travel documents – Part 2: Machine readable visa
ISO/IEC 7501-3:2005 – Identification cards – Machine readable travel documents – Part 3: Machine readable official travel documents
ISO/IEC 19784 – Information technology – Biometric application programming interface – Part 1, 2 and 4
ISO/IEC 19794 – Information technology – Biometric data interchange formats – Part 2–11; Part 14
ISO/IEC 24713-1:2008 – Information technology – Biometric profiles for interoperability and data interchange – Part 1: Overview of biometric systems and biometric profiles
ISO/IEC 24713-2:2008 – Information technology – Biometric profiles for interoperability and data interchange – Part 2: Physical access control for employees at airports
ISO/IEC 24713-3:2009 – Information technology – Biometric profiles for interoperability and data interchange – Part 3: Biometrics-based verification and identification of seafarers
ISO/IEC 24787:2010 – Information technology – Identification cards – On-card biometric comparison
prEN 16763 – Services for fire safety systems and security systems
prEN 50849:2014 – Sound systems for emergency purposes
ITU-T X.1082 – Telebiometrics related to human physiology
ITU-T X.1171 – Threats and requirements for protection of personally identifiable information in applications using tag-based identification
ITU-T X.1208 – A cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies
ITU-T X.1303 – Common alerting protocol (CAP 1.1)
ITU-T X.1520 – Common vulnerabilities and exposures
ITU-T X.1580 – Real-time inter-network defence

4.6. NEED FOR STANDARDS

According to the European Commission,252 40 of 59 participants in a survey expressed strong agreement when asked “Do you agree that the lack of EU wide standards for security affects the market fragmentation?” and 7 participants expressed agreement (with lower intensity). Although the identification of standardization needs is not a subject of this report, a few important aspects were identified.

The tables in Chapter 4.4 show that there are very few European standardization initiatives in the Counter-Terror Intelligence sector. A few international and European standards and activities exist in the sub-field of cyber security, but they do not address all areas of that sector. On a European level, CEN, CENELEC and ETSI formed a so-called coordination group in cyber security (CSCG). Usually, coordination groups are established if a subject is relevant for multiple TCs, is a 'hot topic' and has a link to European legislation. The role of the coordination group is to act as a single point of contact for pan‐European interchange on Cyber Security standardization and to provide a set of recommendations and advice to the European Commission (DG CONNECT and DG ENTR) and EU Member States in the area of Cyber Security standardization. Additionally, the Coordination Group liaises actively with the European Union Agency for Network and Information Security (ENISA) and the Multi Stakeholders Platform on ICT standardization. More information is available at http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Security/Pages/Cybersecurity.aspx.

Chapter 4.5 investigates the security market on a functional level and shows that security standards for the detain function are scarce. Furthermore, the detaining function executed by private security services is fragmented within the Member States. An analysis of a potential need for additional standards in the field of Counter-Terror Intelligence and with regard to the detain function is regarded as necessary.

252 See European Commission, op. cit., 2012, p. 21.


In addition to these findings, an interviewee of a CEN TC stressed that (nearly) no European standards regarding security software/ICT, or software/ICT integrated in security products, exist. His assessment is in harmony with Regulation (EC) No 1025/2012. This lack of European documents hinders security-related certification based on standards.


5. FIELDS WHERE THE AVAILABILITY OF OPEN STANDARDS SHOULD BE RESTRICTED

The issue of whether or not there are security fields where the availability of information should be restricted and subject to control is complex, with active and ongoing debate between national and international formal standardisation bodies, national governments, the European Union and representatives from industry. A major obstacle for the standardization of security products, applications, technologies and processes is the desire of governments and representatives from the security and intelligence industries to avoid the disclosure, including through standards, of information deemed inappropriate, and often described as too sensitive, for general or public consumption. Another potential barrier to standardization, which is not the focus of CRISP, is the possibility that vendors of security solutions may decide to keep certain knowledge proprietary instead of participating in open standardisation processes. Where decisions have been made to impose restrictions, it is considered essential to security that certain information should remain controlled and made available only to a select audience.

Classification, nondisclosure, restrictions, secrecy and the establishing of rigorous regulations are tools used for protecting fields of security from public disclosure, where it has been judged that doing so would be to the detriment of security.253 Where such practices are employed, it is considered necessary to security that information should only be made available to entities that have attained a specific level of security clearance, or are able to offer formal and strict guarantees that they have taken all measures necessary to retain confidence provisions.

Such a position is maintained in the context of the Council of the European Union with regard to the adoption of the Council’s security regulations.254 The Council has previously underlined its position on the importance of security activities and areas of security and defence that require a degree of confidentiality. The Council advises of the need to establish and uphold a comprehensive system of classification that safeguards the effectiveness of security:

In order to safeguard the effectiveness of the security system thus established, the Commission will make EU classified information available only to those outside bodies which offer guarantees that they have taken all measures necessary to apply rules strictly equivalent to these provisions.255

These provisions lay down the basic principles and minimum requirements for security to be respected by the Council, the General Secretariat of the Council, by Member States and by the decentralised agencies of the EU so that security is safeguarded. In this context, classified information is taken to be:

253 See European Commission, Programming Mandate Addressed to CEN, CENELEC and the European Telecommunications Standards, M/487, Brussels, 17.02.2011.
254 See Official Journal of the European Communities, Council Decision of 19 March 2001 adopting the Council’s security regulations, Volume 44, Brussels, 11.4.2001. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32001D0264
255 See Official Journal of the European Communities, Commission Decision of 29 November 2001 amending its internal Rules of Procedure (notified under document number C(2001) 3031), Volume 44, 3.12.2001. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32001D0844


Any information and material, an unauthorised disclosure of which could cause varying degrees of prejudice to the EU interests, or to one or more of its Member States256.

The position on restricted access and enforced control as safeguards for the effectiveness of security is further emphasised in the context of specific security fields. Take, for example, the requirement of detailed measures for the implementation of the common basic standards on aviation security:

If they contain sensitive security measures, these measures should be regarded as EU classified information within the meaning of Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending internal rules of procedure (2), as provided for by Article 18 point (a) of Regulation (EC) No 300/2008 and should therefore not be published. These measures should be adopted separately, by means of a Decision addressed to the Member States257.

A similar position is maintained in other fields of security, leading to a myriad of strict regulations concerning how sensitive security information and material should be handled, stored and protected, to whom it can be disclosed, and by what means secure disclosure might be undertaken. Taking the position of the UK Government as an example, a process of vetting and security clearance is enforced in order to provide assurances on the suitability of a person, or institution, to access information at a level corresponding to the level of security clearance held. Security clearance and vetting serve to guard against the threat of “unnecessary or indiscriminate disclosure of sensitive information [that] could damage the security and integrity of the United Kingdom”.258 Recently, the UK Government published a policy describing how HM Government classifies information assets to ensure they are appropriately protected: “HMG information assets may be classified into three types [in terms of the likely impact resulting from compromise, loss or misuse]: OFFICIAL, SECRET and TOP SECRET. Each attracts a baseline set of security controls providing appropriate protection against typical threats”.259 Each of the three classification types provides for a baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile.260

Vetting and mechanisms to prescribe security clearance are common. In the case of many security activities, applications, technologies and processes, it is deemed essential to impose rigorous restrictions and maintain strict controls and measures on access, as well as establishing means to ensure varying degrees of confidentiality. In the context of air cargo in Germany, for example, all companies active in the air freight field need to pass an evaluation and registration procedure set by the Luftfahrtbundesamt (LBA) to attain registration as a ‘known consignor’. Elsewhere, secrecy and nondisclosure are deemed crucial to the success of security operations, where openness and public access to security information would otherwise be dangerous and compromise the efficacy of the practice of security. In the ECAC’s CEP application to EDS, LEDS, ETD equipment and security scanners, the substances subject to testing (explosives and chemicals) are kept secret in an effort to ensure that the testing process, and crucially the scanning for malicious substances, is not compromised.261 Secrecy and restricted access are, in this way, used to guard against a range of established and nascent threats.

A further example of restriction and strict access management is highlighted through the cases of printing presses used in the manufacturing processes for banknotes to ensure full volume tracking, the security scanners used at securitised border checkpoints in EU airports, or the controls placed on cryptography. Due to the nature of these applications and the potential risk associated with open or public access to information, decisions have been made to enforce restricted access in these fields of security. Access is limited exclusively to those who have obtained approved authorization:

“[S]tandards for certain security applications, such as scanners at airports or banknote printing presses, should only be made available to entities which have the required security clearances”.262

Security considerations are made concerning, in particular, vulnerabilities to a range of current and possible future threats and the risks that openness in these security fields would create. Due to the very real threat posed by fraud and forgery on the part of counterfeiting operations in the context of banknote printing, or the potential dangers to passenger aviation posed by prohibited items bypassing or evading detection by security scanners during screening processes, restrictions have been established and imposed, and are tightly controlled. These are efforts to minimise risk and to maximise successful operation.

Whilst there are compelling reasons to restrict access in certain fields of security, there are critics arguing for openness. Opponents have argued that restrictions, secrecy and the myriad policies of nondisclosure in security fields, products, systems, procedures and protocols are unhelpful and unacceptable. Critics have suggested that the availability of open standards in security fields should be more widespread so as to establish a platform that allows sharing appropriate data effectively and ensures greater flexibility and choice in security. Highlighting the importance of removing restrictions placed on open standards, a number of advantages are cited to explain the necessity of working to remedy restrictions imposed on open standards and indeed when developing standardisation for security fields. Indeed, in its strategy aimed at establishing a European standardisation system, the European Commission states that, in terms of standards that are ‘of service to society’, the Commission proposes to revise and apply European standards to security and civil protection.263

256 See Official Journal of the European Communities, op. cit., 3.12.2001.
257 See Official Journal of the European Union, Commission Regulation (EU) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security, Volume 53, 5.3.2010. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32010R0185
258 See Secret Intelligence Service MI6, What is Security Clearance?, no date. https://www.sis.gov.uk/careers/working-for-us/security-vetting/what-is-security-clearance.html
259 See UK Government, Government Security Classifications April 2014, Cabinet Office, Version 1.0, 4.2014. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf
260 This is not a statutory scheme but operates within the framework of domestic law, including the requirements of the Official Secrets Acts (1911 and 1989), the Freedom of Information Act (2000) and the Data Protection Act (1998).

261 See ECAC, Common Evaluation Process for Security Equipment, 16.6.2014. https://www.ecac-ceac.org//activities/security/cip_for_security_equipment
262 See European Commission, op. cit., 01.06.2011.
263 See European Commission, op. cit., 01.06.2011.


Of note in this debate is the matter of public interest and a range of societal dimensions that are considered as being potentially undermined through the use of restrictions. Standards and the process of standardisation might prove a useful means of demonstrating to the public that those working in security are committed to their needs and interests. European standards have a function in serving society, and an important role to play with regard to security and safety concerns, and civil protection. It has been suggested that standards should be used to address key societal challenges, including making information more accessible and available through open standards for security fields, which is a means of ensuring greater transparency, an understanding of public accountability and a demonstrable commitment to public scrutiny. Openness and accountability, through standards, is recommended as a tool to positively affect public confidence in security. Take, for example, the recommendations for a European strategy on Cyber Security Standardisation outlined in a white paper published in collaboration by CEN, CENELEC and ETSI. In the document, advice is outlined that recommends the development of a range of initiatives aimed at producing standards in security to “create the most trustworthy environment in the world; this should include privacy and harmonised objectives for education and awareness”.264 Such a vision is not possible where standards are controlled and restricted.

Elsewhere, critics of restrictions placed on open standards in fields of security have noted that open standards could in fact serve to improve security and provide more effective responses to security threats.265 It is contended that open standards hold the potential to ensure that security solutions are appropriate, have been rigorously scrutinised and shown as meeting the required or agreed level of quality or attainment. Standardization in security also serves as a means to achieve consistency across the different security landscapes of the EU. Without restrictions, it is believed that standards can lead to greater efficiency, improved performance, enhanced interoperability between end users and across Member States, better test methods and certification requirements, provide the conditions to facilitate innovation and, crucially, enhance safety and security levels.266 These factors demonstrate the importance of standards for the demand side, notably with regard to the range of security technologies and processes used by first responders, law enforcement authorities, etcetera. Additionally, standards can be utilised to ensure uniform quality in the provision of security services. Lessening restrictions in security standards would, it is argued, lead to the option of developing a range of security sector specific guidance documents. Such guidance papers could be developed to accompany standards, with the intention of promoting technologies, practices and processes, and further enhancing security itself.267

In addition, as well as a number of operational reasons for removing, or at least reducing, restrictions on open standards, there are a range of business and financial incentives for ensuring the greater availability of open standards in security fields. Effective standardization, as the UK Government notes in its guidance on innovation in standardisation, “encourages innovation and forceful competition and improves profitability”. Standards and the process of standardization can have a number of positive outcomes, including “better access to markets … minimising business costs and risks … streamlining internal processes [and] improving communication”.268 In addition, and as Hatto observes, “[v]oluntary, documentary standards play a critical, but frequently overlooked role in facilitating and regulating industry and commerce”.269

There are currently no EU-wide certification systems for security technologies or a system to provide conformity in assessment. As a result, security products are “normally subject to some form of national validation and approval/certification procedures”.270 National certification systems differ widely, a situation that has been recognised as contributing significantly to the fragmentation of the security market.271 Divergent national standards and systems of certification pose a major obstacle for the creation of a true internal market for security, thus hindering the competitiveness of the EU security industry, as well as those of EU Member States. Open standards in fields of security, as elsewhere, are identified as ensuring lower costs for security products and processes and allowing for an economy of scale for industry, providing easier market access, improving harmonisation of the security market itself and reducing the fragmentation currently identified in the EU.272

It has been argued that standards, the processes of standardisation, and open standards in particular, have an important and as yet under-exploited role to play in security research and the development of security markets. Concerned with this omission, Blind writes of the different functions of standards and standardisation in security research and describes what he terms the ‘catalytic functions’ of standardisation in the development of emerging security markets.273 He concludes that standardisation and standards present a number of opportunities to promote further research and to assist in the development of security markets; he also warns of a range of challenges, indicating that this is an area that is at present underexplored and so requires further investigation. It is proposed that utilising security standards and the standardisation process to develop security markets will “contribute to making the European defence and security sector more efficient and thereby strengthen the Union’s Common Security and Defence Policy”.274

264 See CEN/CENELEC/ETSI, Recommendations for a Strategy on European Cyber Security Standardisation, Cyber Security Coordination Group (CSCG), White Paper No. 01, 21.3.2014. http://www.cscg.focusict.de/sixcms_upload/media/3829/CSCG%20White%20paper.171536.pdf
265 See European Commission, A European Security Research and Innovation Agenda - Commission's initial position on ESRIF's key findings and recommendations, Communication from the Commission, COM (2009) 691 final, Brussels, 21.12.2009.
266 See European Commission, op. cit., 17.2.11.
267 See European Security Research & Innovation Forum, ESRIF Final Report, 12.2009. http://ec.europa.eu/enterprise/policies/security/files/esrif_final_report_en.pdf

268 See UK Government, “Guidance: Innovation Standardisation: Standardisation”, 16.01.2014. https://www.gov.uk/innovation-standardisation--4
269 See Hatto, Peter, Standards and Standardization Handbook, European Commission, Brussels, 2010, pp. 1-19. http://www.iec.ch/about/globalreach/academia/pdf/academia_governments/handbook-standardisation_en.pdf
270 See ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report – Volume I: Main Report, Brussels, October 2011.
271 See European Commission, Security Industrial Policy Action Plan for an innovative and competitive Security Industry, Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee, {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.07.12.
272 See ECORYS, Study on the Competitiveness of the EU security industry. Within the Framework Contract for Sectoral Competitiveness Studies – ENTR/06/054, Final Report, Brussels, 15 November 2009.
273 See Blind, Knut, “Standardization and Standards in Security Research and Emerging Security Markets”, Security Research Conference “Future Security”, 2008, pp. 1-10.
274 See European Commission, A New Deal for European Defence: Implementation Roadmap for Communication COM (2013) 542; Towards a more Competitive and Efficient Defence and Security Sector, July 2013. http://ec.europa.eu/enterprise/sectors/defence/files/communication_defence_en.pdf


Whilst there are examples of security fields where it has been recommended that the availability of information should be restricted, and counter claims made that support continued efforts to promote more widespread use of open standards, further and more detailed analysis of the potential positive and negative implications of both open standards and restrictions, as well as the impacts of policies of nondisclosure of information in security fields, is required.


6. STATE OF HARMONISATION AND MUTUAL RECOGNITION

6.1. NATIONAL CERTIFICATION ORGANISATIONS IN THE SECURITY FIELD

To give the reader an impression of the European certification landscape, 12 certification organisations which are very active in Europe are presented below as examples. The analysis was mainly based on internet search. With regard to the nature of the certificates, security products, components, processes, procedures, software systems and services are certified, but most certificates are issued for products, followed by systems and services.

AENOR (Spain)
What is certified? E.g. fire detection and fire alarm systems (updated soon)
Basis of the testing and certification processes: E.g. EN 54-1 to -7, 54-10 to 13, 54-16 to 18, 54-20, 54-23, 54-24 (updated soon)
Website: http://www.aenor.es/aenor/inicio/home/home.asp

AFNOR Certification (France)
What is certified? E.g. solutions for fire prevention and extinction, security services, video surveillance, alarm systems
Basis of the testing and certification processes: French, European and international standards, e.g. ISO 9001 for security services, DIN EN 3-7 for fire extinguishers, ISO 22311 for video surveillance; EN 54, EN 5013
Website: http://www.afnor.org/profils/centre-d-interet/securite/certification-et-evaluation/certification

BSI (Great Britain)
What is certified? Various, e.g. windows, doors and locks, IT security, data protection
Basis of the testing and certification processes: British, European and international standards, e.g. BS 7950 for window security, PAS 24-1 for door security, BS 3621 for lock security, ISO/IEC 27001; regulation; own scheme; Security Industry Authority - Approved Contractor Scheme (SIA-ACS); EN 54
Website: http://www.bsigroup.com

CNPP (France)
What is certified? Fire prevention and protection; theft and intrusion; physical security
Basis of the testing and certification processes: French and European standards which are required (e.g. EN 1300, EN 1143, EN 14450, EN 5013) as well as further requirements for the label “NF”. A set of Rules (R) from APSAD defines what is required.
Website: http://www.cnpp.com/en/Certifying

DBI (Denmark)
What is certified? Fire security; intruder security
Basis of the testing and certification processes: European standards required for the CE certificate; Danish standards and international standards
Website: http://en.dbi-net.dk/certification.asp

FOI (Sweden)
What is certified? FOI is an important player in the field of testing CBRNE protection products, for example
Basis of the testing and certification processes: e.g. ECAC
Website: http://www.foi.se/en/

LPCB (Great Britain)
What is certified? Fire and security; environment; management systems and quality
Basis of the testing and certification processes: British, European and international standards, e.g. LPS (Loss Prevention Standards) for fire detection; ISO 9001 for management quality; EN 54, EN 5013
Website: http://www.bre.co.uk/page.jsp?id=1764

SBSC (Sweden)
What is certified? Fire protection & crime prevention
Basis of the testing and certification processes: e.g. EN 1300, EN 1143, EN 14450
Website: http://efsg.org/

TÜV Rheinland (Germany)
What is certified? Security related areas: e.g. IT security, data protection
Basis of the testing and certification processes: e.g. ISO 27001, ISO 18028, BSI Grundschutz, German Data Protection Law (BDSG)
Website: http://www.tuv.com/de

TÜV Sued (Germany)
What is certified? Various domains: airport construction and aviation security; IT security and data safety; fire safety, safety management
Basis of the testing and certification processes: Management systems: Quality Management ISO 9001 / AS 9000 / EN 9100; Environmental Management ISO 14001; EMAR EEC 1836 / 93; Safety Management SCC / BS 8800. Systems evaluation for LBA / EASA275 certification: Aircraft industry JAR-OPS / EASA; Flight schools JAR-FCL / EASA; Technical aviation company JAR-145 / EASA; Airport and aircraft equipment (e.g. ground equipment)
Website: http://www.tuev-sued.de/home_en

TNO (the Netherlands)
What is certified? TNO is for example an important player in the field of testing CBRNE protection products
Basis of the testing and certification processes: e.g. ECAC
Website: https://www.tno.nl/?Taal=2

VdS Schadenverhütung (Germany)
What is certified? Everything in the area of fire safety and security: products, software, systems, components, companies/service providers charged with the planning and design, engineering and installation of fire safety and security systems
Basis of the testing and certification processes: European and national standards, regulations, VdS guidelines, Prüfvereinbarungen (test agreements), e.g. EN 1300, EN 1143, EN 14450, EN 54, EN 5013, DIN 14676
Website: http://vds.de/en

Source: Own figure (updated soon)
Figure 37: Examples of security-related certification bodies in European Member States

275 European Aviation Safety Agency

Several certification bodies are already involved in European collaborations. This is described in Chapter 6 in more detail. In-depth analyses of national certification bodies will be given in deliverable 2.2.

6.2. GENERAL FINDINGS REGARDING THE STATE OF HARMONIZATION

With the aim of identifying good practice examples in niches of the security market, the organizations European Accreditation, IIOC, EFAC and CEOC International were contacted and asked for information about mutual recognition agreements in the security field in Europe. Appropriate examples for such collaborations could not be identified. This is stressed by a survey which is presented in an EC staff working paper.276 According to Figure 38, participants widely agreed with the statement that the lack of harmonized certification/conformity assessment procedures for security technologies affects market fragmentation.

276 See European Commission, op. cit., 2012, p. 23.


Responses to the question: "Do you agree that the lack of harmonised certification/conformity assessment procedures for security technologies affects the market fragmentation?"

Response categories (in the order of the source table): Do not agree at all | Do not agree | Agree | Agree very much | Do not know

Respondent profile and number of responses:
A business association: 4, 6, 3
A national administration: 3, 1
An academic institution or think tank: 1, 2
An individual: 1
Large enterprise (> 250 employees): 2, 2, 14, 1
Medium enterprise (between 50 and 249 employees, turnover < € 50 million): 2, 3
Micro or small enterprise (< 49 employees, turnover < € 10 million): 1, 1, 4
Non governmental organisation: 1, 3
Other: 1, 2
Regional or local administration: 1

Grand Total: Do not agree at all 0 | Do not agree 3 | Agree 15 | Agree very much 33 | Do not know 8

Source: European Commission (2012)277
Figure 38: Perceived lack of harmonised certification procedures in Europe

Further research efforts, including talks with representatives of the security market, stressed that few approaches towards harmonization and mutual recognition exist. There are activities, ideas and partial solutions with regard to selected products, components and systems only (e.g. offered by CertAlarm and EFSG).

In the field of security services no harmonized certification approach exists yet. Rather, national standards are used as the foundation for certification in several areas. The development of European standards for these specific fields has not yet begun. This topic will be described in more detail in Chapter 6.3.5.

There are different reasons for the difficulties in reaching mutual recognition in the Member States. A significant factor is the different perception of security and necessary protective measures in the Member States. In addition:

- Different concepts and organisational structures of national security exist in the European countries;
- Insurance companies have different security-related requirements;
- Different national laws exist (e.g. in the field of building legislation) which have to be addressed by certification; and
- Organisations with safety and security functions have specific requirements on security products and systems, which means that it is not a specific certificate that is most important but rather the fulfilment of the specific requirements of the organisations.

277 See European Commission, op. cit., 2012, p. 23.

According to the observation of an industry expert, organisations with safety and security functions prefer using products from their own countries. This reflects certain patterns of the U.S. market, too. Various difficulties exist for foreign companies to sell products to the U.S. government. Nevertheless, steps to improve the market conditions are being taken. In addition there are national barriers to sellling products with a high level of protection abroad. For example, there are areas in the field of protection against CBRNE in which sell-ing the products abroad requires a specific confirmation by the seller’s own country. 6.3. THE SITUATION IN DIFFERENT SECURITY SECTORS 6.3.1. CBRNE An important milestone towards harmonized solutions for conformity assessment in the field of CBRNE (chemical, biological, radiation, nulear and explosives) detection was the imple-mentation of the European project CREATIF. Based on the results of this project, Myers et al.278 identified a need for three types of testing: laboratory, human factors, and operational testing. With regards to testing concepts, scenario based testing was regarded as the most effective form of testing. The authors stress the opportunities of round robin exercises as a tool to compare test results from different laboratories and provide a means of quality assurance for testing. In addition, specifics in the fields of chemical, biological, radiation and nuclear detection as well as ex-plosives detection were explored.279 In the field of chemical (“C”) detection, a wide choice in equipment requirements and test-ing guidelines to be decided upon exists and may lead to conflicts of interest among Member States due to political, tactical, security and other issues. 
Concerning further steps, it is regarded as useful to focus on a series of small steps towards a slow but continued progress.280 The results of the project suggest that a roadmap should take several agreed-upon conclusions and recommendations into account. These conclusions include, for example, the following activities:

Developing and agreeing upon the requirements for chemical detectors and the parameters for testing;

Defining or improving standards for testing of detection systems based on requirements;

Discussing best practices of testing;

278 See Myers et al., op. cit., 2011, p. 2f.
279 See Myers et al., op. cit., 2011, p. 8.
280 By Myers et al., op. cit., 2011.


Focusing on agreement upon the range and selection of chemical agents and interferents for testing;

Using inter-laboratory comparison of testing to harmonise and develop common or mutually agreed-upon protocols; and

Promoting international testing cooperation on a regular basis to appoint and certify a group of test centers.

In the field of biological (“B”) detection, obtaining certificates for B281 detectors requires the development of standards in advance. The standardisation can be divided into three components: standardised test conditions, test and evaluation methods, and operational testing.282 Performance metrics to be determined, namely alarm limits, specificity (false alarm rates), response times and operability in different environmental conditions (weather, location, interferents), are regarded as necessary.

Regarding radiation and nuclear (“RN”) detection, the topic of standardisation covers many sub-topics (usability and operational aspects, quality assurance, comparability of testing results, definition of minimum requirements of instruments dependent on intended use, defining relevant scenarios for testing, etc.). The CREATIF consortium regarded it as impossible to find global solutions regarding testing. Therefore CREATIF suggests focusing on testing the laboratories. Testing experts agreed that it is desirable to complete round-robin exercises (such as by testing new technologies before testing different brands of the same device, etc.). For such exercises, available standards should be used. The definition of inter-comparison exercises for testing facilities should follow a layered approach, with a core list of minimum testing parameters to be covered.283

With regard to explosives (“E”) detection, the necessity of further work in the direction of testing standards development was identified. In addition, a need for inter-comparison exercises has been expressed by both end-users and manufacturers in the CREATIF network.284

As described earlier, CEN/TC 391 had included the topic CBRNE in its scope and created a foundation for further activities in that field. In addition, a concept for a future CBRNE certification association was developed. According to this concept, this association is controlled by a General Assembly consisting of manufacturers, certifiers and other stakeholders who discuss common strategic issues concerning European certification on CBRNE on the global market. For several reasons, the joint testing facility concept has not been accepted by the stakeholder community.285

In summary, according to a main representative of a participating institution, CREATIF led to the following conclusions:

281 Biological.
282 See Myers et al., op. cit., 2011, p. 11.
283 See Myers et al., op. cit., 2011, p. 13f.
284 See Myers et al., op. cit., 2011, p. 15.
285 It was decided not to include details in the specific document.


Harmonizing test approaches is currently very difficult because each institution wants to use its own know-how and concepts.

On the other hand, major test centers already have testing and test protocols which provide a good basis for common testing.

At first, the test protocols must be harmonized. The key problem is the mutual recognition of the tests. (Harmonization in the RN detection field is regarded as very easy, but solutions in the C and B field appear to be very difficult, because environmental factors must be considered.)

Recognition of hardware tests which evaluate the functionality of the system is regarded as simple, too, but recognition of the practical tests is more difficult because tests and test parameters must be agreed on based on scenarios.

To illustrate further suggestions, they used a luggage check as an example, consisting of two tests: a laboratory test (test 1) and a scenario-based test (test 2):

Test 1 answers questions like: Does the X-ray work? Yes / no? This may be determined with the help of a step wedge or grating (technical aspect).

Test 2 is based on a set of special suitcases which is necessary to determine the false alarm rate and the probability of the detection of explosives.

Both critical values of test 2 were, for example, determined by a national aviation security authority based on a suitcase set whose functional scenario-based aspects are only known to a few test laboratory staff members (higher secrecy). Security personnel then selected the equipment. According to the expert, one approach to meet the specific needs in the aviation field can, for example, consist of two elements:

1.) Use of pre-tests to obtain a CBRNE label for a device, which can be harmonized.

2.) Use of the label as a prerequisite for scenario tests carried out by national security authorities (police, border security), governmental institutions or together with semi-public organisations.

The suggestions will be analysed in more detail in following steps of this project. As described earlier, a recent accomplishment in the field of CBRN was the development of CEN/TS 16595:2013 CBRN - Vulnerability Assessment and Protection of People at Risk by CEN/TC 391.

6.3.2. AIRPORT SCREENING EQUIPMENT

According to Chapter 3.3.3, aviation security is shaped by detailed EU regulation. For several product areas, EU rules have already defined essential performance requirements, but harmonised standards and harmonised conformity assessment, with mutual recognition, are missing, and the deployment of equipment has to follow various national procedures in the Member States. In a number of cases, the national procedure relies on the results of a non-binding, common evaluation process.286 A key foundation for the European engagement in this area was an action plan that was part of the EU 2020 initiative ‘An Integrated Industrial Policy for the Globalisation Era Putting Competitiveness and Sustainability at Centre Stage,’ published in 2012.287 One year later, the Commission communicated the goal to establish an EU-wide harmonised certification system for airport screening (detection) equipment and to achieve mutual recognition of certification systems.288 According to Figure 39, three options were defined for realizing these goals:

1. "Baseline scenario", where the Commission would not launch any dedicated policy initiative to harmonise the certification procedures.

2. Recommendation to Member States to mutually accept their national certification systems and/or to rely on the common evaluation process of the European Civil Aviation Conference. The aim of this recommendation would be to enable a producer of airport screening equipment to certify his product only once in a single Member State in order to sell it in all Member States.

3. "Legislation" - The Commission would propose a regulation which would be elaborated jointly with regulators, industry representatives and certifiers alike. The aim of this regulation would be the same as for the recommendation but implemented through binding legislation, which would ensure that the producer can sell his product in all Member States once it was certified in a single Member State. Three different variations of this regulation would be analysed:

3.1. The "Old Approach", characterized by a set of detailed specifications which are laid out in the directive itself. This approach targets specific technologies and not general areas. The certification would be from a third party.289

3.2. The "New Approach" focuses on essential requirements written in general terms. Product legislation is restricted to the requirements necessary to protect the public goals of health and safety. The technical specifications are elaborated by the responsible ESOs. This certification would be based either on a third-party certification or on a self-certification.

3.3. The "Centralised Approach", whereby the certification would be done centrally by an EU agency, such as the European Aviation Safety Agency, which already today centrally certifies commercial aircraft for the whole of the EU.

Figure 39: Options for an EU-wide harmonized certification system for airport screening equipment
Source: Own figure based on European Commission (2012)

According to DG ENTR, Option 1 and, to a large extent, also Option 2 would not lead to any benefits. Option 2 could even cause negative side-effects. On the other hand, in-depth analyses showed that Options 3.1, 3.2 and 3.3 will lead to a drastic simplification of procedures and a reduction of administrative burden, as companies will have to certify their products once, instead of up to 28 times depending on the number of Member States in which they sell their products (as is currently the case). The transposition of the options should not lead to difficulties in the Member States. However, according to the report, Option 3.3 may be strongly resisted by Member States. CRISP identified a fourth approach, motivated by the industry’s lack of support for CREATIF’s CBRNE-related centralized approach as explained in Chapter 6.3.1. It is regarded as possible that the certification task will not be entrusted to a single entity but to several organizations which use the same guidelines and follow the same procedures.

286 This process was established by the European Civil Aviation Conference. Chapter 6.4.5 will describe its accomplishments but also remaining needs for action.
287 See European Commission, op. cit., 2012.
288 See DG ENTR, op. cit., 2013, p. 1.
289 Conformity assessment can be performed through three alternate channels. The assessments can be performed by the suppliers themselves (first-party assessment including self-certification), by the purchasers (second-party assessment), or by independent organizations (third-party assessment), see Guasch, op. cit., 2007, p. 63.

6.3.3. AIR CARGO

The EU Regulation 185/2010, which became valid on 28 April 2013, created a requirement for approval procedures to be created for freight shippers. In 2008, Regulation (EC) No 300/2008 had already laid down the legal framework for air cargo shippers, defined the responsibilities of the Member States and called for the establishment of EU-wide standards.290 Furthermore, Regulation (EC) No 300/2008 requires that each Member State develops and advances a “national security program for civil aviation” which regulates air cargo security (Articles 10 and 4). In addition, EU Regulation 185/2010 sets out the obligations of the actors in the secure supply chain for air freight and has led to a need for testing and the approval of freight shippers.291 According to Teichler et al.,292 the market for conformity assessment might reach a volume of € 12 million in the future.

6.3.4. ALARM SYSTEMS

6.3.4.1. ALARM SYSTEMS IN GENERAL

In the field of fire alarm systems, some European standards are already available. Multinational certificates exist, but the authorities of the Member States have no obligation to accept them.293 DG ENTR294 identified three basic policy options to offer solutions.
Based on in-depth analyses, the third one (“Legislation”, which consists of two variations) is regarded as beneficial. DG ENTR295 describes this option as follows: “The Commission would propose a regulation which would be elaborated jointly with regulators, industry representatives and certifiers alike. (It would be implemented through a binding legislation), which would ensure that the producer can sell his product in all Member States once it was certified in a single Member State.”

290 See Teichler et al., op. cit., 2013, p. 141.
291 In Germany, for example, all companies that are active in the air freight field need to pass evaluation and registration procedures by the LBA (Luftfahrtbundesamt) to get a registration as a ‘known consignor‘, see Chapter 5.
292 See Teichler et al., op. cit., 2013.
293 The certificates are offered by the industry-led certification mechanism CertAlarm. European Commission, op. cit., 2012, p. 37. Chapter 6.4.6 will describe its accomplishments but also remaining needs for action.
294 See DG ENTR, op. cit., 2013.
295 See DG ENTR, op. cit., 2013.


The first variation is based on the ‘Old Approach’, which is characterized by a set of detailed specifications. It targets specific technologies while general areas are not considered. The certification would be based on a third-party certification. The second variation is based on the ‘New Approach’ (Council Resolution 85/C 136/01), which focuses on essential health and safety-related requirements written in general terms. The technical specifications would be created by CEN/CENELEC or ETSI. The certification would be based either on a third-party certification or on a self-certification. Additional activities to analyse the two variations in more detail were announced by the EU.

6.3.4.2. FIRE ALARM SYSTEMS

For a long time the technical requirements for fire alarm systems have been determined by standards at the national level and, for about ten years, at the European level. In addition to standardisation institutes, private players have defined quality and safety standards that go partly beyond the legal requirements.296 Besides the accomplishments, remaining issues require further problem-solving activities. The use, installation and maintenance of these solutions in more complex security systems have not been considered by European standards. This gap in the standards inhibits the functioning of the European market in that field. In addition, labeling with the relevant mark of strong national conformity assessment bodies is a necessary prerequisite for the use of a product in many Member States. Nevertheless, a few multinational collaborations exist. VdS provides examples. In Europe, agreements for the mutual recognition of test results exist between VdS and several other certification and inspection bodies, see Figure 40.297

Test / Certification body | Country | Product range
LPCB | United Kingdom | Fire protection and security (e.g. detector, control and indicating equipment, power supply)
AFNOR, CNPP | France | Fire protection and security (e.g. fire detector, control and indicating equipment, security container)
DIFT, Delta | Denmark | Fire protection (e.g. fire detector, control and indicating equipment)
SBSC, SSF | Sweden | Security (e.g. security container)
ICIM, Istituto Giordano SpA | Italy | Security (e.g. security container)
National certification center of the Emergency Ministry of Ukraine | Ukraine | Fire protection (e.g. components for fire detection and fire alarm systems, extinguishing systems, smoke and heat exhaust ventilation systems)
TZUS Praha, s.p. | Czech Republic | Fire protection (e.g. components for fire detection and fire alarm systems, extinguishing systems, smoke and heat exhaust ventilation systems)

Figure 40: European collaborations of VdS
Source: Own figure based on information taken from the website of VdS

296 See Teichler et al., op. cit., 2013, p. 140.
297 See VdS, “International Certification Partners”, 2011.

In addition, VdS collaborates closely with two partners in the U.S. which are shown in the following figure.

Test / Certification body | Country | Product range
U.S. Coast Guard (USCG) | U.S. | Fire protection (e.g. components for fire protection systems)
FM Approvals | U.S. | Fire protection (e.g. fire detector, control and indicating equipment, power supply equipment)

Figure 41: Collaborations of VdS with the U.S.
Source: Own figure based on information taken from the website of VdS

VdS defined the clear goals of “One-Stop-Testing” and “Multiple Certification”.

6.3.5. SECURITY SERVICES

According to Chapter 4, CEN/TC 384 has developed a standard for aviation security services, and a standard for marine port security services is under development by CEN/TC 417. In addition, Chapter 4.3.2 shows that a basic European standard for security services related to technical systems is currently being developed at CEN/CLC/TC 4. This standard is planned to be used as a foundation for application standards for different security areas as well as a foundation for future certification processes. At the moment, little collaboration regarding the certification of security services exists in Europe. A significant barrier is that the certification processes build on specific national standards. Therefore the certificates are not comparable.

6.3.6. NEED FOR ACTION

As mentioned earlier, the interrelation between standards and certification is an important aspect. According to an interviewee consulted for this document, there are barriers. To overcome them, his certification organization:

Uses guidelines for areas in which no standards exist;

Offers specific solutions/procedures to certify innovative technologies for which standards do not exist yet; and

Uses guidelines in addition to standards for areas in which only minimum requirements were negotiated at the European level, while certificates certify a higher level of quality.

The relevant guidelines were developed with stakeholders. Therefore, the problem is not that alternative documents are used for certification instead of standards. The problem is related to documents which are used in addition to standards. To realize more standards-based certification, a need for new European directives was expressed. The European Directive for Fire Protection was described as a good example for that. In addition, a need for similar documents in the areas of CCTV, access control, protection of critical infrastructures and smart grids was expressed.

6.4. CERTIFICATION BODIES AND SCHEMES

6.4.1. INTRODUCTION

In the following sub-chapters, several multinational certification schemes are described. Figure 42 shows how these solutions address the different sectors of the security market.

[Figure 42, recovered from the figure text: the figure lists the sectors Aviation Security, Critical Infrastructure Security, Counter-Terror Intelligence Market, Maritime Security, Physical Security Protection, Border Security, Protective Clothing and IT Security/Privacy, and maps to them the schemes EFSG, CERT-ALARM, Common Criteria, SOG-IS, EASA, ITSEC, ECAC and e.g. EURO-PRISE; several sectors are marked “No mutual recognition-like agreement”.]

Figure 42: Multilateral recognition agreements in Europe in the security field
Source: Own figure298

298 EURO-PRISE and other privacy seals will be described in more detail in CRISP’s Deliverable 2.2 (Consolidated report on security standards, certification and accreditation – best practice and lessons learnt).


As Figure 42 shows, many areas are not addressed by mutual recognition solutions yet. Even in fields in which certain approaches exist, like in the field of aviation security, common solutions are only offered in small areas of the specific market segments so far.

6.4.2. COMMON CRITERIA CERTIFICATION

The international standard ISO/IEC 15408, introduced in Chapter 2.5.3, defines the security functionality of IT products. It is usually referred to as the “Common Criteria for Information Technology Security Evaluation” or just “CC”. The “Common Methodology for Information Security Evaluation” (CEM) is used as a specific instrument for the evaluation and assessment of the formulated IT security functionalities. On the international level, there is the “CC Recognition Arrangement” (CCRA) in which national certification bodies have declared their agreement to mutually recognize evaluation results up to the evaluation assurance level 4 (EAL4) from the other participating certification bodies.299 The CCRA regulates:

How the agreement is to be coordinated and fulfilled;

How the recognition and mutual assessment of the national certification bodies is to be done;

Up to which level of assurance evaluation can or should be performed;

Which technical domains should be covered by the agreement; and

Which exceptions or restrictions are necessary in cases where the recognition of the certifications would be inconsistent with national, international or European laws or regulations. This issue is of particular importance for the domain of national security.

The agreement SOG-IS, which is covered in Chapter 6.4.3, regulates those very same aspects.300 Each Member State is given control over the certification services and their implementation. In Germany, for example, the responsible entity is the Federal Office for Information Security [BSI (D)]. BSI (D) is the national certification body of Germany and is responsible for overseeing the evaluations done by BSI (D)-approved evaluation facilities. CertLab of Fraunhofer FOKUS is an example of a BSI (D)-authorized body. BSI (D) has signed the CCRA for international recognition, coordination and assessment of IT-security certificates and the SOG-IS MRA for recognition and assessment on a European level as well. The whole procedure of granting certificates is divided into three phases: application, evaluation and certification. Any manufacturer wishing to certify their product submits an application. A BSI (D)-approved external evaluation facility is then commissioned to evaluate whether or not the product complies with the required security criteria laid down in the CC. Finally, if all requirements are met, the certificate is granted in the final phase and recognized worldwide. A few examples of information technology products which are covered by BSI (D) security certificates are: smart cards, smart meters, operating systems, databases and firewalls.

As mentioned previously, CertLab of Fraunhofer FOKUS is part of the BSI (D)-authorized bodies. Furthermore, it has now been put in charge of monitoring the evaluation facilities. BSI (D) outsourced this responsibility in part to CertLab in response to the continuously growing demand for certification procedures. According to Figure 43, the certification procedure remains under BSI (D) authority, but employees of CertLab can, for example, have responsibility for the monitoring of the evaluation facilities. Their field of activity is limited to software products and to EAL4.301

299 See Common Criteria, “The Common Criteria: Common Criteria”, no date. http://www.commoncriteriaportal.org/
300 See Bundesamt für Sicherheit in der Informationstechnik, “Internationale Anerkennung von IT-Sicherheitszertifikaten“, no date. https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/InternatAnerkennung/interanerkennung.html

Figure 43: German example of the CC certification process
Source: Fraunhofer FOKUS302

European countries which signed the international CC Recognition Arrangement (CCRA) are represented by national bodies such as BSI (D) (Germany), ANSSI (France) and CESG (United Kingdom). A stakeholder list is provided at http://www.commoncriteriaportal.org/ccra/members/. The list distinguishes between countries that issue (authorize) certificates and countries that accept (consume) certificates. In addition, European countries signed SOG-IS, which is described in the next sub-chapter.

301 See Fraunhofer FOKUS, Common Criteria Certification Lab. Evaluation Monitoring for CC Certification Procedures, no date. http://www.fokus.fraunhofer.de/de/fokus_testbeds/common_criteria_certification_lab/index.html
302 See Fraunhofer FOKUS, op. cit.


6.4.3. SOG-IS

The foundation for the establishment of the SOG-IS (Senior Officials Group Information System Security) agreement was laid by the EU Council Decision of March 31st 1992 (92/242/EEC) regarding the security of information systems, and the Council recommendation of April 7th (1995/144/EC) on common IT security evaluation criteria.303 The agreement was updated in January 2010 and has the title SOG-IS Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, Version 3.0. It has four objectives:

a) To ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards (…);

b) To improve the availability of evaluated, security-enhanced IT products and protection profiles;

c) To eliminate the burden of duplicating evaluations; and

d) To continuously improve the efficiency and cost-effectiveness of the relevant evaluation and certification process.

The participants belong to eight European countries.304 The purpose of this agreement is to create a situation in which certified IT products and protection profiles can be procured or used without any need for further evaluation. It seeks to create confidence in the reliability of judgments by requiring that a certification body issuing Information Technology Security Evaluation Criteria (ITSEC) or CC certificates should meet high and consistent standards. The European recognition of certification bodies and the recognition of their certificates are ensured among the signatories based on the EA-MLA (the Multilateral Recognition Arrangement in the private sector). Accreditation by the national accreditation body is an essential prerequisite for all SOG-IS members. The SOG-IS Mutual Recognition Agreement (MRA) includes the recognition of CC certificates up to Evaluation Assurance Level (EAL) 7305 for IT products related to certain technical domains.306 The international Common Criteria Recognition Arrangement (CCRA) covers only the recognition of CC certificates up to EAL4.

303 See SOG-IS, Introduction, no date.
304 They include the Sécurité des Systèmes d'Information (ANSSI) from France, the Bundesamt für Sicherheit in der Informationstechnik (BSI (D)) from Germany, CESG from the United Kingdom, the Netherlands National Communications Security Agency (NLNCSA) and the Ministry of the Interior and Kingdom Relations (BZK) of the Netherlands, the Swedish Defence Materiel Administration (FMV), the Organismo de Certificación de la Seguridad de las Tecnologías de la Información Centro Criptológico Nacional (CCN) from Spain, as well as the Finnish Communications Regulatory Authority (FICORA) and the Norwegian National Security Authority, which operates the Norwegian Certification Authority for IT Security (SERTIT).
305 See GAO, Information Assurance: National Partnership Offers Benefits, but Faces Considerable Challenges. Report GAO-06-392. United States Government Accountability Office, 2006, p. 27 for EAL definitions.
306 See ECORYS, op. cit., 2011a, p. 183.


6.4.4. EVALUATION ACCORDING TO ITSEC The “Information Technology Security Evaluation Criteria” (ITSEC) was set up on 3 March 1998. It was created within a European Agreement on mutual recognition. This agreement also states that ITSEC certificates are to be mutually acknowledged by the Member States. ITSEC differentiates between functionality and assurance levels. To set and properly define functional requirements, it offers predefined exemplary classification of functions. With re-spect to assurance levels, a second differentiation is made, namely between accuracy and effectiveness. The effectiveness evaluation includes an assessment of the strength of mecha-nisms and rating them low, medium, and high. To determine accuracy, there are six prede-fined hierarchical stages, going from E1 (lowest) to E6 (highest). The evaluation is composed of the testing and rating of the security features and the safety characteristics of the IT-products according to the defined IT-safety and IT-security requirements made by the evalua-tion manual “Information Technology Security Evaluation Methodology” (ITSEM).

307 6.4.5. ECAC

ECAC, the European Civil Aviation Conference is an arrangement of 44308 countries.309 A key instrument is ECAC’s Common Evaluation Process of Security Equipment (CEP). CEP applies to Explosive Detection Systems (EDS), Liquid Explosive Detection System (LEDS), and security scanners.310 The tests show whether the relevant products meet a product range-specific ECAC performance standard. Different authorities are responsible for ECAC in the Member States. For example, in Germany it is the Landespolizei Luebeck. These entities work together with specific European ECAC test centers. Laboratory tests of EDS, LEDS and security scanners are conducted at various participating test centres located in ECAC Member States with the objective of determining whether the tested equipment meets the required ECAC performance standards in laboratory conditions.

The CEP Management Group, which consists of the national authorities contributing to the process, analyses the test reports to determine whether the equipment meets an ECAC performance standard. The test reports are communicated to the ECAC Member States that are signatories to the CEP Administrative Arrangements; all ECAC Member States are signatories to these arrangements.

ECAC publishes information on the Explosive Detection Systems, Liquid Explosive Detection Systems and security scanners that were evaluated as meeting an ECAC performance standard. The evaluation and the attributed performance standard are valid only for the configuration(s) of the equipment indicated in ECAC's relevant table. The evaluation does not constitute an approval or certification of the equipment by ECAC; approval or certification of equipment remains the responsibility of the relevant aviation security authority in each ECAC Member State. ECAC's standards include a performance standard for EDS, a performance standard for equipment used for the screening of Liquids, Aerosols and Gels (LAGs) and a performance standard for security scanners. Of the whole CBRNE field, ECAC therefore covers only the area "explosives" and parts of the area "chemicals".

307 See Bundesamt für Sicherheit in der Informationstechnik, "IT-Sicherheitskriterien und Evaluierung nach ITSEC", no date. https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/ITSicherheitskriterien/ITSEC/itsec_eval.html
308 Albania, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Moldova, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, San Marino, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, The former Yugoslav Republic of Macedonia, Turkey, Ukraine, United Kingdom.
309 See ECAC, Member States, no date.
310 See ECAC, op. cit., 20 March 2014.

6.4.6. CERTALARM

Because of the limited capacity of the internal market for alarm systems in the mid-2000s, the main business association for alarm systems, the industry association EURALARM, agreed to establish the society CertAlarm. EURALARM encompasses national associations of 14 European countries with around 700 companies and a total turnover of approx. 3.5 billion Euros, i.e. approx. 70% of the total European market for alarm systems. CertAlarm provides a testing and certification process for security and fire protection products, carried out by conformity assessment bodies, under a single label in Europe. After its establishment in 2009, CertAlarm had issued 100 certificates by February 2013.311 A weakness of CertAlarm is that it was created by manufacturers but defines rules for market players that are independent of the manufacturers. In addition, it does not cover all European countries. Nevertheless, CertAlarm can be regarded as a pioneer in the market for security-related conformity assessment in Europe.

6.4.7. EFSG

In addition to the activities of CertAlarm, several national conformity assessment bodies working in the fire protection and security sectors established the European Fire and Security Group (EFSG). EFSG's members signed mutual recognition agreements covering the test results of alarm systems. Their common objectives are:

- to facilitate the mutual recognition of testing and inspection activities in order to achieve multiple certification;
- to facilitate easy access to multiple quality marks; and
- to promote best practice across the testing and certification industry.

EFSG’s members include AFNOR Certification (France), CNPP (France), ICIM (Italy), ECBS (Germany), VdS Schadenverhütung (Germany), LPCB (Great Britain), SBSC (Swe-den) and BSI (Great Britain). Figure 44 gives an overview of the relevant quality marks.

311 See CertAlarm, “100th CertAlarm certificate published”, 2013.


Figure 44: The quality marks of the EFSG System (Source: Aris312)

The relevant mutual recognition agreements are published on EFSG's website. The MRA for the certification of intruder alarm systems,313 for example, was signed in November 2013. It starts with the following general section on p. 2:

'This EFSG agreement specifies the conditions for the mutual recognition of test results for components of intruder alarm systems according to the standards and tables listed in the technical part314 (…) of this agreement, for the purposes of granting permission to use the certification marks of the certification body signatories. The agreement has been made on the understanding that the participating certification bodies are accredited in accordance with EN 45011315 or EN ISO/IEC 17065316 by a member of EA (European co-operation for Accreditation) with a scope covering the relevant equipment.'

Section 4 of the document describes the application procedure for receiving multiple certificates on p. 2:

'If a manufacturer wants to be licensed for the certification mark of another party of the agreement, he shall apply to that certification body and shall agree to abide by its regulations. For comparison of test results, it is necessary that the manufacturer gives written permission to the certification body and its associated testing laboratory to exchange information (e.g. test results) between the signatories of this agreement. The test results from one of the associated testing laboratories according to the technical part of this agreement (…), shall be mutually accepted by the certification bodies involved in this agreement, within the bounds of the respective regulations.'

The testing and certification procedure is described on p. 7 of the document:

'An applicant shall apply for certification at those certification bodies (CBs) from which the applicant wishes to obtain a certificate. The applicant can indicate to the CB a preference for the associated testing laboratory that is able to perform the product testing. Taking the product specifications and the test specimen(s) as a basis, the laboratory proceeds as follows:

312 See Aris, Martin, “EFSG Quality Marking for European and Worldwide Markets”, 2012 Presentation, p. 3. 313 See EFSG, “EFSG Agreement on the Components of Intruder Alarm Systems”, 24 November 2013. 314 Two tables of the technical part are shown in Figure 47f. 315 EN 45011 General requirements for bodies operating product certification systems 316 See ISO/IEC, op. cit., 15 September 2012


- examination of specimen(s) and documentation;
- define and agree the test program with the applicant and the CB;
- perform the test program;
- issue the test report(s).

The CB studies the test report and issues a certificate that clearly identifies the security grade and environmental classification of the product. When the applicant has not informed all the relevant CBs prior to testing and the certificates of the other CBs are sought after the testing has been completed, it may be necessary for the other CBs to request further tests to be carried out by an associated testing laboratory party to this mutual agreement. The reasons for the additional tests shall be justified in writing to the applicant and the first CB notified by the CB that requires them.'

With regard to the mutual recognition of test results, the following description is given on p. 8 of the document:

'This agreement includes the mutual recognition of the results of tests performed by an associated testing laboratory to the clauses of the EN standards identified in table(s) of this Annex. The mutual recognition of the results of the tests that are outside of the scope of the EN standards is not covered by this agreement. (…) In the unlikely event that the results of a test lead to uncertainty when assessing compliance against the criteria of the test standard, a participating CB can request further information and/or testing.'

Figure 45 illustrates the procedure. At the beginning, a manufacturer informs the EFSG member in its own country in which European countries it wants to introduce a new product that needs to be certified. After certifying the product, the national EFSG member contacts the other relevant members, which then test the product against any additional national requirements. According to a source from the security industry, these procedures do not yet achieve the ultimate goal of the European manufacturers, but they represent a step towards "one stop certification".


Figure 45: The EFSG process (Source: Aris317)

Test laboratories are important players in the certification process. According to Figure 46, each certifier nominates one or more associated test laboratories.

Figure 46: Examples of the nomination of test laboratories by a certifier of the EFSG group (Source: Aris318)

EFSG has adopted procedures for the mutual recognition of testing based on European standards. This has been successful in the areas of:

- high security locks: EN 1300 (agreement: CNPP, ECBS, SBSC, VdS);
- safes and secure cabinets: EN 1143, EN 14450 (agreement: CNPP, ECBS, SBSC, VdS);
- fire detection: EN 54 (agreement: AFNOR, LPCB, BSI (GB), VdS); and
- intrusion detection: EN 50131319 (agreement: AFNOR, CNPP, LPCB, VdS).

317 See Aris, op. cit., 2012, p. 14.
318 See Aris, op. cit., 2012, p. 12.


In addition to the requirements defined by the European Standards mentioned above, each Member State has its own national requirements for specific security solutions. Although the tests, criteria and certificates of the EFSG members based on the relevant standards are very similar, additional evaluations are therefore still needed. The following figures show parts of the mutual recognition agreement on certificates for intrusion detection systems as well as an example of a test protocol of an EFSG member.

Figure 47: Parts of the EFSG agreement on components of intruder alarm systems -1- (Source: EFSG320)

319 See Aris, op. cit., 2012 and in addition EFSG, "Product Certification", no date. http://www.efsg.org/images/pdf/IAS%20EFSG_Agreement_Nov%202013.pdf
320 See EFSG, op. cit., 24 November 2013.


Figure 48: Parts of the EFSG agreement on components of intruder alarm systems -2- (Source: EFSG321; the figure shows parts of a technical table)

321 See EFSG, op. cit., 24 November 2013.


Figure 49: Exemplary test protocol of the EFSG partner CNPP (Source: EFSG322)

Approvals from EFSG member certifiers are accepted across the EEA. EFSG thereby fulfils the objective of the European Commission and helps to make the security and safety industry more competitive outside the EEA (e.g. in the USA and Asia). Some of the approvals from EFSG member certifiers are accepted worldwide, e.g. in Algeria, Australia, Canada, China, Israel, India, Indonesia, Japan, Liechtenstein, Malaysia, Mexico, the Middle East region, Morocco, New Zealand, Russia, Norway, the Philippines, Singapore, South Korea, South Africa, South America, Switzerland, Taiwan, Thailand, Tunisia, Turkey and the United States.323

322 See EFSG, op. cit., 24 November 2013.

Currently, each conformity assessment body of the EFSG group has its own quality mark. However, according to an expert, an EFSG quality mark which also shows the relevant national certification bodies is planned. Progress towards common certification has been slow because of the lack of harmonised standards. To overcome this, EFSG certifiers and their associated laboratories participate in standards writing within CEN and CENELEC, and in many cases they provide regular feedback of test findings to the working groups to improve the standards. Besides its accomplishments, the EFSG concept also faces challenges. A uniform certification programme is missing: each of the four agreements in the main areas of EFSG's activities (fire detection, etc.) comprises at most four of the eight EFSG partners. Important conformity assessment bodies of the four largest national European security markets are united in the EFSG, but acceptance of the tests is limited to the members, and any extension to new members or new technical areas requires a process of negotiation and agreement. Obstacles to the enlargement of the EFSG network and the inclusion of new members include:

- failure of candidates to demonstrate the required experience;
- lack of willingness by candidates to participate in EFSG's quality measures, including the use of the EFSG auditing system, multilateral supervision and round robin tests; and
- the effort necessary to participate (time for negotiations), etc.

An important advantage of the EFSG approach is its wide acceptance in large (national) parts of the internal market. This acceptance will increase with each extension in terms of topics and members. But an important challenge remains: as long as there is no common/uniform EFSG quality mark, there will be no real competition in the European market. A further important advantage is the independence of EFSG and its processes from the interests of the manufacturers.324

323 See Aris, op. cit., 2012. 324 See Teichler et al., op. cit., 2013, p. 147.


6.5. CURRENT ACTIVITIES

6.5.1. NATIONAL ACTIVITIES

With regard to national activities, an interesting example is given by the German security industry. In January 2011, the workshop 'Certification of Security Technologies and Services' took place in Berlin at DIN Deutsches Institut für Normung e.V. Around 100 people from government, industry, academia and associations attended the event. Four priorities for action were defined:325

- a European Security Label;
- harmonisation of minimum requirements for the private operation of critical infrastructures (e.g. energy networks);
- certification system integration (management/systems/processes); and
- certification of services (service, education, training).

As this shows, certification is considered appropriate for products, systems and processes. The structuring of certification programmes should build on existing structures. According to the press release of the conference, a roof structure could be formed on the certification of management systems (e.g. the ISO 9000 series of standards on quality management). Following the summary of the workshop,326 this could be supported by industry-related system certifications (e.g. ISO/IEC 27001 and ISO 28000327). In a third stage, certification against product and service standards could follow. Infrastructures, processes, people and information have been identified as core topics. Security services, on the other hand, are far more heterogeneous than technologies and products. This has led to the recommendation of a sectoral approach to certification, with the certification focus on processes and training. Major topics for security services are crisis management, handling of incidents, securing infrastructure and Business Continuity Management.

6.5.2. EUROPEAN ACTIVITIES

With regard to European activities, ERNCIP, the European Reference Network for Critical Infrastructure Protection, is an important player. Its draft objectives for 2013-14 cover six areas in particular, with the following issues:328

325 See DIN, Koordinierungsstelle Sicherheitswirtschaft im DIN, "Workshop Zertifizierung 2011", no date. http://www.sicherheitswirtschaft.din.de/cmd?cmsrubid=134411&level=tpl-rubrik&languageid=de
326 See footnote 325.
327 ISO/IEC, "ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements", 2013 and ISO, "ISO 28000:2007 Specification for security management systems for the supply chain", 2007.
328 ERNCIP, "ERNCIP background information", 2014.


Aviation Security Detection Equipment: Assessing existing test methodologies for suitability for a future EU certification system; survey of test procedures used today; and review of state-of-the-art for explosive trace detection.

Explosives Detection Equipment for non-aviation contexts: Defining EU needs for explosives detection for mass land transport, marine transport, large public events etc., analysis of available technologies, first elements of a European common test methodology for non-aviation contexts.

CB Risks in the Water Sector: Harmonizing test methods of innovative and rapid alarm systems and screening techniques, which make it possible to quickly identify a change of the drinking water quality after an incident.

Resistance of Structures against Explosions: Guidelines for harmonizing test pro-cedures of structural elements, starting with resistance of glass against far field blast loading.

Industrial Automation and Control Systems (IACS) incl. Smart Grid: Current priorities are to identify the barriers to certification and testing of IACS, including the analysis of existing cyber security testing facilities for IACS and Smart Meter components, and consideration of how to reduce the risks to cyber security from human factors.

Resistance of Structures against Seismic Risks: Common qualification of research infrastructures on earthquake engineering, including implementation and maintenance of a Distributed Database of test results.

ERNCIP's activities appear to be most advanced in the fields of 'CB Risks in the Water Sector' and 'Resistance of Structures against Explosions', because work on harmonised test methods is already under way there; the definition of guidelines for harmonising test procedures is targeted for 2014. However, there are also gaps. Although ERNCIP is active in selected areas of the CBRNE field, a need for solutions remains and is stressed by the European Commission:329 testing and certification rules are not comparable across the Member States, and manufacturers have to physically transport and re-certify their equipment in each separate market. Although the need for a harmonised approach in the field of alarm systems is often highlighted, ERNCIP is not active there. In addition, the analysis shows that ERNCIP does not have a specific focus on privacy issues and data protection, although the importance of privacy-specific solutions is highlighted by many European documents. Therefore the need for action described in the Mandate M/487 Final Report Phase 1, which is even more complex, remains: "(I)n the absence of a clear EU framework in this area (of privacy and data protection) there is a lack of clear guidelines for equipment/technology providers with respect to accepted and acceptable performance requirements" (p. 27). CRISP builds on several current developments in the privacy field, which will be described in detail in further deliverables.

329 European Commission, op. cit., 05.02.2013.


7. SUMMARY

This report offers an analysis of the state of the art of security standards and certification in Europe. Following the introduction in Chapter 1, Chapter 2 describes conformity assessment systems and explains the economic benefits of their elements. Advantages of conformity assessment are discussed in general, and specifics of the security field and the economic value of mutual recognition are highlighted in particular. General advantages include the assurance of high levels of quality and product safety, the avoidance of damage and injuries, the reduction of risks and higher specialisation effects. With regard to mutual recognition, potential cost savings were highlighted specifically. The most important benefits of using standards in certification comprise four aspects: trust and transparency, comparability, interchangeability and economic impact. Chapter 3 gives specific insight into the framework conditions of security certification in Europe and explains the security-related documents which a) determine the current security certification landscape and b) build the foundation for future improvements in the marketplace. Chapter 4 describes specific security-related standards and technical committees in Europe and shows current and potential interrelations between standards and certification. Possible needs for new security-related standards are also identified. Chapter 4.4 shows that there are very few European standardization initiatives in the Counter-Terror Intelligence sector. A few international and European standards and activities exist in the sub-field of cyber security, but they do not address all areas of that sector. On a functional level, Chapter 4.5 shows that security standards for the detain function are scarce and that the detaining function executed by private security services is fragmented within the Member States. Therefore, an analysis of a potential need for European standards is regarded as necessary.
Furthermore, according to an interviewee, (nearly) no European standard exists for the software/ICT integrated in security products. This is in harmony with the diagnosis in Regulation 1025/2012 and hinders security-related certification based on standards. Given that EN standards usually take three to four years to develop, the first ICT-related standards based on Regulation 1025/2012 will not be published before 2015. After the introduction of the new standards, mechanisms are needed to facilitate their optimal use in certification processes. Field research revealed that fostering more standards-based certification requires stimulation by appropriate European directives; the European Directive for Fire Protection is mentioned as a good example. In addition, a need for more and similar documents in the areas of CCTV, access control, protection of critical infrastructures and smart grids is expressed. With regard to the interrelation of standardisation and certification, information was gained from interviewees, from emails from CEN/TCs and from analyses of the work of a number of certification bodies. Extended analyses in this regard will be provided by CRISP Deliverable 2.2. An interesting approach regarding the interrelation of standardisation and certification has been used by CEN/CLC TC 4. In cooperation with the EURALARM service section and the EURALARM Working Group CERT, the chairman of the TC is organising a series of meetings with certification bodies to present the current version of EN 16763 and to exchange views on its future use for certification.

The work of additional selected CEN TCs was described in detail. Selected findings are given here: There are many security solutions and application areas in the field of perimeter protection, but the relevant CEN TC is not active at the moment. This has two main reasons: 1. the Member States focus on national solutions and 2. financial resources for further activities at the European level are missing. Inconsistent national standards bear the risk of future market fragmentation. The definition of potential solutions requires further research efforts; opportunities for public funding have to be analysed, too. The activities of several CEN/TCs could not be linked with certification services. An example is CEN/TC 278: although privacy is a major topic in almost all standards developed by the TC, no certification body seems to be active in this field. Several standards are used by international certification bodies; their activities in the different Member States require further analysis. In addition, EN ISO 27799 gives an example of a privacy-related standard used for certification in the Netherlands. The use of the standard for certification in other countries needs to be analysed in more detail. Many security-related TCs are quite new and new standards are under development. Therefore it is recommended to seek collaboration with certification bodies at early stages. In addition, there are national certification bodies which participate in national mirror committees of CEN/CENELEC TCs. They also provide a good example of the establishment of interrelations between both fields. National certification bodies will be investigated in more detail in Deliverable 2.2.
First talks with experts from these organisations show that there are institutions which are aware of the advantages of participating in standardisation, but that they are still too few. Chapter 5 analyses security areas in which the use of open standards is limited. In particular, the fields of digital signatures, airport screening equipment and air cargo are relevant. Usually several different governmental authorities and security authorities are responsible for these topics in a Member State, making the European landscape very complex in this regard. Although databases exist that show all national certification bodies which are accredited by a national EA member, databases of non-EA members are not available. Therefore an extension of current databases or the creation of an additional database is recommended. An additional area in which standards are not used for certification relates to innovative solutions for which standards do not yet exist. Representing the core of this document, Chapter 6 gives a detailed overview of the state of harmonisation and mutual recognition in Europe and describes the suggested concepts of "one stop testing" and "multiple certification". This approach is highly recommended for new product classes, new requirements and related standards. With regard to existing certification services, alternative solutions may also offer advantages. First of all, there are fields in which appropriate certification solutions are missing in general, for example in areas of complex security systems.


With regard to fields with existing certification services in which common solutions are missing, it was expressed that the key obstacle is often not the use of alternative documents for certification instead of common standards; differences between the certificates are rather caused by documents which are used in addition to standards. Therefore, the need for additional standards in these fields, as well as their potential usability for certification, must be analysed. In addition, the extent to which the European market for security certificates should keep providing opportunities to compete on differentiation and the quality of the certificates should be investigated. In other words, it should be analysed whether the marketplace should maintain the freedom to use ambitious evaluation guidelines in addition to common standards. Making the certification landscape convenient for all players in the market on such a basis would require transparency and the development of databases which allow comparisons between the different certificates based on appropriate criteria. Offering security certification bodies a European database in which to provide information on the characteristics of their certificates might help these market players to identify potential for collaboration with other institutes and for mutual recognition. Despite the advantages of competing on quality and differentiation, this option bears challenges, too. A provider whose certificate is too unique, with specific requirements in addition to common standards, may face difficulties in finding collaboration partners. This means that its customers need additional certificates abroad. To avoid the extra effort, they might decide to choose another certification service provider whose certificates are also valid in other Member States.
Alternatively, a database that offers information on certificates related to different quality levels can provide an opportunity to accept the certificates with the highest level of quality in a relevant area in all Member States.330 Besides the advantages of a European certification database for the specific security areas, there are potential obstacles, too. Certification bodies might resist the introduction of an instrument which makes them comparable. Therefore, the potential success of such an offer needs to be analyzed in more detail. In addition, there are security issues which are shaped by different national preferences in Member States. EN 50131, which includes specific national amendments, provides an example of this. It shows that there are areas which should not be covered by general harmonized solutions but by complementary certification. The number of these areas is to be kept as small as possible.

The previous chapters also offered interesting examples of European collaboration in security certification. They include the agreement of the Senior Officials Group Information System Security (SOG-IS) and the European Fire and Security Group (EFSG). Like the international CC Recognition Arrangement, SOG-IS provides mutual recognition for certificates on information systems security. Nevertheless, many needs for further action remain. Quality is a key issue in the certification context. EFSG builds on European standards, and its members compare their test results regularly by round robin tests. The group is also active in standardisation, although its attractive offer to obtain multiple quality marks with minimal duplication and cost is not usable in all European countries yet. In general, mutual recognition is often practiced by large, industrialized Member States with a large security market and industry. EFSG’s members include partners from France, Germany, Great Britain, Italy and Sweden. Authorizing countries of CC certificates include France, Germany, Great Britain, Italy, Netherlands, Norway, Spain and Sweden, while consuming countries include Austria, Greece, Czech Republic, Denmark, Finland and Hungary.

Efforts to date have been unsuccessful in removing barriers to greater harmonization. A major obstacle for the expansion of EFSG is, among others, the perceived quality of other national certificates in the relevant fields, which again highlights the quality issue. The market segments in which EFSG is active are dominated neither by certificates that certify “good” quality nor by exceptional certificates that certify “excellent” quality. Several market players perceive fundamental differences between two groups of certificates in this regard: a number of certificates whose content is comparable at a high level of quality, and “other European certificates”. Several European countries are perceived as providers of high quality products and solutions, and there are even companies which advertise with the slogan “made in country [X]”. Specific concerns exist that collaborations with providers of “other” certificates whose requirements are less advanced bear the risk of diluting the image of their own certificate. The high level of quality which is certified by their specific marks and the excellent image of their certificates have to be kept. Therefore, measures to analyse and improve the quality infrastructure in the relevant other Member States (mostly new Member States), as well as improvements to the image of the relevant certificates, are needed. Obstacles regarding mutual recognition are also caused by organizational barriers. Smaller Member States with a small number of security companies may lack advanced infrastructures to offer these companies attractive certificates.

330 Example from another field: certificates that certify security up to EAL level 7 for IT products might also be accepted when only EAL 6 is required.

D2.1: Report on security standards and certification in Europe CRISP project

Page 145 of 170
In addition, the smallness of a national security industry hinders the recognition of a certificate by foreign certification bodies and is also a barrier to building trust. Countries with few organizations responsible for certification also have problems becoming partners in multinational negotiation processes. In summary, several countries face the problem of a small security industry, the absence of well-known national quality seals and the lack of foreign trust in these seals needed to enter into multinational negotiations. A solution might be a collaborative arrangement of countries with unknown seals/quality marks for security products and the creation of a new additional seal “quality in new Member States” based on European standards and managed by a specific institution, allowing entry into collaborations with organizations such as EFSG. This option needs further analysis in areas including potential cost and financial resources. In addition, the opinions of security providers that should apply for such certificates, as well as of countries and institutes that should accept these certificates, need to be analysed. This goes beyond the focus of the CRISP project, but further steps will be investigated in CRISP’s Work Package 6.

Other fields of interest include CBRNE products and aviation screening equipment. One approach to meeting specific needs in the aviation field may consist of two elements: 1) pre-tests to obtain a CBRNE label for a device, which can be harmonized; and 2) scenario tests which are carried out by the national security authorities, governmental institutions or together with semi-public organizations.


Additional suggestions and recommended steps include:

- An investigation of options to offer common certification solutions for innovative products and services;
- An investigation of areas where no standards exist;
- The development of concepts to overcome these gaps (both together with the relevant stakeholders);
- A deeper investigation of the certification landscape in new Member States;
- An in-depth investigation of the different levels of quality certified by the different European certification seals; and
- Providing an overview of all these seals for all interested parties in Europe.

Finally, this report included several general observations. Independently of specific issues regarding certification, a need for several new security-related standards was highlighted; their development is hindered by a lack of resources. Chapter 3 described that the EU offers funding opportunities for standardisation activities. The need for such measures is to be analyzed in more detail together with the relevant stakeholders and the European Commission. The establishment of EFSG was a successful step towards harmonization. Instruments used by the group include, for example, round robin exercises. To facilitate harmonization in other security fields, too, it is recommended to use this instrument in the same way. As mentioned before, EFSG is an example of good practice in many areas. Nevertheless, it has not yet reached its full potential. A number of issues remain and require solutions. The findings of this deliverable include many additional useful observations for further work packages of CRISP, in which specific strategic concepts for the European security certification landscape will be developed. ITSEC’s specific levels of trust and effectiveness, for example, offer interesting input for CRISP’s Work Package 4, in which the core certification dimensions security, trust, efficiency and freedom infringements will be analyzed. In addition, CEN/TC 224 gives an example of how aspects of trust can be included in European standards.


REFERENCES 3GPP, no date. http://www.3gpp.org/ 3GPP, “CT WG6”, no date. http://www.3gpp.org/specifications-groups/ct/wg6 Akerlof, George A., The Market for “Lemons”: Quality Uncertainty and the Market

Mechanism, The Quarterly Journal of Economics, Vol. 84, No. 3, 1970, pp. 488-500. http://links.jstor.org/sici?sici=0033-5533%28197008%2984%3A3%3C488%3ATMF%22QU%3E2.0.CO%3B2-6 Aris, Martin, EFSG Quality Marking for European and Worldwide Markets, 2012 Presenta-tion Arthur, William Brian, Competing Technologies, Increasing Returns, and Lock-In by Historical Events, The Economic Journal, Vol. 99, No. 394, pp.116-131, March 1989. http://www.jstor.org/stable/2234208 Austrian Standards, 2014. https://www.austrian-standards.at/home/ Basin, David, Cas Cremers, Kunihiko Miyazaki, Sasa Radomirovic, and Dai Watanabe, Im-proving the Security of Cryptographic Protocol Standards, 2013. http://www.cs.ox.ac.uk/people/cas.cremers/downloads/papers/BCMRW2013-standards-draft.pdf Baumol, William J., Elizabeth E. Bailey, John C. Panzar, Robert D. Willing, Edward Zajac, Baumol, Panzar, and Willig’s Theory of Contestable Markets and Industry Structure: A Summary of Reactions. Harcourt Brace Jovanovich, 1982. http://mpra.ub.uni muenchen.de/41974/1/MPRA_paper_41974.pdf Blind, Knut, The Economics of Standards: Theory, Evidence, Policy. Cheltenham, 2004. Blind, Knut, Standardisation and Standards in Security Research and Emerging Security Markets. Fraunhofer Symposium ‘Future Security’, 3rd Security Research Conference Karls-ruhe, 10th - 11th September 2008. Blind, Knut, Deutschlands Standardisierungsstrategien hin zum Leitmarkt "Sicherheit": Po-tenziale und Herausforderungen, in: Rolf Stober (ed.), Jahrbuch des Sicherheitsgewerbe-rechts, Hamburg, Verlag Dr. Kovac (Schriften aus der Forschungsstelle Sicherheitsgewerbe 5), 2008, pp. 183-212. Blind, Knut, Standardisation: a catalyst for innovation, Inaugural Address Series. Research in Management, Erasmus Universiteit, 2009. 
http://repub.eur.nl/res/pub/17558/EIA-2009-039-LIS.pdf Blind, Knut and Axel Mangelsdorf, The Trade Impact of ISO 9000 Certifications and Inter-national Cooperation in Accreditation, 2012, Proceedings of the 17th EURAS Annual Stand-ardisation Conference - Standards and Innovation-, pp. 21-34.

Page 148: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 148 of 170

Blind, Knut and Andre Jungmittag, Trade and the Impact of Innovations and Standards: The Case of Germany and the UK, Applied Economics, Vol. 37, Issue 12, 2005. pp. 1385–98. BMWFJ, "Akkreditierung. Studie zur wirtschaftlichen Bedeutung der Akkreditierung für die österreichische Wirtschaft, no date. https://www.bmwfw.gv.at/TechnikUndVermessung/Akkreditierung/Documents/Endbericht%20KMU-Akkreditierungsstudie.pdf Bundesamt für Sicherheit in der Informationstechnik, „Internationale Anerkennung von IT-Sicherheitszertifikaten“, no date. https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/InternatAnerkennung/interanerkennung.html Bundesamt für Sicherheit in der Informationstechnik, „IT-Sicherheitskriterien und Evaluie-rung nach ITSEC“, no date. https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/ITSicherheitskriterien/ITSEC/itsec_eval.html CEN, European Committee for Standardisation, 28 August 2014. http://www.cen.eu/Pages/default.aspx CEN, CEN/CLC/TC 4 - Project Committee - Services for fire safety and security systems, 2014. http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:812864&cs=1BDD0E27597AB260500F3549DAA66C8E6 CEN, CEN/TC 325 – Crime prevention through building, facility and area design, CEN/TC 325 Scope, 2014. http://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:6306&cs=133518429ECB0D4DDB06C8583A7A5CD0D CEN/CENELEC, “European Standardisation”, no date.

http://www.cencenelec.eu/standards/Pages/default.aspx CEN/CENELEC, “What is a European Standard (EN)?”, no date. http://www.cencenelec.eu/standards/DefEN CEN/CENELEC, “ISO and IEC”, no date. http://www.cencenelec.eu/intcoop/StandardizationOrg/Pages/default.aspx CEN‐CENELEC STAIR, The Operationalisation of the Integrated Approach’, Submission of

STAIR to the Consultation of the Green Paper “From Challenges to Opportunities: Towards

a Common Strategic Framework for EU Research and Innovation funding, 2011. http://ec.europa.eu/research/horizon2020/pdf/contributions/post/european_organisations/ -cen-elec_stair_joint_strategic_working_group.pdf. CEN/CENELEC/ETSI, Recommendations for a Strategy on European Cyber Security Stand-ardisation, Cyber Security Coordination Group (CSCG) White Paper No. 01, 21 March 2014. http://www.cscg.focusict.de/sixcms_upload/media/3829/CSCG%20White%20paper.171536.pdf

Page 149: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 149 of 170

CENELEC, CLC/TC79 “Alarm Systems, EU Directives”, no date. http://www.cenelec.eu/dyn/www/f?p=104:22:410182068472201::::FSP_ORG_ID,FSP_LANG_ID:1257171,25#4 CENELEC, CLC/TC79 “Alarm Systems, Scope”, no date. http://www.cenelec.eu/dyn/www/f?p=104:7:209325682901601::::FSP_LANG_ID,FSP_ORG_ID:25,1257171#1 CENELEC, IEC - CENELEC Agreement on Common planning of new work and parallel voting, Guide n° 13, no date. http://www.iec.ch/about/globalreach/partners/regional/iec_cenelec_agreement.htm CertAlarm, 100th CertAlarm certificate published, 2013, http://www.certalarm.org/ca/content/100th-certalarm-certificate-published COM, 691 A European security Research and Innovation Agenda – Commission’s initial

position on ESRIF’s key findings and recommendations, 2009. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0691:FIN:EN:PDF Common Criteria, “The Common Criteria: Common Criteria”, no date. http://www.commoncriteriaportal.org/ Council of the European Union, Conclusions on standardisation and innovation, Brussels, 25 September 2008, [point 24, p. 4]. Council of the European Union, Resolution of 28 October 1999 on the role of European standardisation in the Europe, OJ C 141, 19.05.2000. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2000:141:0001:0004:en:pdf Council of Ministers, Resolution of 7 May 1985 on a New Approach to technical harmoniza-tion and standards, OJ C 136, 04/06/1985 Council of Ministers, Resolution of 28 October 1999 on the role of standardisation in Eu-rope, OJ C 141/1, 19.05.2000, [point 5] Court of Justice of the European Union, Judgement in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, Press Release No 54/14, Luxembourg, 8 April 2014. http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf. DG ENTR, Roadmap Establish an EU harmonised certification system for airport screening equipment, 2013. http://ec.europa.eu/smart-regulation/impact/planned_ia/docs/2014_entr_004_harmonized_ certification_airport_screening_equipment_en.pdf. DIN, Entstehung einer nationalen Norm, no date. http://www.din.de/cmd?level=tpl-artikel&languageid=de&cmstextid=54278

Page 150: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 150 of 170

DIN, Koordinierungsstelle Sicherheitschaft im DIN, “Workshop Zertifizierung 2011”, no

date. http://www.sicherheitswirtschaft.din.de/cmd?cmsrubid=134411&level=tpl-rubrik&languageid=de Donges, Juergen B., Klaus-Werner Schatz, Staatliche Interventionen in der Bundesrepublik Deutschland: Umfang, Struktur, Wirkungen. Leibniz: Kieler Diskussionsbeiträge, No. 119/120, 1986. http://hdl.handle.net/10419/48101 EA [European co-operation for Accreditation], Accreditation in Europe. Facilitating regulato-ry compliance and international trade. 2013. http://www.european-accreditation.org/brochure/ea-accreditation-in-europe. EA, “EA’s mission”, 2014a. http://www.european-accreditation.org/mission EA, “The MLA”, 2014b. http://www.european-accreditation.org/the-mla. ECAC, “Member States”, no date. https://www.ecac-ceac.org//about_ecac/ecac_member_states ECAC, “Common Evaluation Process for Security Equipment”, 20 March 2014. https://www.ecac-ceac.org//activities/security/cip_for_security_equipment ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report-Vol.I., 2011a. http://ec.europa.eu/enterprise/policies/security/files/doc/secerca_final_report_volume__1_main_report_en.pdf. ECORYS, Security Regulation, Conformity Assessment & Certification, Final Report-Volume I:Main Report, Brussels, October 2011. ec.europa.eu/enterprise/policies/security/files/doc/secerca_final_report_volume__1_main_report_en.pdf ECORYS, Study on the Competitiveness of the EU security industry; Within the Framework Contract for Sectoral Competitiveness Studies – ENTR/06/054, Final Report, Brussels, 15 November 2009. http://ec.europa.eu/enterprise/newsroom/cf/itemshortdetail.cfm?item_id=3931 ECORYS, Study on pre-commercial procurement in the field of Security Within the Frame-work Contract of Security Studies – ENTR/09/050 Final report. Report for the European Commission, DG Enterprise and Industry 2011, 2011b. 
http://ec.europa.eu/enterprise/policies/security/files/doc/pcp_sec_finalreport_en.pdf EFSG, EFSG Agreement on the Components of Intruder Alarm Systems, 24 November 2013. http://www.efsg.org/images/pdf/IAS%20EFSG_Agreement_Nov%202013.pdf EFSG, “Product Certification”, no date. http://www.efsg.org/product-certification Ensthaler, Jürgen, Kai Strübbe and Leonie Bock, Zertifizierung und Akkreditierung techni-scher Produkte, Ein Handlungsleitfaden für Unternehmen, Berlin, 2007

Page 151: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 151 of 170

ERNCIP, ERNCIP background information, 2014. http://ipsc.jrc.ec.europa.eu/fileadmin/repository/sta/cinet/docs/erncip/downloads/ERNCIP_standard_presentation.pdf Ernst, Dieter, America's voluntary standards system: a "best practice" for innovation policy? Honolulu: East-West Center, 2012. http://www.eastwestcenter.org/publications/americas-voluntary-standards-system-best-practice-model-asian-innovation-policies European Security Research & Innovation Forum, ESRIF Final Report, Final Report, De-cember 2009. http://ec.europa.eu/enterprise/policies/security/files/esrif_final_report_en.pdf EURALARM, “Section Members Meeting Services”, no date. https://www.euralarm.org/organisation/section-committee-service/ European Committee for Electrotechnical Standardisation, 2014. http://www.cenelec.eu/index.html European Committee for Standardisation, “Technical Board” 28 August 2014. http://boss.cen.eu/TechnicalStructures/Pages/BT.aspx European Committee for Standardisation, “Project Committee”, 28 August 2014, http://boss.cen.eu/TechnicalStructures/Pages/ProjCmte.aspx European Committee for Standardisation, “CEN/TC 379 - Project Committee - Supply Chain Security”, 2014. http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:37479&cs=1B8FBECE122B062F971553C5921A9E113 European Commission, The EN 45000 Series of Standards and the Conformity Assessment. Procedures of the Global Approach, Working Document, CERTIF 97/5 EN, Brussels, 15 September 1997. http://ec.europa.eu/enterprise/policies/single-market-goods/files/mra/certif_97_5_en.pdf European Commission, Efficiency and Accountability in European Standardisation under the New Approach, Report from the Commission to the Council and the European Parliament, COM (1998) 291 final, Brussels, 13.05.1998, p. 2 European Commission, Enterprise and Industry, “Standardisation, Mandates”, no date a. 
http://ec.europa.eu/enterprise/standards_policy/mandates/database/index.cfm?fuseaction=search.detail&id=364# European Commission, European Policy Principles on International Standardisation, Staff Working Paper, SEC(2001) 1296, Brussels, 26.07.2001, p. 4. European Commission, European Free Trade Association, CEN, CENELEC, ETSI, General Guidelines for the co-operation between CEN, CENELEC and ETSI and the European Commission and the European Free Trade Association, 28.03.2003.

Page 152: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 152 of 170

European Commission, European Standardisation in support of European Policies, Standardi-sation Setting and Governance, Vademecum on European Standardisation, Part II, Chapter 1, Brussels, 15 November 2003, p. 2. European Commission, Standardisation and the Directive 98/34/EC Historical background, Vademecum on European Standardisation, Part I, General Framework, Chapter 1.1, 15 No-vember 2003, p. 2. European Commission, Critical Infrastructure Protection in the fight against terrorism (COM/2004/0702), 2004, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2004:0702:FIN:EN:PDF. European Commission, on the Role of European standardisation in the framework of Europe-an policies and legislation, Communication from the Commission to the European Parliament and the Council, COM (2004) 674 final, Brussels, 18.10.2004. European Commission, Report of the Group of Personalities in the field of Security Research, Research for a Secure Europe, European Communities, Luxembourg, 2004. http://ec.europa.eu/enterprise/policies/security/files/doc/gop_en.pdf. European Commission, The challenges for European standardisation, Staff Working Docu-ment, 18 October 2004, p. 5. European Commission, A lead market initiative for Europe, Communication from the Com-mission to the Council, the European Parliament, the European Economic and Social Com-mittee and the Committee of the Regions, COM (2007) 860 final, Brussels, 21.12.2007. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0860:fin:en:pdf European Commission, Mandate M/419 Standardisation Mandate Addressed to CEN for the development of a Series of Standards on Supply Chain Security, 23.11.2007. http://ec.europa.eu/enterprise/standards_policy/mandates/database/index.cfm?fuseaction=search.detail&id=391# European Commission, Mandate M/487 to Establish Security Standards. Final Report Phase 1. Analysis of the Current Security Landscape, 09. May 2012. 
European Commission, Decision European Commission No 768/2008/European Commission of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC, Brussels, 13.08.2008. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008D0768&from=EN European Commission, Towards an increased contribution from standardisation to innovation in Europe,Communication from the Commission to the Council, the European Parliament and the European Economic and Social Committee, COM (2008) 133 final, Brussels, 11.03.2008. European Commission, A European security Research and Innovation Agenda – Commis-sion’s initial position on ESRIF’s key findings and recommendations, Communication from the Commission, COM (2009) 691 final, Brussels, 21.12.2009. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0691:FIN:EN:PDF

Page 153: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 153 of 170

European Commission, Communication from the Commission to the European Parliament and the Council of 24 June 2009 on Strengthening Chemical, Biological, Radiological and Nuclear Security in the European Union – an EU CBRN Action Plan, June 2009, http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/jl0030_en.htm European Commission, European standardisation in support of European policies - Role and preparation of mandates - Vademecum on European Standardisation, Part II, Chapter 4.1, 15 October 2009, p. 3 European Commission, Standardisation mandate to the European standardisation organisa-tions CEN, CENELEC and ETSI in the field of information and communication technologies applied to electronic signatures, European Commission (2009) M/460 EN, Brussels, 22.12.2009. http://www.etsi.org/images/files/ECMandates/m460.pdf European Commission, Delivering an area of freedom, security and justice for Europe’s citi-zens. Action Plan Implementing the Stockholm Programme, Communication from the Com-mission to the European Parliament, the Council, the European Economic and Social Com-mittee and the Committee of the Regions, COM 2010 (171) final, Brussels, 29.04.2010. European Commission, The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, Communication from the Commission to the European Parliament and the Council, COM (2010) 673 final, Brussels, 02.11.2010. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0673:fin:en:pdf European Commission, A strategic vision for European standards: Moving forward to en-hance and accelerate the sustainable growth of the European economy by 2020, Communica-tion from the Commission to the European Parliament, the Council and the European Eco-nomic and Social Committee, COM (2011)311 final, Brussels, 1.6.2011. 
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0311:FIN:EN:PDF European Commission, Programming Mandate Addressed to CEN, CENELEC and ETSI to Establish Security Standards, European Commission (2011) M/487 EN, Brussels, 17.2.2011. http://www.etsi.org/images/files/ECMandates/m487.pdf European Commission, DG Enterprise and Industry, Security Research and Development, Mandate M/487 to Establish Security Standards, Final Report Phase 1 Analysis of the Cur-rent Security Landscape, 2012. http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:30474&cs=1DC596AC378112DEAA73B0BD03D2B377B and http://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT:34082&cs=1AA89C0488D68938C415AF7F162C579F4 European Commission, Commission Staff Working Paper Security Industrial Policy Accom-panying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.07.2012.

Page 154: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 154 of 170

European Commission, Action Plan for an innovative and competitive Security Industry {SWD(2012)233 final}, Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee, COM(2012) 417 final, Brus-sels, 26.07.2012. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012DC0417&from=EN European Commission, A New Deal for European Defence Implementation Roadmap for Communication COM (2013) 542; Towards a more competitive and efficient defence and security sector, July 2013. http://ec.europa.eu/enterprise/sectors/defence/files/communication_defence_en.pdf European Commission, European Qualifications Framework for lifelong learning, no date b. http://ec.europa.eu/eqf/home_en.htm European Commission, M/460 standardisation mandate to the European standardisation or-ganisations CEN, CENELEC and ETSI in the field of information and communication tech-nologies applied to electronic signatures. http://ec.europa.eu/enterprise/standards_policy/mandates/database/index.cfm?fuseaction=search.detail&id=442# European Commission, Mandate M/487 to Establish Security Standards. Final Report Phase 1. Analysis of the Current Security Landscape, 09.05. 2012. European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 2012. http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf European Commission, Regulatory & certification issues, 05.02.2013. http://ec.europa.eu/enterprise/policies/security/industrial-policy/issues/index_en.htm European Council, Council Decision 87/95/EECof 22 December 1986 on the Standardisation in the field of information technology and telecommunications, OJ L 36, 07.02.1987. European Council, Council Resolution of 18 June 1992 on the role of European standardisa-tion in the European economy, OJ C 173, 09.07.1992. 
European Council, Council Resolution of 28 October 1999 on the role of European standardi-sation in the Europe, OJ C 141, 19.05.2000. European Parliament and the Council, Decision 1673/2006/ECof 24.10.2006, on the financ-ing of European standardisation, OJ L 315/9, 15.11.2006. European Parliament and the Council, ‘Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures’,

13 December 1999, 1999. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31999L0093&from=EN

Page 155: Deliverable D 2.1: Report on security standards and ......BSI (GB) British Standards Institution CAC Conformity Assessments and Certifications CBRN Chemical, Biological, Radiological

D2.1: Report on security standards and certification in Europe CRISP project

Page 155 of 170

European Parliament and the Council, Directive 98/34/European Commission of the Europe-an Parliament and of the Council of 22 June 1998 (“laying down a procedure for the provi-sion of information in the field of technical standards and regulations and of rules on Infor-mation Society services”), 1998. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG: 1998L0034:20070101:EN:PDF European Parliament and the Council, Directive 98/34/European Commission of 22.06.1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services, OJ L 204, 21.07.1998. European Parliament and the Council, Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connec-tion with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L-105, 13.4.2006. European Parliament and the Council, Directive 2006/123/EC of the European Parliament and the Council of 12 December 2006 on services in the internal market, 2006. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0123&qid=1403700059918&from=DE European Parliament and the Council, Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council, OJ L 316/12, 14.11.2012. European Telecommunications Standards Institute, 2014. http://www.etsi.org/ European Telecommunications Standards Institute, “3GPP”, 2014. 
http://www.etsi.org/about/our-global-role/3gpp?highlight=YToxOntpOjA7czo0OiIzZ3BwIjt9 European Telecommunications Standards Institute, “Different types of ETSI standards”, 2014. http://www.etsi.org/standards/different-types-of-etsi-standards European Telecommunications Standards Institute, “ETSI Harmonized Standards for Radio & Telecommunications Terminal Equipment Directive 1999/5/EC”, 2014. http://www.etsi.org/standards/list-of-harmonized-standards European Telecomunnications Standards Institute, ETSI GS QKD 002, Quantum Key Distri-bution; Use Cases, V1.1.1, June 2010. http://www.etsi.org/deliver/etsi_gs/qkd/001_099/002/01.01.01_60/gs_qkd002v010101p.pdf European Telecommunications Standards Institute, ETSI GS QKD 003, Quantum Key Distri-bution (QKD); Components and Internal Interfaces, V1.1.1, December 2010. http://www.etsi.org/deliver/etsi_gs/QKD/001_099/003/01.01.01_60/gs_QKD003v010101p.pdf

European Telecommunications Standards Institute, ETSI GS QKD 005, Quantum Key Distribution (QKD); Security Proofs, V1.1.1, December 2010. http://www.etsi.org/deliver/etsi_gs/QKD/0K01_099/005/01.01.01_60/gs_QKD005v010101p.pdf

European Telecommunications Standards Institute, ETSI GS QKD 008, Quantum Key Distribution (QKD); QKD Module Security Specification, V1.1.1, December 2010. http://www.etsi.org/deliver/etsi_gs/QKD/001_099/008/01.01.01_60/gs_QKD008v010101p.pdf

European Telecommunications Standards Institute, ETSI TS 101 331, Lawful Interception (LI); Requirements of Law Enforcement Agencies, 2001. http://www.etsi.org/deliver/etsi_ts/101300_101399/101331/01.01.01_60/ts_101331v010101p.pdf

European Telecommunications Standards Institute, ETSI TS 102 900, Emergency Communications (EMTEL); European Public Warning System (EU-ALERT) using the Cell Broadcast Service, 2010. http://www.etsi.org/deliver/etsi_ts/102900_102999/102900/01.01.01_60/ts_102900v010101p.pdf

European Telecommunications Standards Institute, “Lawful interception”, 2014. http://www.etsi.org/technologies-clusters/technologies/security/lawful-interception

European Telecommunications Standards Institute, “Public Safety”, 2014. http://www.etsi.org/technologies-clusters/clusters/public-safety

European Telecommunications Standards Institute, “Public Safety, Our roles and activities”, no date. http://www.etsi.org/technologies-clusters/technologies/safety/public-safety?highlight=YToxOntpOjA7czo2OiJzYWZldHkiO30=

European Telecommunications Standards Institute, “Quantum Key Distribution”, 2014. http://www.etsi.org/index.php/technologies-clusters/technologies/quantum-key-distribution

European Telecommunications Standards Institute, Quantum Key Distribution Leaflet, no date. http://www.etsi.org/images/files/ETSITechnologyLeaflets/QuantumKeyDistribution.pdf

European Telecommunications Standards Institute, “Security”, 2014. http://www.etsi.org/technologies-clusters/clusters/security

EXPRESS [Expert Panel for the Review of the European Standardisation System], Standardisation for a competitive and innovative Europe: a vision for 2020, Report delivered to the European Commission in February 2010. http://ec.europa.eu/enterprise/policies/european-standards/files/express/exp_384_express_report_final_distrib_en.pdf

Fliess, Barbara and Raymond Schonfeld, Trends in Conformity Assessment Practices and Barriers to Trade: Final Report on Survey of CABs and Exporters, Trade Directorate, 2006. http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?doclanguage=en&cote=td/tc/wp%282006%296/final

Fraunhofer FOKUS, “Common Criteria Certification Lab. Evaluation Monitoring for CC Certification Procedures”, no date. http://www.fokus.fraunhofer.de/de/fokus_testbeds/common_criteria_certification_lab/index.html

Frenz, Marion and Ray Lambert, The Economics of Accreditation. London: Birkbeck, University of London, March 2013. http://www.ukas.com/Library/Media-Centre/News/News-Archive/2013/Economics%20of%20Accreditation%20Final%20Report.pdf

Fritz, Florian, Reinhard Kreissl, Roger von Laufenberg, Paul de Hert, Alessia Tanas, Rosamunde van Brakel and Simone Wurster, Glossary of Security Products and Systems, D1.1, CRISP project, 31 July 2014.

Forest Stewardship Council, “FSC Certification”, no date. https://ic.fsc.org/certification.4.htm

GAO, Information Assurance: National Partnership Offers Benefits, but Faces Considerable Challenges. Report GAO-06-392. United States Government Accountability Office, 2006. http://www.gao.gov/new.items/d06392.pdf

Guasch, J. Luis, Jean-Louis Racine, Isabel Sánchez and Makhtar Diop, “Quality Systems and Standards for a Competitive Edge”, The World Bank, Washington, DC, 2007.

Hatto, Peter, Standards and Standardization Handbook, European Commission, Brussels, 2010. http://www.iec.ch/about/globalreach/academia/pdf/academia_governments/handbook-standardisation_en.pdf

International Electrotechnical Commission, 2014. http://www.iec.ch/index.htm

International Electrotechnical Commission, “IEC/SC45A Instrumentation and control (and electrical) systems for nuclear facilities”, no date. http://www.iec.ch/dyn/www/f?p=103:7:0::::FSP_ORG_ID,FSP_LANG_ID:1358,25

International Electrotechnical Commission, “TC 79 Alarm and electronic security systems”, 2014. http://www.iec.ch/dyn/www/f?p=103:22:0::::FSP_ORG_ID:1269

International Organisation for Standardisation, no date. http://www.iso.org/iso/home.htm

International Telecommunication Union, no date. http://www.itu.int

International Telecommunication Union, 2014. http://www.itu.int/en/Pages/default.aspx

International Telecommunication Union, “ICT Security Standard "ITU-T X.509 | ISO/IEC 9594-8" details”, 2010. http://www.itu.int/itu-t/security/task_details.aspx?isn=3188&isnView=1&from=b1_2!b2_15!b3_-1!t1_-1!k_X.509

International Telecommunication Union, “ITU-T Study Groups (Study Period 2013 - 2016)”, 2014. http://www.itu.int/en/ITU-T/studygroups/2013-2016/Pages/default.aspx

International Telecommunication Union, “Part 2: Approved ICT Security Standards”, 2014. http://www.itu.int/en/ITU-T/studygroups/2013-2016/17/ict/Pages/ict-part02.aspx

International Telecommunication Union, “Part 3: Security standards under development”, 2014. http://www.itu.int/en/ITU-T/studygroups/2013-2016/17/ict/Pages/ict-part03.aspx

IEC, IEC 60839-5, Alarm systems - Part 5: Requirements for alarm transmission systems, 1991.

IEC, IEC 60839-10-1:1995, Alarm systems - Part 10: Alarm systems for road vehicles - Section 1: Passenger cars, 1995.

IEC, IEC 60839-11-1:2013, Alarm and electronic security systems - Part 11-1: Electronic access control systems - System and components requirements, 2013.

IEC, IEC 62642:2010-2011, Alarm systems - Intrusion and hold-up systems, Part 1 – Part 8, 2011.

IEC, IEC 62676:2013, Video surveillance systems for use in security applications – Part 1 – Part 4, 2013.

ISO, ISO 9000 - Quality management, no date. http://www.iso.org/iso/home/standards/management-standards/iso_9000.htm

ISO, ISO 9001:2008 Quality management systems, 15 November 2008.

ISO, ISO 14001:2004 Environmental management systems – Requirements with guidance for use, 15 November 2004.

ISO, ISO 28000:2007 Specification for security management systems for the supply chain, 2007.

ISO, ISO 31000:2009 Risk Management – Principles and guidelines, 15 November 2009.

ISO, ISO/IEC JTC 1 Information technology, no date. http://www.iso.org/iso/iso_technical_committee?commid=45020

ISO, CEN, Agreement on technical co-operation between ISO and CEN (Vienna Agreement), no date, p. 1. http://isotc.iso.org/livelink/livelink/fetch/2000/2122/4230450/4230458/Agreement_on_Technical_Cooperation_between_ISO_and_CEN_%28Vienna_Agreement%29.pdf?nodeid=4230688&vernum=-2

ISO/IEC, ISO/IEC 17011 Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies. Switzerland, 15.02.2005.

ISO/IEC, ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, 15 May 2005.

ISO/IEC, ISO/IEC 17065:2012 Conformity assessment – Requirements for bodies certifying products, processes and services, 15 September 2012.

ISO/IEC, ISO/IEC 15408-1:2010 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model, 15 December 2009.

ISO/IEC, ISO/IEC 18045:2008 Information technology – Security techniques – Methodology for IT security evaluation, 15 August 2008.

ISO/IEC, ISO/IEC 19784-1:2006 Information technology – Biometric application programming interface – Part 1: BioAPI specification, 2006.

ISO/IEC, ISO/IEC 19784-2:2007 Information technology – Biometric application programming interface – Part 2: Biometric archive function provider interface, 2007.

ISO/IEC, ISO/IEC 19784-4:2011 Information technology – Biometric application programming interface – Part 4: Biometric sensor function provider interface, 2011.

ISO/IEC, ISO/IEC 19794-2:2011 Information technology – Biometric data interchange formats – Part 2: Finger minutiae data, 2011.

ISO/IEC, ISO/IEC 19794-3:2006 Information technology – Biometric data interchange formats – Part 3: Finger pattern spectral data, 2006.

ISO/IEC, ISO/IEC 19794-4:2011 Information technology – Biometric data interchange formats – Part 4: Finger image data, 2011.

ISO/IEC, ISO/IEC 19794-5:2011 Information technology – Biometric data interchange formats – Part 5: Face image data, 2011.

ISO/IEC, ISO/IEC 19794-6:2011 Information technology – Biometric data interchange formats – Part 6: Iris image data, 2011.

ISO/IEC, ISO/IEC 19794-7:2014 Information technology – Biometric data interchange formats – Part 7: Signature/sign time series data, 2014.

ISO/IEC, ISO/IEC 19794-8:2011 Information technology – Biometric data interchange formats – Part 8: Finger pattern skeletal data, 2011.

ISO/IEC, ISO/IEC 19794-9:2011 Information technology – Biometric data interchange formats – Part 9: Vascular image data, 2011.

ISO/IEC, ISO/IEC 19794-10:2007 Information technology – Biometric data interchange formats – Part 10: Hand geometry silhouette data, 2007.

ISO/IEC, ISO/IEC 19794-11:2013 Information technology – Biometric data interchange formats – Part 11: Signature/sign processed dynamic data, 2013.

ISO/IEC, ISO/IEC 19794-14:2013 Information technology – Biometric data interchange formats – Part 14: DNA data, 2013.

ISO/IEC, ISO/IEC 24713-1:2008 Information technology – Biometric profiles for interoperability and data interchange – Part 1: Overview of biometric systems and biometric profiles, 2008.

ISO/IEC, ISO/IEC 24713-2:2008 Information technology – Biometric profiles for interoperability and data interchange – Part 2: Physical access control for employees at airports, 2008.

ISO/IEC, ISO/IEC 24713-3:2009 Information technology – Biometric profiles for interoperability and data interchange – Part 3: Biometrics-based verification and identification of seafarers, 2009.

ISO/IEC, ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements, 2013.

ITU, ITU-T X.509, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks.

ITU, ITU-T X.1082, Telebiometrics related to human physiology, 11.2007; amended in 10.2009 and in 05.2010a.

ITU, ITU-T X.1082, The telebiometric multimodal model – A framework for the specification of security and safety aspects of telebiometrics, 10.2011.

ITU, ITU-T X.1084, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system, 05.2010b.

ITU, ITU-T X.1088, Telebiometrics system mechanism - General biometric authentication protocol and profile on telecommunication system, 05.2008a.

ITU, ITU-T X.1089, Telebiometrics authentication infrastructure, 05.2008b.

ITU, ITU-T X.1171, Threats and requirements for protection of personally identifiable information in applications using tag-based identification, 02.2009.

ITU, ITU-T X.1208, A cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies, 2014.

ITU, ITU-T X.1303, Common alerting protocol (CAP 1.1), 09.2007.

ITU, ITU-T X.1313, Security requirements for wireless sensor network routing, 10.2012.

ITU, ITU-T X.1500, Cybersecurity information exchange techniques, 04.2011; amended in 03.2012, 09.2012, 04.2013, 09.2013 and 01.2014.

ITU, ITU-T X.1520, Common vulnerabilities and exposures, 01.2014.

ITU, ITU-T X.1580, Real-time inter-network defence, 09.2012.

Jahn, Gabriele, Matthias Schramm and Achim Spiller, Zur Glaubwürdigkeit von Zertifizierungssystemen: Eine ökonomische Analyse der Kontrollvalidität. Göttingen: Institut für Agrarökonomie, Georg-August-Universität, 2003. http://www.uni-goettingen.de/de/sh/download/69d421644c49352d9b303174aedd84ca.pdf/Diskussionsbeitrag0304.pdf

Matsuo, Shin’ichiro, Kunihiko Miyazaki, Akira Otsuka and David Basin, “How to Evaluate the Security of Real-life Cryptographic Protocols? The cases of ISO/IEC 29128 and CRYPTREC”, Proceedings of the 14th International Conference on Financial Cryptography and Data Security, Springer-Verlag, Berlin, Heidelberg, 2010, pp. 182-194. http://www.inf.ethz.ch/personal/basin/pubs/rlcps10.pdf

Mankiw, N. Gregory, Principles of Economics. Fort Worth, Texas: Dryden Press, 1998.

Myers, P., F. Strebl, A. Plecis, R. Olivier and P. Wästerby, The future of testing security related products, D5.1, CREATIF project, July 2011.

Official Journal of the European Communities, Commission Decision of 29 November 2001 amending its internal Rules of Procedure (notified under document number C(2001) 3031), Volume 44, 3.12.2001. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32001D0844

Official Journal of the European Union, Commission Regulation (EU) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security (1), Volume 53, 5.3.2010. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32010R0185

Official Journal of the European Communities, Council Decision of 19 March 2001 adopting the Council’s security regulations, Volume 44, Brussels, 11.4.2001. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32001D0264

Official Journal of the European Union, Regulations, Commission Regulation (EU) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security, Brussels, 5.3.2010. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010R0185&from=EN

ONVIF, “About Us”, 2014. http://www.onvif.org/About/Organization.aspx

Pastuszka, Hans-Martin, European Security Standardisation & Certification. Presentation at the 1st ERNCIP Conference, JRC, Ispra, Italy, 12 – 13 December 2012. http://ipsc.jrc.ec.europa.eu/fileadmin/repository/sta/cinet/docs/erncip/1sterncipconference/Opening-Hans-Martin_Pastuszka.pdf

prEN 50849:2014, Sound systems for emergency purposes.

Recital 18 of Regulation (EC) No 1025/2012 of 25 October 2012 on European standardisation, OJ L 316/12, 14.11.2012.

Recital 41 of Regulation (EC) No 1025/2012 of 25 October 2012 on European standardisation, OJ L 316/12, 14.11.2012.

Recital 42 of Regulation (EC) No 1025/2012 of 25 October 2012 on European standardisation, OJ L 316/12, 14.11.2012.

Report of the Group of Personalities in the field of Security Research, Research for a Secure Europe, European Communities, Rapporteur Burkard Schmitt, Luxembourg, 2004. http://ec.europa.eu/enterprise/policies/security/files/doc/gop_en.pdf

Rodrigues, Rowena, David Barnard-Wills, David Wright, Paul De Hert and Vagelis Papakonstantinou, EU privacy seals project. Inventory and analysis of privacy certification schemes. Final Report Study Deliverable 1.4, 2014. http://bookshop.europa.eu/en/eu-privacy-seals-project-pbLBNA26190/

Röhl, Hans Christian and Yvonne Schreiber, Konformitätsbewertung in Deutschland. Konstanz: Universität Konstanz, Fachbereich Rechtswissenschaft, 2006. http://nbn-resolving.de/urn:nbn:de:bsz:352-opus-19333

Secret Intelligence Service MI6, “What is Security Clearance?”, no date. https://www.sis.gov.uk/careers/working-for-us/security-vetting/what-is-security-clearance.html

Sveinsdottir, Thordis, Rachel Finn, Rowena Rodrigues, Kush Wadhwa, Florian Fritz, Reinhard Kreissl, Roger von Laufenberg, Paul de Hert, Alessia Tanas and Rosamunde van Brakel, Taxonomy of Security Products, Systems and Services, D1.2, CRISP project, 31 July 2014.

SOG-IS, “Introduction”, no date. http://www.sogisportal.eu

Stiglitz, Joseph E., The contributions of the economics of information to twentieth century economics. The Quarterly Journal of Economics, Vol. 115, No. 4, pp. 1441-1478. http://ricardo.ecn.wfu.edu/~cottrell/papers/stiglitz.pdf

Stocker, Ferry, Moderne Volkswirtschaftslehre. Oldenbourg: Oldenbourg Wissenschaftsverlag, 2009.

Teichler, Thomas, Florian Berger, Thomas Heimer, James Stroyan and Inga Schlüter, „Entwicklungsperspektiven der Konformitätsbewertung und Akkreditierung in Deutschland“, Studie im Auftrag des Bundesministeriums für Wirtschaft und Technologie, 2013.

Thoma, Klaus, Positionspapier des wissenschaftlichen Programmausschusses zum nationalen Sicherheitsforschungsprogramm, 2010. http://www.bmbf.de/pubRD/WPA_Positionspapier_2010.pdf

UK Government, “Government Security Classifications April 2014”, Cabinet Office, Version 1.0, 4.2014. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf

UK Government, “Guidance: Innovation Standardisation: Standardisation”, 16 January 2014 (updated). https://www.gov.uk/innovation-standardisation--4

VdS, International Certification Partners, 2011. http://vds.de/en/certifications/products/international-certification-partners/

Wenzel, Stephan, „DIN 14675 Zertifizierung für BMA und Sprachmeldeanlagen“, 2012. http://www.din-14675.de/din14675_home.html

Wurster, Simone, „Ethics and Privacy Issues of Critical Infrastructure Protection – Risks and Possible Solutions Through Standardization“, Praxis der Informationsverarbeitung und Kommunikation, Fachzeitschrift für den Einsatz von Informationssystemen, Special issue on ICT standardization, forthcoming.

ANNEX 1: EXAMPLES OF EUROPEAN REGULATIONS IN DIFFERENT SECURITY-RELATED AREAS

Commerce agreements

EFTA Surveillance Authority Decision No 228/05/COL of 21 September 2005 issuing a Notice entitled "Guidelines on the application of Article 53 of the EEA Agreement to technology transfer agreements"

Energy

Directive 2005/89/EC of the European Parliament and of the Council of 18 January 2006 concerning measures to safeguard security of electricity supply and infrastructure investment

Telecommunications

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications

Regulation (EC) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004

Commission Recommendation of 9 March 2012 on preparations for the roll-out of smart metering systems

Traffic security

Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security

Regulation (EC) No 1072/2009 of the European Parliament and of the Council of 21 October 2009 on common rules for access to the international road haulage market

Regulation (EC) No 1073/2009 of the European Parliament and of the Council of 21 October 2009 on common rules for access to the international market for coach and bus services, and amending Regulation (EC) No 561/2006

Commission Regulation (EC) No 611/2012 of 9 July 2012 amending Annex II to Regulation (EC) No 1073/2009 of the European Parliament and of the Council on common rules for access to the international market for coach and bus services

Commission Regulation (EC) No 612/2012 of 9 July 2012 amending Annexes II and III to Regulation (EC) No 1072/2009 of the European Parliament and of the Council on common rules for access to the international road haulage market

Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (data protection)

Commission Regulation (EC) No 324/2008 of 9 April 2008 laying down revised procedures for conducting Commission inspections in the field of maritime security

Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security

Air traffic safety and security

Commission Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 1321/2007 of 12 November 2007 laying down implementing rules for the integration into a central repository of information on civil aviation occurrences exchanged in accordance with Directive 2003/42/EC of the European Parliament and of the Council

Commission Regulation (EC) No 1448/2006 of 29 September 2006 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 1477/2007 of 13 December 2007 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 1546/2006 of 4 October 2006 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 1862/2006 of 15 December 2006 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 272/2009 of 2 April 2009 supplementing the common basic standards on civil aviation security laid down in the Annex to Regulation (EC) No 300/2008 of the European Parliament and of the Council

Corrigendum to Commission Regulation (EC) No 272/2009 of 2 April 2009 supplementing the common basic standards on civil aviation security laid down in the Annex to Regulation (EC) No 300/2008 of the European Parliament and of the Council

Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002

Corrigendum to Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002

Commission Regulation (EC) No 358/2008 of 22 April 2008 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 781/2005 of 24 May 2005 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 831/2006 of 2 June 2006 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Regulation (EC) No 849/2004 of the European Parliament and of the Council of 29 April 2004 amending Regulation (EC) No 2320/2002 establishing common rules in the field of civil aviation security

Commission Regulation (EC) No 857/2005 of 6 June 2005 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 915/2007 of 31 July 2007 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

Commission Implementing Regulation (EC) No 1082/2012 of 9 November 2012 amending Regulation (EC) No 185/2010 in respect of EU aviation security validation

Commission Implementing Regulation (EC) No 1087/2011 of 27 October 2011 amending Regulation (EC) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security in respect of explosive detection systems

Commission Implementing Regulation (EC) No 1147/2011 of 11 November 2011 amending Regulation (EC) No 185/2010 implementing the common basic standards on civil aviation security as regards the use of security scanners at EU airports

Commission Implementing Regulation (EC) No 173/2012 of 29 February 2012 amending Regulation (EC) No 185/2010 as regards clarification and simplification of certain specific aviation security measures

Commission Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Corrigendum to Commission Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Corrigendum to Commission Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Corrigendum to Commission Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 293/2010 of 8 April 2010 amending Regulation (EC) No 820/2008 laying down measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 297/2010 of 9 April 2010 amending Regulation (EC) No 272/2009 supplementing the common basic standards on civil aviation security

Corrigendum to Commission Regulation (EC) No 297/2010 of 9 April 2010 amending Regulation (EC) No 272/2009 supplementing the common basic standards on civil aviation security

Commission Regulation (EC) No 334/2011 of 7 April 2011 amending Regulation (EC) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 357/2010 of 23 April 2010 amending Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 358/2010 of 23 April 2010 amending Regulation (EC) No 185/2010 of 4 March 2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 573/2010 of 30 June 2010 amending Regulation (EC) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 72/2010 of 26 January 2010 laying down procedures for conducting Commission inspections in the field of aviation security

Commission Regulation (EC) No 983/2010 of 3 November 2010 amending Regulation (EC) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Corrigendum to Commission Regulation (EC) No 983/2010 of 3 November 2010 amending Regulation (EC) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security

Commission Regulation (EC) No 1254/2009 of 18 December 2009 setting criteria to allow Member States to derogate from the common basic standards on civil aviation security and to adopt alternative security measures

Commission Regulation (EC) No 18/2010 of 8 January 2010 amending Regulation (EC) No 300/2008 of the European Parliament and of the Council as far as specifications for national quality control programmes in the field of civil aviation security are concerned

Commission Implementing Regulation (European Commission) No 654/2013 of 10 July 2013 amending Regulation (European Commission) No 185/2010 in respect of EU aviation security validation checklists for third country entities (air traffic safety)

Commission Implementing Regulation (European Commission) No 711/2012 of 3 August 2012 amending Regulation (European Commission) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security as regards the methods used for screening persons other than passengers and items carried

Corrigendum to Commission Implementing Regulation (European Commission) No 711/2012 of 3 August 2012 amending Regulation (European Commission) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security as regards the methods used for screening persons other than passengers and items carried (air traffic safety)

Commission Regulation (European Commission) No 720/2011 of 22 July 2011 amending Regulation (European Commission) No 272/2009 supplementing the common basic standards on civil aviation security as regards the phasing-in of the screening of liquids, aerosols and gels at EU airports

Commission Implementing Regulation (European Commission) No 859/2011 of 25 August 2011 on amending Regulation (European Commission) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security in respect of air cargo and mail

Corrigendum to Commission Implementing Regulation (European Commission) No 859/2011 of 25 August 2011 on amending Regulation (European Commission) No 185/2010 laying down detailed measures for the implementation of the common basic standards on aviation security in respect of air cargo and mail

Commission Implementing Regulation (European Commission) No 1035/2011 of 17 October 2011 laying down common requirements for the provision of air navigation services and amending Regulations (European Commission) No 482/2008 and (EU) No 691/2010


ANNEX 2: CRISP'S GUIDELINE FOR INTERVIEWS AT CEN AND CLC TCS

1. Please provide a short overview of the TC including its scope, structure, year of establishment and reasons for its establishment.

2. What are the most important security-related standards of your TC?

3. Which security-related trends are relevant in the TC and what are its most recent security-related standards and standardisation projects?

4. Which security-related standards of your TC form the basis of testing and certification processes?

5. What is standardised? (please select and give examples: products, component, material, processes, procedures, system or service)

6. Which security-related standards of your TC are related to European directives or regulations?

7. Please describe the major topics of the standards including beyond security, such as trust, efficiency and freedom infringements.

8. What are the problems/challenges of standardisation processes in the context of security-related certification with respect to topics, agenda setting, stakeholder participation etc.?

9. What are the main effects on the market/relevant sector so far? What are the expectations? Better security? More reliability and accountability of acting?

10. Which certification organizations are responsible for issuing such certificates as mentioned in question 4?

11. Please give examples of how the standards are used in these processes.

12. Which additional security-related standards of the TC might form the basis of testing and certification processes (why/how?)

13. Which certification organizations might be responsible for issuing such certificates (why/how?)

14. Which future plans does your TC have in the security field?

15. Which suggestions do you have to improve the certification landscape for security products/technologies/systems/services?

16. Do you have additional comments? (please specify)


ANNEX 3: TOPICS OF EMAILS TO SELECTED TCS AT CEN AND CLC

What has been standardised by the TC in the security field so far? (component, material, processes, procedures, systems or services)

Which security-related standards of the TC are related to European directives or regulations?

Major topics of the security-related standards including beyond security, such as trust, efficiency and freedom infringement

Security-related standards of the TC which form the basis of testing and certification processes

Certification organizations that are responsible for issuing such certificates

Additional security-related standards of the TC that might form the basis of testing and certification processes

Certification organizations that might be responsible for issuing these certificates

Suggestions to improve the European certification landscape for security products/technologies/systems/services