Deliverable D 2.1: Report on security standards and certification in Europe - A historical/evolutionary perspective


Project acronym: CRISP
Project title: Evaluation and Certification Schemes for Security Products
Grant number:
Programme: Seventh Framework Programme for Security
Objective: Topic SEC Evaluation and certification schemes for security products
Contract type: Capability project
Start date of project: 01 April 2014
Duration: 36 months
Website:

Deliverable D 2.1: Report on security standards and certification in Europe - A historical/evolutionary perspective

Author(s): Dr. Simone Wurster, Dr. Tim Pohlmann and Dr. Patrick Murphy (TU Berlin), Dr. Florian Fritz, Roger von Laufenberg (IRKS Research), Jolien van Zetten (NEN), Cristina Pauner, Artemi Rallo (UJI) and Rosario García Mahamut (UJI), Rosamunde van Brakel, Alessia Tanas (VUB)
Contributor: Trilateral Research and Consulting
Dissemination level: Public
Deliverable type: Final
Version: 1
Submission date: 30 August 2014

TABLE OF CONTENTS

List of figures
List of selected abbreviations
Introduction
State of the art in research on conformity assessment, standardisation and accreditation
Introduction
Conformity assessment systems and their elements
Standards as part of conformity assessment systems
Introduction
Characteristics and types of standards
Standards used for conformity assessment
Economic benefit of conformity assessments
Economic benefits of standards and their use for conformity assessments
General benefits
Usability of different deliverables for conformity assessment
Examples of the use of standards for conformity assessment
Examples of conformity assessment without using standards
Advantages of using standards for conformity assessment
Economic benefit of mutual recognition of security-related conformity assessments
General framework conditions in Europe
General framework for certification and accreditation in Europe
Conformity assessment and accreditation in the Voluntary Section
Conformity assessment and accreditation in the Law Regulated Section
Conformity assessment and accreditation in the Sovereignty Section
The European co-operation for Accreditation and the Multilateral Agreement
General framework for standardisation in Europe
Main features of the European standardisation policy
Multinational collaborations in standards development
Security standardisation and certification in Europe
Introduction
European efforts towards security-related CAC solutions
The ESRIF report
The European Security Research and Innovation Agenda
Communication on reaction to ESRIF
Communication towards an increased contribution from standardisation to innovation in Europe

Stockholm Programme
Mandate M/
Action Plan for an innovative and competitive Security Industry
Regulations and directives in selected security areas
Overview
Documents related to privacy and data protection
Links between standards, certification and pre-commercial procurement
Summary and conclusions
State of the art in security standards in different sectors
Work of European standardisation organisations
Introduction
Analysis of different standardisation organisations and their security-related standards
European Committee for Standardisation (CEN)
European Committee for Electrotechnical Standardisation (CENELEC)
European Telecommunications Standards Institute (ETSI)
Work of international standardisation organisations
International organisation for standardisation (ISO)
International Electrotechnical Commission (IEC)
International Telecommunication Union (ITU)
Work of specific technical committees
Introduction
CEN/CLC/TC 4 PC Services for fire safety and security systems
CEN/TC 224 Personal identification, electronic signature, cards and their related systems and operations
CEN/TC 278 Road transport and traffic telematics
CEN/TC 325 Crime prevention by urban planning and building design
CEN/TC 379 PC - Supply chain security
CEN/TC 388 Perimeter protection
CEN/TC 391 Societal and citizen security
CEN/TC 417 Maritime and port security services
CEN/TC 419 Forensic science services
CLC/TC 79 Alarm systems
Other security-related TCs
Summary
Correlate the general security areas and standardisation activities
Correlate CRISP's WP1 matrix of security areas and standards
Need for standards

5. Fields where the availability of open standards should be restricted
State of harmonisation and mutual recognition
National certification organisations in the security field
General findings regarding the state of harmonization
The situation in different security sectors
CBRNE
Airport screening equipment
Air cargo
Alarm systems
Alarm systems in general
Fire alarm systems
Security services
Need for action
Certification bodies and schemes
Introduction
Common Criteria Certification
SOG-IS
Evaluation according to ITSEC
ECAC
CertAlarm
EFSG
Current activities
National activities
European activities
Summary
References
Annex 1: Examples of European regulations in different security-related Areas
Annex 2: CRISP's guideline for interviews at CEN and CLC TCs
Annex 3: Topics of s to selected TCs at CEN and CLC

LIST OF FIGURES

Figure 1: The elements of conformity assessment systems and quality infrastructure
Figure 2: Kinds of standards in hierarchical order
Figure 3: Overview of deliverables at CEN and CENELEC
Figure 4: Sections of conformity assessment systems
Figure 5: Possible forms of internalization of market imperfections
Figure 6: Positive effects of different kinds of standards
Figure 7: Selected reasons for certification
Figure 8: Selected advantages of standards
Figure 9: Modules of conformity assessment according to European Commission (2008)
Figure 10: EN standards with requirements on conformity assessment bodies
Figure 11: Relevance of the EN series in European conformity assessment
Figure 12: Relevant areas of ESRIF for CRISP's activities
Figure 13: Clusters of ESRIA
Figure 14: Relevant items of COM (2008)
Figure 15: Objectives of Mandate M/
Figure 16: Security areas based on Mandate M/
Figure 17: Selected elements of the action plan for the European security industry
Figure 18: Year of establishment and published standards by security related CEN/CLC/TCs
Figure 19: Establishment of security-related TCs at CEN and CENELEC
Figure 20: Overview of the work of selected CEN TCs in the security field
Figure 21: Overview of the work of selected CLC/TCs in the security field
Figure 22: Overview of the work of selected TCs in ETSI's security cluster
Figure 23: Overview of the work of selected ISO TCs in the security field
Figure 24: Interrelation between CEN/CLC/TC 4 and the European certification landscape
Figure 25: Interrelation between CEN/TC 224 and the European certification landscape
Figure 26: Interrelation between CEN/TC 278 and the European certification landscape
Figure 27: Interrelation between CEN/TC 235 and the European certification landscape
Figure 28: Interrelation between CEN/TC 379 and the European certification landscape
Figure 29: Interrelation between CEN/TC 388 and the European certification landscape
Figure 30: Interrelation between CEN/TC 391 and the European certification landscape

Figure 31: Interrelation between CEN/TC 417 and the European certification landscape
Figure 32: Interrelation between CEN/TC 419 and the European certification landscape
Figure 33: Interrelation between additional security-related CEN TCs and the European certification landscape
Figure 34: Summarized interrelation between selected security-related CEN/CLC/TCs and the European certification landscape
Figure 35: Links between security sectors and the work of CEN and CENELEC
Figure 36: Correlate of CRISP's WP1 matrix of security areas and standards
Figure 37: Examples of security-related certification bodies in European Member States
Figure 38: Perceived lack of harmonised certification procedures in Europe
Figure 39: Options for an EU wide harmonized certification system for airport screening equipment
Figure 40: European collaborations of VdS
Figure 41: Collaborations of VdS with the U.S.
Figure 42: Multilateral recognition agreements in Europe in the security field
Figure 43: German example of the CC certification process
Figure 44: The quality marks of the EFSG System
Figure 45: The EFSG process
Figure 46: Examples for the nomination of test laboratories by a certifier of the EFSG group
Figure 47: Parts of the EFSG agreement on components of intruder alarm systems
Figure 48: Parts of the EFSG agreement on components of intruder alarm systems
Figure 49: Exemplary test protocol of the EFSG partner CNPP

LIST OF SELECTED ABBREVIATIONS

AFNOR: Association Française de Normalisation
BSI (D): Bundesamt für Sicherheit in der Informationstechnik
BSI (GB): British Standards Institution
CAC: Conformity Assessments and Certifications
CBRN: Chemical, Biological, Radiological and Nuclear
CBRNE: Chemical, Biological, Radiological, Nuclear and Explosive
CC: Common Criteria
CCTV: Closed-circuit television
CEN: Comité Européen de Normalisation
CLC: CENELEC
CENELEC: Comité Européen de Normalisation Electrotechnique
CEOC: International Confederation of Inspection and Certification Organisations
COM: Communication
CREATIF: Network of Testing Facilities for CBRNE detection equipment
CWA: CEN Workshop Agreement
DIN: Deutsches Institut für Normung
EA: European co-operation for Accreditation
ECAC: European Civil Aviation Conference
EEA: European Economic Area
EFAC: European Federation of Associations of Certification bodies
EFSG: European Fire and Security Group
EFTA: European Free Trade Association
EN: European Norm
ENISA: European Union Agency for Network and Information Security
EOTC: European Organisation for Testing & Certification
ESOs: European Standardisation Organisations
ESRIA: European Security Research and Innovation Agenda
ESRIF: European Security Research and Innovation Forum
ETSI: European Telecommunications Standards Institute
IAF: International Accreditation Forum
ICT: Information and communications technology
IEC: International Electrotechnical Commission
IIOC: Independent International Organisation for Certification
ILAC: International Laboratory Accreditation Cooperation
ISO: International Organization for Standardisation
IT: Information Technology
ITSEC: Information Technology Security Evaluation Criteria
ITU: International Telecommunication Union
IWA: International Workshop Agreement
JTC: Joint Technical Committee
MRA: Mutual Recognition Agreement
NSB: National Standardisation Body

NEN: NEderlandse Norm (National Standardisation Body of the Netherlands)
PSS: products, systems and services
prEN: project of European Norm
SC: Sub Committee
SMEs: Small- and Medium-sized Enterprises
SOG-IS: Senior Officials Group Information System Security
TC: Technical Committee
TR: Technical Report
TS: Technical Specification
WTO: World Trade Organisation

1. INTRODUCTION

Building on the security-related definitions of the glossary and taxonomies in CRISP's Deliverables 1.1 (Glossary of security products and systems) and 1.2 (Taxonomy of security products, systems and services), this report provides a literature review and a historical perspective of security standards and certification in Europe. It introduces the rationale and need for standards and certification and outlines what is certified. Examples of standards and certification schemes in different security sectors covering different areas of certification are illustrated. In addition, opportunities to link standards and certification in the future are shown.

This document consists of seven chapters: Chapter 2 reflects the state of the art in research on conformity assessment, certification, standardisation and accreditation. Specific emphasis is put on the security field. In particular, the advantages of using standards in certification processes are shown. Chapter 3 describes general framework conditions in Europe and specific European documents related to security standardisation and certification. Chapter 4 gives detailed insight into the state of the art in European security standards in different sectors, standardisation organisations, technical committees and working groups and offers an overview of specific standards documents. Chapter 5 provides information on security fields where standards for certain security applications should only be made available to entities which have the required security clearances. A detailed analysis of the state of harmonisation and mutual recognition in Europe is given in Chapter 6. All findings are summarized in Chapter 7.

This report is conceived of as a living document. This means that after this first submission, an extended version will be prepared which will benefit from additional information gained from other work packages, and in particular from the preparation of Deliverable 2.2 (Consolidated report on security standards, certification and accreditation best practice and lessons learnt).

2. STATE OF THE ART IN RESEARCH ON CONFORMITY ASSESSMENT, STANDARDISATION AND ACCREDITATION

2.1. INTRODUCTION

In the context of European harmonization, conformity assessment permits proof of compliance with laws, technical specifications or criteria.[1] This chapter provides an overview of the most relevant academic theories, principles and findings addressing conformity assessment and certification as well as standardisation and accreditation.

CONFORMITY ASSESSMENT SYSTEMS AND THEIR ELEMENTS

Conformity assessment refers to the acknowledgement that a product, a system, a person or a board fulfils a set of fixed requirements (EN ISO/IEC 17000:2005).[2] There are various conformity assessment bodies, such as test laboratories, calibration units, and inspection units in addition to certification and verification bodies. All confirm that the needed requirements are achieved. Those requirements are usually set through standards, laws, specifications and voluntary agreements among parties. On this basis, obtaining a certificate is proof that a product complies with (or conforms with) specific legislation or other technical specifications or criteria.[3]

Active conformity assessments play an important role for both international trade and the pursuit of a European single market. With the expansion of international trade, there have been great efforts to reduce and eliminate tariff barriers. As a result of the success of these efforts, the focus is now on non-tariff barriers. Through conformity assessments, trust among trading partners concerning quality and security can be protected and strengthened. The conformity assessment system offers structures and consistency and promotes mutual trust.

To achieve a continuous and comparable quality of the assessment results, an independent board can assess and validate the competency of the conformity bodies. Those competency validations are specific for each sector. The independent board can either be set up by the state or be a completely independent accreditation body. There are various possibilities for ensuring the competency of the independent board. If the state has set up the board, its competency is assumed until proven otherwise. If the board is set up by an independent accreditation body, a system of continuous rotating assessment among those bodies can be established.

Accreditation is defined by ISO/IEC as third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks.[4] With those definitions as a basis, we now define three main elements which make up the conformity assessment system:

[1] See Ensthaler, Jürgen, Kai Strübbe and Leonie Bock, Zertifizierung und Akkreditierung technischer Produkte, Ein Handlungsleitfaden für Unternehmen, Berlin,
[2] See Teichler, Thomas, Florian Berger, Thomas Heimer, James Stroyan and Inga Schlüter, Entwicklungsperspektiven der Konformitätsbewertung und Akkreditierung in Deutschland, Studie im Auftrag des Bundesministeriums für Wirtschaft und Technologie, 2013, pp
[3] See Ensthaler, et al., op. cit.,
[4] See ISO/IEC, ISO/IEC Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies. Switzerland, 15. February

- Establishing the requirements for products, services, systems, etc., which can be set through standards or agreements, for example
- Conformity assessment through conformity assessment bodies, such as certification bodies
- Validation of the competence of the conformity assessment bodies

From this listing it should be apparent that certification, standards and accreditation are part of the conformity assessment system. Furthermore, the conformity assessment system is itself part of the quality infrastructure of a nation when combined with metrology (measurement systems).[5] Figure 1 shows the hierarchy and components of the quality infrastructure and of the conformity assessment system.

Source: Own figure based on Teichler et al., 2013 and Frenz & Lambert, 2013
Figure 1: The elements of conformity assessment systems and quality infrastructure

In this analysis we will focus only on the conformity assessment system on its own, and not as part of a bigger infrastructure. In this system, establishing the requirements and conformity assessment are carried out by private actors. Public actors may be involved, but as partners or contributors with equal or less influence. In contrast, competency validation is usually carried out by public actors such as the state or through a (sovereignty-granted) accreditation body.

For the rest of this report, a distinction will be made between two markets. The first market, referred to as the basic market, is the market for security products, technologies, services and systems. The second market is the conformity market around the specific security solution. This distinction is necessary for two reasons. The first is that it helps clarify which actors, systems, dynamics, etc. are being referred to. The second is that through this distinction we can differentiate between various intervention mechanisms. This is particularly important, as it allows us to examine market imperfections and how the conformity assessment system can be used to eliminate them. According to Chapter 2.4, the market imperfections are located in the basic market and are being mitigated through the conformity market.

STANDARDS AS PART OF CONFORMITY ASSESSMENT SYSTEMS

INTRODUCTION

European standardisation is a key instrument for the consolidation of the single market and for strengthening the competitiveness of European companies, thereby creating the conditions for economic growth.[6] According to CEN's and CENELEC's formal definition, a standard is a document, established by consensus decision making and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.[7]

Standardisation takes place on three different levels. Worldwide standards are developed by ISO (International Organization for Standardisation), IEC (International Electrotechnical Committee) and ITU (International Telecommunication Union). European standards are developed by CEN (European Committee for Standardisation), CENELEC (European Committee for Electrotechnical Standardisation) and ETSI (European Telecommunications Standards Institute), also called the three European Standardisation Organisations (ESOs). Throughout this document, whenever ISO is mentioned, this also includes IEC, and whenever CEN is mentioned, this also includes CENELEC. The third level of standardisation is the national level. Most countries in the world and all European countries have one National Standardisation Body (NSB).

Differences in standards and technical regulations between countries, even when justified, may sometimes create technical barriers to trade.[8] On the other hand, a number of empirical studies highlight the positive effect of harmonized national standards on trade.[9]

Members of CEN and CENELEC are the NSBs from every EU Member State, the Former Yugoslav Republic of Macedonia, Turkey and the three countries of the European Free Trade Association (EFTA): Iceland, Norway and Switzerland. The case of ETSI is different, however. In ETSI committees, individuals, user groups and especially corporate organizations are members, and not national representatives.

[5] See Frenz, Marion and Ray Lambert, The Economics of Accreditation. London: Birkbeck, University of London March Archive/2013/Economics%20of%20Accreditation%20Final%20Report.pdf
[6] See CEN/CENELEC, European Standardisation, no date.
[7] See CEN/CENELEC, What is a European Standard (EN)?, no date.
[8] See Guasch, J. Luis, Jean-Louis Racine, Isabel Sánchez and Makhtar Diop, Quality Systems and Standards for a Competitive Edge, The World Bank, Washington, DC, 2007, p
[9] See Guasch et al., op. cit., 2007, p. 37 for an overview as well as Blind, Knut and Andre Jungmittag, Trade and the Impact of Innovations and Standards: The Case of Germany and the UK, Applied Economics, Vol. 37, pp

A summarized description of the nature of standardisation in Europe is given by CEN/CENELEC.[10] According to CEN/CENELEC, the main goal of standardisation is to agree upon common specifications and/or procedures that respond to the needs of business and meet consumer expectations. In addition, standards are part of the knowledge economy that underpins European industry and society. They facilitate innovation and promote the adoption of new technologies.[11]

Before explaining standards in more detail, it is important to clarify some of the main rules related to the status and adoption of standards within Europe. All ISO standards are voluntary in use and in adoption. It is up to the NSBs to decide whether or not they adopt an ISO standard as a national standard. If the NSB decides to do so, the document will be published, for example as DIN-ISO in Germany or NEN-ISO in the Netherlands. If the NSB decides not to adopt the standard, it will only be published as an ISO standard in that country. Furthermore, NSBs have the possibility to develop and publish standards about a subject that is also standardised by an ISO standard. On a European level, CEN can decide to adopt an ISO standard and make it an EN-ISO. Conversely, ISO can decide to adopt an EN as well.

The rules for adopting European standards on a national level differ from the rules for ISO standards. The European standardisation system is unique in the world. After the publication of a European Standard, each national standards body or committee is obliged to withdraw any national standard which conflicts with the new European Standard. Hence, one European Standard becomes the national standard in all the 33 member countries of CEN and/or CENELEC.[12] As soon as CEN decides to adopt an ISO standard as an EN, this document automatically has to be adopted by the member countries as well and becomes, for example, DIN-EN-ISO.

A majority of European Standards are initiated by business and developed in partnership with other stakeholders. Around 30% are mandated by the European Commission in the framework of EU legislation.

CHARACTERISTICS AND TYPES OF STANDARDS

Standards are developed and defined through a process of sharing knowledge and building consensus among technical experts nominated by interested parties and other stakeholders, including businesses, consumers and environmental groups, among others. A standard is not written by one expert, but reflects the input and knowledge of all parties concerned. Application fields of standards include the improvement of safety and performance, raising levels of energy efficiency as well as the protection of consumers, workers and the environment. According to CEN/CENELEC, they complement European and national policies in these areas, and make it easier for companies and other actors to respect relevant legislation.[13]

[10] See CEN/CENELEC, European Standardisation, no date.
[11] See CEN/CENELEC, European Standardisation, no date.
[12] See CEN/CENELEC, What is a European Standard (EN)?, no date.
[13] See CEN/CENELEC, European Standardisation, no date.

European Standards are regarded as a valuable tool for facilitating cross-border trade both within Europe's single market and with the rest of the world because they reduce unnecessary costs for both suppliers and purchasers of products and services.[14]

There are several types of standards. CEN and ISO make a distinction between standards which include requirements and/or recommendations in relation to products, systems, processes and services. They also distinguish between standards which describe a measurement or test method or establish a common terminology within a specific sector.[15] Another way of defining different types of standards is explained by the CREATIF consortium in its report The future of testing security related products.[16] This report distinguishes four kinds of standards, according to Figure 2:

Source: Own figure
Figure 2: Kinds of standards in hierarchical order

A fundamental standard is, for example, a terminology standard. Analysis and trial standards specify aspects such as measurement protocols and test conditions. Performance standards include laboratory, operational and human factors standards, e.g. regarding human-machine interfaces, while standard ISO 9001 Quality management systems[17] is an example of an organizational standard. Information on the importance of these standards in the security field of protection against Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) threats is given in Chapter

[14] See CEN/CENELEC, European Standardisation, no date.
[15] See CEN/CENELEC, European Standardisation, no date.
[16] See Myers, P., F. Strebl, A. Plecis, R. Olivier and P. Wästerby, The future of testing security related products, D5.1 CREATIF Project, July 2011, pp
[17] See ISO, ISO 9001:2008 Quality management systems, 15 November 2008

STANDARDS USED FOR CONFORMITY ASSESSMENT

Certification bodies use standards as the basis for their processes. It is the job of these bodies to confirm that a product, system, process or service meets the requirements that are set by standards. They have to meet certain requirements which are documented in conformity assessment standards like ISO and ISO

The standardisation process can lead to different types of deliverables whose usability for certification differs. Below are the most used European deliverables. Besides general descriptions, further descriptions of their usability for certification are provided.

Deliverable: Standard (EN)
Characteristics:
- Is the most commonly known deliverable in the standards context
- Is a normative document, which means that if parties decide to use the standard, they have to follow all the requirements set out in the standard
- Usually sets requirements to a product, system, process or service
- Can also provide terminology
- Is made available in at least the three official CEN languages (English, French, German)
- Does not conflict with the content of any other EN standard
- Its value derives from the main characteristics of its development: full consensus among the member countries, standstill (no national standards being developed in the same field), and obligatory implementation by member countries
- May form the basis for certification if it sets requirements

Deliverable: Technical Specification (TS)
Characteristics:
- Like an EN, a normative document
- Main differences in its development process: no public consultation is needed, can be approved by the committee developing it
- Is usually established for specifications in evolving technologies and experimental markets
- May also be developed when there is insufficient support for public enquiry or no consensus before the formal voting procedure among the Member States exists

Deliverable: Technical Report (TR)
Characteristics:
- Is an informal document which is developed to inform on the technical content of standardisation work
- Does not set requirements
- Can therefore not be used as a basis for certification

Deliverable: CEN Workshop Agreement (CWA)
Characteristics:
- Is developed through a different process than the deliverables mentioned above (which are developed in TCs consisting of representatives of NSBs)
- Is developed by workshops consisting of stakeholders (both individuals and organisations)
- Stakeholders only give their own input (not a national point of view)
- Is approved by the workshop, does not have to go through public voting procedures
- Has a durability of three years
- Is less useful as a basis of certification due to its limited lifetime

Source: Own figure
Figure 3: Overview of deliverables at CEN and CENELEC

As mentioned in Figure 3, CWAs are developed in specific processes and, compared with ENs, are characterized by a shorter development period. CEN members do not have to adopt or publish CWAs, but can do so if they want to. After its expiration, a CWA can be confirmed for one more period of three years, or has to be withdrawn or put forward to a technical committee (TC) to be developed into another type of deliverable (EN/TS).

ECONOMIC BENEFIT OF CONFORMITY ASSESSMENTS

As described before, the main value of conformity assessment systems is their contribution to overcoming market imperfections. Dynamic markets can easily fall prey to market imperfections which can have tremendous negative effects upon the market.[20] Conformity assessment systems and accreditation can be used to negate, or at least to minimize, those negative effects. This aspect of the conformity assessment system is one of the strongest arguments for its implementation. In the continuation of this section four different cases of market imperfections will be described as well as the effects of a conformity assessment system.[21]

1. Information Asymmetry refers to the lack of equally distributed knowledge in a market among the various market actors.[22] This asymmetry causes the actors with less information to run the risk of making the wrong choices based on this incomplete information. Conformity assessments can even out those information asymmetries. This can be achieved, for example, by setting obligations to share certain information or through assessments by third parties.

2. Adverse Selection refers to situations where a negative selection accrues due to asymmetric information between buyer and seller. The consequence of this effect is that low quality products are more likely to be selected, since buyers have no means to verify good quality and are thus not willing to pay higher prices. Conformity assessments can make such situations more equitable by setting mandatory quality certificates that confirm good quality of products and thus allow the acceptance of higher prices.

[18] See ISO/IEC, ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, 15 May
[19] See ISO/IEC, ISO/IEC 17065:2012 Conformity assessment Requirements for bodies certifying products, processes and services, 15 September 2012
[20] See Akerlof, George A., The Market for "Lemons": Quality Uncertainty and the Market Mechanism, The Quarterly Journal of Economics, Vol. 84, No. 3, 1970, pp
[21] See Teichler et al., op. cit., 2013, pp. 19ff.
[22] See Stiglitz, Joseph E., The contributions of the economics of information to twentieth century economics. The Quarterly Journal of Economics, Vol. 115, No. 4, pp

17 3. External Effects are (economic) consequences of actions and decisions of one market actor onto others without those consequences being compensated or taken into consideration by the market actors. 23 There are positive and negative external effects. An example for an external effect in the sector of civil security would be a new connection to the internet or of two servers that used to be independent. While some individual might profit from the new connection, the general security can suffer (hackers could now have access to before secure data). Conformity assessments can help internalize external effects and make them become part of the decision making process. One possibility would be through defining clear requirements and organizing regular checkins to ensure a high level of implementation. 4. Natural Monopoly is a state of a product or service market which is brought forward by very high fixed costs, low marginal costs and economies of scales. 24 Through this monopoly, the market loses its selective mechanisms and allows for a continuous lowering of quality from the monopolist. Conformity assessments can reestablish a competition market situation in ways such as by setting high quality demands which limit the possibility of the monopolist. 5. Public Goods are goods which are not excludable, meaning their use and/or access is not limited to one person. 25 This lack of excludability can be the result of technology (i.e., radio waves are available to everyone) or political. It can also result in a loss of quality and subsequently low costs. Conformity assessments can help here in the same way as with the natural monopoly, by setting certain quality levels as requirements and by their use for regular re-examinations. 
The internalization of market imperfections through conformity assessments offers certain advantages, 26 including:
- Preservation of quality
- High product safety
- Avoidance of damage and injuries
- Reduction of risks
- Higher specialization effect (which increases competition capabilities) 27

There are three ways to internalize market imperfections through conformity assessment and accreditation. They differ in the role the state plays. From these differences we identify three sections within the conformity assessment system (Figure 4).

23 See Mankiw, N. Gregory, Principles of Economics. Fort Worth, Texas: Dryden Press,
24 See Stocker, Ferry, Moderne Volkswirtschaftslehre. Oldenbourg: Oldenbourg Wissenschaftsverlag,
25 See Donges, Juergen B. and Klaus-Werner Schatz, Staatliche Interventionen in der Bundesrepublik Deutschland: Umfang, Struktur, Wirkungen. Leibniz: Kieler Diskussionsbeiträge, No. 119/120,
26 See Jahn, Gabriele, Matthias Schramm and Achim Spiller, Zur Glaubwürdigkeit von Zertifizierungssystemen: Eine ökonomische Analyse der Kontrollvalidität. Göttingen: Institut für Agrarökonomie Georg-August Universität,
27 See Ernst, Dieter, America's voluntary standards system: a "best practice" for innovation policy? Honolulu: East-West Center,

Section: Voluntary Section
Description: Conformity happens on a purely voluntary level and is both initiated and implemented by private actors. The state plays no major role and, if it takes part, is a participant like all the others.

Section: Law Regulated Section
Description: Conformity is initiated by laws which are brought forward by the state. It is still implemented by private actors, but as specified by the state. The state here regulates all three elements of the conformity assessment system.

Section: Sovereignty Section
Description: Conformity is a pure state business. The state is responsible for everything from setting definitions and requirements up to the implementation and surveillance. Private actors are no longer present. The state is the agent responsible for the conformity assessment system.

Source: Own figure based on Teichler et al. (2013)
Figure 4: Sections of conformity assessment systems

Figure 5 summarizes the three possible ways to internalize market imperfections, which vary with the role taken by the state. 28

Source: Own figure based on Teichler et al. (2013)
Figure 5: Possible forms of internalization of market imperfections

28 Ensthaler et al., op. cit., 2007 provide a detailed overview of the general possibilities of certification and accreditation in the public and private sectors as well as of the European accreditation systems. However, their work does not have a special focus on the Sovereignty section and security.

In Chapter 3 each of the three methods to internalize market imperfections will be described individually and in more detail. The practical economic benefit of conformity assessment is shown in numerous studies. Guasch et al. 29 for example list 14 studies: 11 studies indicated a positive impact of conformity assessment on firm performance while 3 failed to demonstrate such effects. Additional evidence is offered by BMWFJ. 30 According to an IAF survey, 31 certification (as part of the conformity assessment) adds value and increases trust. Around 80% of the participants agree or strongly agree with a relevant statement that certification adds value. 25% state that it significantly increases sales and 37% state that it brings a minor increase in sales. The OECD 32 has also published a study on conformity assessment bodies. The results hint at a strong tendency for exports to profit from conformity assessment, especially in terms of reducing information asymmetries. In addition, certification has a signaling function to prove quality. In a number of security areas selling products is not possible without the relevant certificates.

At the same time, there are also negative effects which arise from using the conformity assessment system. These mainly revolve around freezing the status quo, sometimes even leading to lock-ins. 33 Conformity assessments set up requirements which can stop new and innovative solutions from spreading if they do not (yet) match those requirements. The optimal rate of standard replacement thus strikes a balance between the costs of standardisation and standard adoption on the one hand, and the opportunity cost of using an outdated technology on the other hand. The rate can deviate from the social optimum in both directions, yielding either excessive inertia (insufficient rate of standard replacement) or excessive momentum (excessive rate of standard replacement).
In a similar way, conformity assessments can also create barriers to entry and therefore harm competition. 34 While those negative effects are known, they do not outweigh the positive effects in the least. 35 Moreover, we will describe advanced certification solutions for innovative products, and will demonstrate the advantages of certification in innovative areas at the end of this document.

29 See Guasch et al., op. cit., 2007, p
30 See BMWFJ, Akkreditierung. Studie zur wirtschaftlichen Bedeutung der Akkreditierung für die österreichische Wirtschaft, no date. Akkreditierungsstudie.pdf.
31 See Frenz et al., op. cit.,
32 See Fliess, Barbara and Raymond Schonfeld, Trends in Conformity Assessment Practices and Barriers to Trade: Final Report on Survey of Cabs and Exporters, Trade Directorate tc/wp%282006%296/final, see also Teichler, et al., op. cit.,
33 See Arthur, William Brian, Competing Technologies, Increasing Returns, and Lock-In by Historical Events, The Economic Journal, Vol. 99(No. 394), S , March
34 See Baumol, William J., Elizabeth E. Bailey, John C. Panzar, Robert D. Willig, Edward Zajac, Baumol, Panzar, and Willig's Theory of Contestable Markets and Industry Structure: A Summary of Reactions. Harcourt Brace Jovanovich,
35 See Teichler et al., op. cit., 2013, p. 21 and the quoted sources there.

2.5. ECONOMIC BENEFITS OF STANDARDS AND THEIR USE FOR CONFORMITY ASSESSMENTS

GENERAL BENEFITS

Standardisation is an important catalyst for innovation and modern societies need to include new knowledge from the research field in standards, promoting innovation and competitiveness. 36 Based on their functions, four kinds of standards are distinguished: compatibility/interface standards, minimum quality/safety standards, standards for variety reduction and information standards. 37 General positive effects of standards are shown in Figure 6.

Kinds of standards: Compatibility/interface standards
Positive effects: network externalities, avoidance of lock-ins, increased variety of systems products

Kinds of standards: Minimum quality/safety standards
Positive effects: correction for adverse selection, reduced transaction costs, correction for negative externalities

Kinds of standards: Standards for variety reduction
Positive effects: economies of scale, building focus and critical mass

Kinds of standards: Information standards
Positive effects: facilitate trade, reduce transaction costs

Source: Blind (2004)
Figure 6: Positive effects of different kinds of standards

A detailed description of the potential role of standardisation to accelerate the sustainable growth of the European economy is given by European Commission (2011). 38 To stimulate lead markets for security-related technologies and services, standards and specifications may provide knowledge and technology transfer, connect relevant stakeholders, foster innovative demand, provide innovation-enhancing regulatory frameworks, intensify competition and increase exportability (see Blind, ).

Certification can be based on standards developed by standardisation organizations. It is also possible to develop a certification system without using standards. Therefore, the main question is what advantages arise from using standards instead of other documents as a basis for certification. Answers will be provided in the next sections.

36 See Blind, Knut, Standardisation: a catalyst for innovation, Inaugural Address Series. Research in Management, Erasmus Universiteit, EXPRESS [Expert Panel for the Review of the European Standardisation System], Standardisation for a competitive and innovative Europe: a vision for 2020, Report delivered to the European Commission in February CEN CENELEC STAIR, The Operationalisation of the Integrated Approach, Submission of STAIR to the Consultation of the Green Paper From Challenges to Opportunities: Towards a Common Strategic Framework for EU Research and Innovation funding, cenelec_stair_joint_strategic_working_group.pdf.
37 See Blind, Knut, The Economics of Standards: Theory, Evidence, Policy. Cheltenham, 2004, pp. 14ff.
38 See European Commission, A strategic vision for European standards: Moving forward to enhance and accelerate the sustainable growth of the European economy by 2020, Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee, COM (2011)311 final, Brussels,
39 See Blind, Knut, Standardisation and Standards in Security Research and Emerging Security Markets. Fraunhofer Symposium Future Security, 3rd Security Research Conference Karlsruhe, 10th - 11th September 2008, pp

USABILITY OF DIFFERENT DELIVERABLES FOR CONFORMITY ASSESSMENT

As described in Chapter 2.3.3, certification bodies certify a product, system, process or service against requirements set out in a document. ENs (or ISO standards, ISOs) are the most suitable to be used as a basis for certification for the following reasons: Certification is based on requirements. Technical Reports cannot set requirements and are therefore not suitable for certification. CWAs have a limited lifetime. They can be used for certification, but since a CWA usually exists for three years (with possible extension to six), it is not a preferable option. If a CWA is transferred into an EN after three or six years, the content of the document has to go through public voting and more/different/further stakeholders can give their input. This often leads to major changes in the content of the document. If the CWA was the basis for certification, this transfer from CWA to EN may lead to major changes in the certification practice as well. In contrast, Technical Specifications can be the basis for certification, since they can contain requirements.

For a certification system to be successful, it is important that stakeholders trust the certification system as well as the requirements that are being certified. The one main distinctive feature of an EN is that the requirements which it sets are agreed upon by a very large community of interested parties. Often, the parties who have an interest in the certification process (i.e. manufacturers, end-users) are involved in the development of the EN, which makes it easier to value the requirements as well as the quality of the document.

When using a standard as the basis for certification, a certification scheme is needed. The standard sets the requirements and the certification scheme explains the steps to be taken in the certification process. A certification body can develop its own certification scheme for each standard it wants to certify.
This means that each certification body may have its own certification scheme. From the point of view of comparability, transparency and efficiency, certification bodies may decide to join forces and develop a harmonized certification scheme together.

EXAMPLES OF THE USE OF STANDARDS FOR CONFORMITY ASSESSMENT

To illustrate the use of standards for certification, this sub-chapter gives two examples consisting of management systems standards and the ISO standard ISO

Management systems standards

Organizations and companies often want to get certified to ISO's management system standards (for example ISO , ISO , ISO ) although certification is not a requirement. The best reason for wanting to implement these standards is to improve the efficiency and effectiveness of company operations. As Figure 7 shows, a company may decide to seek certification for many reasons:

40 See ISO, op. cit.,
41 See ISO, ISO 14001:2004 Environmental management systems Requirements with guidance for use, 15 November
42 See ISO, ISO 31000:2009 Risk Management Principles and guidelines, 15 November 2009

- Contractual or regulatory requirements
- Necessity to meet customer preferences
- Signaling competence
- Falling within the context of a risk management programme
- Helping motivate staff by setting a clear goal for the development of its management system

Source: Own figure
Figure 7: Selected reasons for certification

According to ISO 43, ISO 9001:2008 sets out the criteria for a quality management system and is the only standard in its standards family that can be certified to. It can be used by any organization and is implemented by over one million companies and organizations in over 170 countries. The standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. Using the standard helps ensure that customers get consistent, good quality products and services. Checking that the system works is a vital part of ISO 9001:2008. An organization must perform internal audits to check how its quality management system is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard. Alternatively, it might invite its clients to audit the quality system for themselves.

ISO

The concepts, principles and requirements for IT security are established in the three parts of ISO This standard is accompanied by ISO 18045, 45 which was written specifically for evaluators and certifiers. ISO defines the minimum action to be performed by an evaluator in order to conduct an ISO evaluation. By setting these minimum actions in a standard, ISO ensures that evaluators work at least in a comparable way on the level of the minimum actions. More examples for the use of standards for certification will be provided in Chapter

EXAMPLES OF CONFORMITY ASSESSMENT WITHOUT USING STANDARDS

Certification is always based on a set of requirements.
These requirements can be documented in a standard, but do not have to be. Certification without the use of standards is one of the practices in professional certification. In professional certification, a person is certified to be capable of completing a task or job, usually by passing an exam. The requirements for professional certification are often documented in documents from the school, the organization offering the exam or a sector organization.

43 See ISO, ISO Quality management, no date
44 See ISO/IEC, ISO/IEC :2010 Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model, 15 December
45 See ISO/IEC, ISO/IEC 18045:2008 Information technologies Security techniques Methodology for IT security evaluation, 15 August 2008

A second type of certification without using standards is the certification based on sector requirements. Commonly known examples of these are the FSC 46 certificates for wood and sustainability labeling. In most cases of certification within a sector, the sector defines its own requirements and sometimes quality levels. Both in the case of professional certification and certification based on sector requirements, the certification itself can still be carried out by independent certification bodies.

In addition, there are fields in the software area in which no European standard exists and alternative documents are used for certification. This is in harmony with Regulation (EC) No 1025/2012, which lays down new rules for technical ICT specifications and highlights that ICT technical specifications are not adopted by the ESOs, international standardisation organisations or national standardisation bodies. Furthermore, Rodrigues et al. (2014) 47 provide an overview of different privacy seals which are based on standards and other documents. More examples are given in Chapter

ADVANTAGES OF USING STANDARDS FOR CONFORMITY ASSESSMENT

An important difference between certification with standards and certification without standards lies in the fact that when using standards as a basis, it is known that the requirements have been agreed on by all parties concerned. This leads to transparent requirements and prevents any suspicion of partiality. According to Figure 8 and the following list, the use of standards offers four additional advantages:

Source: Own figure
Figure 8: Selected advantages of standards

Trust and transparency

An often heard comment about certification systems which are based on sector internal requirements is that manufacturers/providers set the requirements for their own product or service.
The end-users, who have a very large interest in the quality level, do not always have a say in the requirements. This fact may decrease the level of trust in the system and the value of the certificate. If standards are being used as the basis for certification, all parties concerned, including end-users, have set the requirements together. This leads to an increased trust in the certification system and the value of the certificate. Blind 48 summarizes this principle as follows: "In complex product and service markets, where conformity with a performance standard for the inter-operability of systems is not transparent to the consumers, the certification of conformity by independent testing institutions presents a dimension of quality competition among suppliers which has positive impacts on consumers surplus."

Comparability

By using standards as the basis for certification, the market can certify against the same set of requirements. This is a key prerequisite for comparable certificates: it is clear that certificates from different certification bodies have the same status, since they are all based on the same set of requirements. In contrast, if different sets of requirements are established within sectors, the certificates are less comparable. This might also lead to a decrease in the trust that market players place in certificates.

Interchangeability

If certification bodies all certify against the same set of requirements, manufacturers/providers are not bound to one certification body and can change from one certification body to another. Furthermore, if a standard set of requirements is used all over the EU, there is no need to certify a product or service in every country.

Economic impact

As mentioned above, the use of one set of standardised requirements as the basis for certification leads to interchangeability within the European market. This leads to a cost reduction for the manufacturers/providers. Furthermore, once a product or service has been certified, the step to enter the market in another European country will be easier since there is no need for another certification process. From an economic point of view, it will ease international trade for manufacturers/providers and will make it easier for end users to buy products/services from abroad. Altogether, this leads to a more open European market and a decrease of the barriers to trade.

With regard to the security field, the European Commission summarizes the advantages of using standards for certification as follows: "Complementary to industrial standards is the need for more consistency in the regulation and certification of security-related equipment and services. This would provide certainty of technical reference for a wide range of stakeholders, from industry and technology innovators to end-users, regulators and policy makers. And it would go a long way toward helping create a single market and, above all, anchoring the conditions for interoperability of equipment across borders." 49

The following sub-chapters will describe the economic impact of conformity assessment.

46 See Forest Stewardship Council, "FSC Certification", no date
47 See Rodrigues, Rowena, David Barnard-Wills, David Wright, Paul De Hert and Vagelis Papakonstantinou, EU privacy seals project. Inventory and analysis of privacy certification schemes. Final Report Study Deliverable 1.4,
48 See Blind, op. cit., 2004, p
49 See European Commission, Regulatory & certification issues, ,

2.6. ECONOMIC BENEFIT OF MUTUAL RECOGNITION OF SECURITY-RELATED CONFORMITY ASSESSMENTS

Mutual recognition of conformity assessments is a specific issue of international trade. Guasch et al. (2007) describe the need for such arrangements as follows: "Demonstrating compliance through conformity assessment is itself only useful if the testing and certification requirements are similar in the exporting country and the importing country. If testing laboratories are not recognized abroad, tests on products carried out in the exporting country have to be repeated by a recognized laboratory in each of the importing countries. An adverse test report in the importing country can result in the rejection of an entire shipment. Likewise, if certification in one country is not recognized abroad, domestic firms requiring quality system and environmental management certification for export purposes need to be certified by organizations in each of the importing countries. Conformity assessment procedures vary widely across countries and in many cases constitute a large barrier to market entry. Nonrecognition or nonharmonization of conformity assessment procedures do not persist due to inherent national differences, but because conformity assessment is particularly vulnerable to misuse if bureaucratic procedures are not transparent." 50

The specific extent of the economic benefits of mutual recognition and conformity assessment depends on the specific security field. This sub-chapter gives an impression of these advantages by presenting numbers from two market segments as examples. In the following, the markets for alarm systems and airport scanners are investigated. 51

Currently companies that market security alarm systems need to apply for certificates from different Member States to supply the products throughout Europe. The costs of certification of a system are on average at the level of ,000 for full access to Europe.
Alternatively, the estimated cost for obtaining a mutually recognised certificate would amount to 40-60,000 according to analyses of the European Commission. 52 Therefore, it is expected that the total savings based on a common EU scheme for conformity assessment and certification would amount to , The total certification cost in the specific field of intruder alarm systems is estimated to range between 6.2 million and 13.2 million per year. It is assumed that a single European conformity assessment system reduces the cost by 75%. This would suggest a saving of 4.7 million to 9.9 million per year from certification of all intruder alarm systems.

50 See Guasch et al, op. cit., 2007, p
51 The following explanations are based on European Commission, Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels,
52 See European Commission (2012), Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels,
53 See European Commission, op. cit., 2012 describes the calculation in more detail based on AFNOR-CNPP, Certification rules Electronic Security Equipment: Intrusion Detection, Access Control Management Systems NF324-H58-VERSION-ANGLAISE-OCTOBRE
54 See European Commission, op. cit., 2012, p. 99.

With regard to the Explosive Detection System (EDS), the EU refers to an expert who estimated that the cost of a single test could be in the region of 65 thousand and for a liquid explosive system (LAGS) in a range between 30 and 75 thousand. These figures do not take into account any repeated testing that may be required. Certification costs of larger systems are estimated to be up to 700,000. They include an estimated 100,000 for an imaging test for a cargo scanner as well as 500,000 for a biometric identity card model. A harmonisation of the certification of testing procedures for airport scanners would facilitate a cost reduction to 3 million (30 products * ). Based on a comparison with the current cost of 22 million, this implies cost savings of approximately 19 million per year. 55

Both examples show that harmonized solutions would provide the European security industry with substantial cost savings and consequently advantages in competing in the international market. The issue will be analysed in more detail in CRISP WP

55 See European Commission, op. cit., 2012, p

3. GENERAL FRAMEWORK CONDITIONS IN EUROPE

This chapter provides a historical perspective of the general framework in European standardisation and certification and analyzes the legislative background of security standardisation and certification in depth.

GENERAL FRAMEWORK FOR CERTIFICATION AND ACCREDITATION IN EUROPE

According to Chapter 2, conformity assessment consists of three sections: the Voluntary section, the Law Regulated section and the Sovereignty section.

CONFORMITY ASSESSMENT AND ACCREDITATION IN THE VOLUNTARY SECTION

Conformity assessments are implemented on a voluntary basis (without any regulatory enforcement) for a large part of the trade market. The idea behind this principle is that operators will accept and rely upon a conformity assessment made by an independent body without having to review the assessments themselves. These conformity assessments could be for security, quality, products or services. Through such a structure the economic relationships are strengthened and the market process is accelerated. Furthermore, through the use of a conformity assessment system, market imperfections can be internalized, reducing risks and costs as well as creating a possibility for differentiation that facilitates competition.

Certificates are the best example. Certificates are used to inform the consumer about the characteristics of the products or services. They can also communicate that certain minimal requirements are being respected, for example in the fields of safety and security. To increase the credibility of the conformity assessments, the conformity assessment bodies can make use of accreditations, offered by an independent and neutral institution or body. Accreditation systems will be set up according to international standards and requirements, and are transparent in their criteria. The basis for the accreditation is the fulfilment of international standards.
These not only cover requirements for the basic markets, they also set the requirements of the conformity assessment system. The accreditation increases the trust in the results of the conformity assessment bodies and the quality of their tested products and services. The accreditation is, mainly in the voluntary section, aimed at manufacturers and their clients and not state institutions. Here the key function of the accreditation is of an economic nature. The accreditation is and can be used as a differentiation or marketing tool in a market with high competition. There are also cases where such accreditations are unspoken requirements to enter the markets (for example in China or India). If the accreditation fails, never takes place or is delayed, this results in high costs and losses for firms. Therefore there is an emphasis on a well-organized, quick and reliable accreditation system. The expectations towards the accreditation are not only those previously mentioned, but also that the relevant organisation offers a capable management of the evaluation process with clear steps (applying, assessment, accreditation, monitoring).

56 See Teichler et al., op. cit., 2013, pp. 23ff.
57 See Teichler et al., op. cit., 2013, pp. 23ff.

As mentioned, the state acts as participant only. The requirements are set by and for private actors without any law enforcement. The state can be part of the procedure and formulate demands, in the same way all participants can. The rules for the conformity assessments are laid down by and are implemented by private actors. The state is a consumer of the assessment bodies like all others. The use of accreditation is voluntary, a means to prove competency or to achieve higher recognition.

Directive 1999/93/EC 58 on a Community Framework for Electronic Signatures offers an early example for the definition of European framework conditions for certification and voluntary accreditation in a specific technological field. In particular, Article 4 (internal market principles) and Article 11 (notification) are important. At the beginning of the document several prerequisites for the establishment of the framework are defined which offer interesting examples for dealing with these certification and accreditation issues.
The most important passages for this analysis are:
- Certification service providers should be free to provide their services without prior authorisation; prior authorization includes not only any permission whereby the relevant certification service provider has to obtain a decision by national authorities before being allowed to provide its certification services, but also any other measures having the same effect;
- Voluntary accreditation schemes aiming at an enhanced level of service-provision may offer certification service providers the appropriate framework for developing their services further;
- Certification service providers should be free to adhere to and benefit from such accreditation schemes; and
- Certification services can be offered either by a public entity or a legal or natural person, when it is established in accordance with the national law; whereas Member States should not prohibit certification service providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services. 59

Parts of the relevant articles are shown below.

Article 4 - Internal market principles
Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by the Directive. Member States shall ensure that electronic-signature products which comply with the Directive are permitted to circulate freely in the internal market.

Article 11 Notification
Member States shall notify to the Commission and the other Member States the following:

58 See European Parliament and the Council, Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, 13 December 1999,
59 See European Parliament and the Council, op. cit

- information on national voluntary accreditation schemes, including any additional requirements pursuant to Article 3(7);
- the names and addresses of the national bodies responsible for accreditation and supervision as well as of the bodies referred to in Article 3(4);
- the names and addresses of all accredited national certification service providers.

In addition, Article 7 International Aspects / Accreditation specifies aspects of similar activities outside Europe.

CONFORMITY ASSESSMENT AND ACCREDITATION IN THE LAW REGULATED SECTION

As private actors made growing use of accreditation to increase trust and quality, it was also increasingly implemented by the state. The prime focus in this case is the elimination of dangers to humans, the environment or society which may arise through, for example, fake products or too low quality. To ensure a high quality and safety level, the state uses a combination of market access control and market monitoring. With the creation of the European single market, the EU has developed into the central authority for laws touching upon conformity and accreditation.

In 1985 the New Approach was established with the goals of tackling technical barriers and ensuring a common (high) level of safety for products. This is an important framework for the current regulatory instruments in the EU. On the basis of a Council Decision of May 1985, it creates a clear division of responsibilities between European lawmakers and standards bodies to facilitate a free movement of goods. EU directives thereby define the essential requirements to be fulfilled by goods and the European standards bodies have the task of creating the relevant technical specifications by adapting the essential requirements of the directives. 60 Chapter 3.2 describes the New Approach in more detail.
The New Approach was expanded in 2008 with the New Legislative Framework (NLF), 61 which applied the New Approach principles to further fields and sectors of the European single market. It includes specific measures aiming at removing the remaining obstacles to the free circulation of products and providing a major boost for trade among the EU Member States. To increase confidence in conformity assessment and certification facilities, the instrument of accreditation was developed. Specific accreditation organizations were founded to certify the auditing competence of such entities. 62 The Regulation (EC) No 765/2008 states that the use of accreditation should be the preferred method to give proof of the competency of such notified bodies. With the changes made to the accreditation laws in 2010, this has also been widely put into practice (with exception of the medical sector 63 ). A further decision of the Regulation (EC) No 768/2008 deals with the 60 See Blind, Knut, Deutschlands Standardisierungsstrategien hin zum Leitmarkt "Sicherheit": Potenziale und Herausforderungen, in: Rolf Stober (ed.), Jahrbuch des Sicherheitsgewerberechts, Hamburg, Verlag Dr. Kovac (Schriften aus der Forschungsstelle Sicherheitsgewerbe 5), 2008, pp The relevant regulation is Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 62 See Blind, Knut and Axel Mangelsdorf, The Trade Impact of ISO 9000 Certifications and International Cooperation in Accreditation, 2012, Proceedings of the 17th EURAS Annual Standardisation Conference - Standards and Innovation-, pp See Teichler et al., op. cit., 2013, p. 37. Page 29 of 170

presumption of conformity. It declares that if the notified bodies are accredited for fulfilling the European standards, then it can be assumed that they are also fulfilling the requirements of the regulations and directives. Of course, in case of deviation between the requirements set by the standards and those of the regulations or directives, further examinations are necessary. Such deviations are expected in certain sectors, especially in the medical sector. In those cases the laws have priority and those requirements have to be upheld. Further, specific requirements for the accreditation are to be tested separately. It is declared by Regulation (EC) No 765/2008 that the CE marking is the only marking which declares conformity with harmonized Community regulations. According to the regulation, Member States shall ensure the correct implementation of the regime governing the CE marking and take appropriate action in the event of improper use of the marking. Other markings (which have specific relevance in CRISP's context) may be applied to products if they provide additional information or value, or cover a domain outside the Community regulations. The NLF creates trust across the borders of the Member States of the EU and in their conformity assessment bodies. Since the requirements come from harmonized European standards, they are shared by all members and allow products and services to be imported without an additional national test being necessary at the border. At the same time, the requirements for the accreditation of the conformity assessment bodies are also set by the European standards and increase the trust in the results of the conformity assessment bodies of the other Member States. 64

With regard to the accreditation system in the law regulated section, we can summarize as follows: The basis of the competency validations is in the section of the European laws and standards. Accreditation may be used, but is not mandatory, to prove this competency; The accreditation can be found, when used, in the law regulated section, targeted to official institutions and governments of the Member States of the EU; The key function of the accreditation is to prove the competency of the conformity assessment bodies to the Member States of the EU; and The expectations towards the accreditation are, taking into account its key function, to preserve and test a level of competency dictated not only by the European standards but also by the laws and regulations.

In the law regulated section, the state acts especially as a regulator. The characteristic feature of this section is that the state creates the conformity assessment system by legislation. This can be done at all three levels of influence: Defining the requirements for products and services, e.g. by harmonized standards; Defining the conformity assessment by law, e.g. by a legal duty to carry out a conformity assessment and/or by statutory provisions on the nature and method of conformity assessment; and Confirming competence of the conformity assessment bodies.

See Röhl, Hans Christian and Yvonne Schreiber, Konformitätsbewertung in Deutschland. Konstanz: Universität Konstanz Fachbereich Rechtwissenschaft, See Teichler et al., op. cit., 2013, p. 29.

According to the European Parliament and the Council (2008) 66 and based on the specific solutions of the companies concerned, conformity assessment procedures in the law regulated sector include 16 modules which are shown in Figure 9.

Source: Own figure
Figure 9: Modules of conformity assessment according to European Commission (2008) 67

Although the modules address production and products, CRISP's emphasis is on product-related assessments. According to the document, EC-type examination, for example, is the part of a conformity assessment procedure in which a notified body examines the technical design of a product and verifies and attests that the technical design of the product meets the requirements of the legislative instruments that apply to it. Based on this module, the manufacturer submits the following to the relevant notified body: Technical documentation; Supporting evidence for the adequacy of the technical design solution; and Specimen(s), representative of the production envisaged, as required. Whereas the notified body:

66 See European Commission, Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC, Brussels, See European Commission, op. cit.,

Ascertains conformity with essential requirements; Examines technical documentation and supporting evidence to assess adequacy of the technical design for specimen(s): carries out tests, if necessary; and Issues EC-type examination certificate.

Technical requirements on Notified Bodies are outlined by European Commission (1997). 68 According to the document, notified bodies that can prove their conformity with the harmonised EN standards series by submitting an accreditation certificate or other documentary evidence are presumed to conform to the requirements of the directives. The EN series includes, for example, the following five standards describing requirements on the conformity assessment bodies (Figure 10). Figure 11 shows the relevance of these standards for the conformity assessment modules described in Figure 9.

EN General criteria for the operation of testing laboratories
EN General criteria for the operation of various types of bodies performing inspection
EN General requirements for bodies operating product certification systems
EN General requirements for bodies operating assessment and certification/registration of quality system
EN General requirements for bodies operating certification of personnel
Source: Own figure based on European Commission (1997)
Figure 10: EN standards with requirements on conformity assessment bodies

Aa: 1st option EN (+ ability to decide on conformity) or EN; 2nd option EN (+ ability to decide on conformity) or EN
B: HS not applied: EN; HS applied: EN (observe relevant requirements in EN and/or EN for testing, examinations required) or EN
C: 1st option EN (+ ability to decide on conformity) or EN; 2nd option EN (+ ability to decide on conformity) or EN
D: EN (+product knowledge)
E: EN (+product knowledge)
F: EN or EN
G: HS not applied: HS applied: EN
H: EN (+product knowledge)
Hbis: EN
Source: CERTIF 97/5 EN
Figure 11: Relevance of the EN series in European conformity assessment

68 See European Commission, The EN Series of Standards and the Conformity Assessment Procedures of the Global Approach, Working Document, CERTIF 97/5 EN, Brussels, 15 September

CONFORMITY ASSESSMENT AND ACCREDITATION IN THE SOVEREIGNTY SECTION

The state has a long history of internalizing market imperfections by taking over the whole process of conformity assessment and only then allowing a product or service to enter the market. The actual conformity assessment system with private actors is not involved. The state takes over all three steps of the system. It formulates the requirements with precise details, as was previously done under the Old Approach. It specifies how the competency should be evaluated and finally does the evaluation itself. This situation is usually referred to as State Conformity Assessment. Examples are metal detectors and scanners at airports for both passengers and luggage. The requirements are set by the EU and international laws. The detectors and scanners are tested by the state institutions according to international laws and any additional existing national laws. The decisive argument for state conformity assessment is the possibility to keep requirements and test procedures confidential. In addition, it allows for a concentration of testing areas with an efficient implementation of new methods. Even so, state conformity assessment also has negative effects, especially in an international market. Since the requirements are confidential, a producer has to let its products or services undergo testing in each new country. In addition, this approach also requires a large amount of resources from the state. A key characteristic of the sovereignty section is that the state does not use the conformity assessment system but instead implements everything on its own, using its own personnel. In this case the competency of the assessment bodies is never really tested or confirmed. Accreditation is not used.

THE EUROPEAN CO-OPERATION FOR ACCREDITATION AND THE MULTILATERAL AGREEMENT

Facilitated by the EU Treaty for the European single market in the civilian sector, conformity assessment and accreditation in the law regulated section allows for specific inter-European collaborations to reduce barriers to trade. The European co-operation for Accreditation (EA) is an important institution in this regard. It is appointed by the European Commission to manage the accreditation infrastructure within the EU, EFTA and candidate countries. Established in 1997, the organisation is a non-profit association of nationally recognised accreditation bodies 69. Being responsible for harmonising accreditation within Europe, it coordinates and leads the European accreditation infrastructure "to allow the results of conformity assessment services in one country to be accepted by regulators and the marketplace in another country without further examination" 70. A key instrument used by EA is the EA Multilateral Agreement (EA-MLA) which is a signed agreement whereby the signatories recognise and accept

69 See EA [European co-operation for Accreditation], Accreditation in Europe, Facilitating regulatory compliance and international trade See EA, EA's mission, 2014a,

the equivalence of the accreditation systems operated by the signing members, and also the reliability of the conformity assessment results provided by conformity assessment bodies accredited by the signing members 71. The participation of National Accreditation Bodies requires compliance with ISO/IEC Conformity assessment General requirements for accreditation bodies accrediting conformity assessment bodies. 72 The Multilateral Agreement complies fully with the World Trade Organisation (WTO) agreement on technical barriers to trade, which strongly encourages countries to recognise the results of other countries' conformity assessments. Certificates provided by organisations accredited by EA MLA signatories are also recognized by the signatories of the International Laboratory Accreditation Cooperation (ILAC) and the International Accreditation Forum (IAF) multilateral agreements. 73 Although the EU Treaty for the European single market exists, obstacles for trading security solutions in the sovereignty section exist as mentioned briefly in Chapter The specific situation in this field is described in Chapter

GENERAL FRAMEWORK FOR STANDARDISATION IN EUROPE

MAIN FEATURES OF THE EUROPEAN STANDARDISATION POLICY

From the old to the new approach to technical harmonization in Europe

Standardisation in the EU contributes "in a significant way to the functioning of the single market, the protection of health and safety, the competitiveness of industry and the promotion of international trade, and has been supporting an increasing range of community policies" 74. When attempts started for the development of technical regulations applicable to the markets of Member States in the early 1970s, it quickly became evident that legislation was not the right instrument for the elaboration of common technical rules. An ad hoc method for the establishment of harmonized technical requirements for products in specific trade areas had to be designed. 75 In May 1985, the Council of Ministers adopted a resolution introducing this method in the form of the New Approach to technical harmonization and standards. 76 The New Approach moved away from the Old Approach, which tended to include detailed technical requirements in Community legislation. Amongst other innovations, the New Approach limited legislative activities to requirements of a general nature inspired in particular by

71 See EA, The MLA, 2014b See EA, op. cit., See EA, op. cit., See Council of Ministers, Resolution of 28 October 1999 on the role of standardisation in Europe, OJ C 141/1, , [point 5].
75 See European Commission, Standardisation and the Directive 98/34/EC Historical background, Vademecum on European Standardisation, Part I, General Framework, Chapter 1.1, 15 November 2003, p See Council of Ministers, Resolution of 7 May 1985 on a New Approach to technical harmonization and standards, OJ C 136, 04/06/1985.

health and safety principles. This implied that technical elements for product specification were covered in harmonized European standards that had to be developed by the ESOs and that were not disciplined by the legislation itself. 77 Responsibility for working on technical rules at the European level was therefore delegated to the standard organizations, whilst public authorities committed themselves to not approve technical contents and standards even if such aspects were subject to regulation previously. 78

The set-up of a mechanism for information exchange in the field of technical regulations

The New Approach established procedural conditions under which the European legislator monitored the role of standardisation organizations in the development of standards. This led to the adoption of the so-called Transparency Directive, Directive 98/34/EC, which laid down a procedure for the exchange of information in the field of technical standards and regulations. More specifically, by consolidating and rationalizing an already existing procedure, 79 this Directive imposed the obligation upon Member States to notify to the Commission information on all draft technical regulations concerning products and information-society services before they were adopted into national law. 80 The procedure aimed at providing transparency with regard to these regulations. The Directive has partly been amended by Regulation 1025/ which is currently the latest and most comprehensive act adopted by the European legislator in the field of standardisation.

The non-binding and voluntary nature of standards

Standardisation is a form of self-regulation. Interested parties agree voluntarily on technical matters and decide whether or not to abide by these agreements. 82 The voluntary cooperation among stakeholders from industry, consumers, social and environmental organisations and public authorities takes place in the framework of the standardisation organisations.

The role of the EU in coordinating standards development in support of the Union's legislation

At the EU level, standardisation is handled by the three ESOs. They carry out their activities in particular in cooperation with the National Standardisation Bodies of the Member States and the European Commission. A standard can be developed under the initiative of one of the ESOs. However, the European Commission can also mandate the ESOs to draw up a standard related to products or services

77 See European Commission, Efficiency and Accountability in European Standardisation under the New Approach, Report from the Commission to the Council and the European Parliament, COM(1998) 291 final, Brussels, , p See European Commission, op. cit., 1998, p In the field of standardisation, Directive 94/10/EC of the European Parliament and the Council of 23 March 1994 amending for the second time Directive 83/189/EEC, already simplified considerably the procedure for the provision of information in the field of technical standards and regulations previously laid down in Directive 83/189/EEC. These texts were consolidated by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations.
80 In particular, the information procedure for standards established by Articles 2 to 7 of Directive 98/34/EC provided for the national standardisation bodies to notify the Commission, the ESOs and the other national standardisation bodies of any new subjects for which they had decided to prepare or amend a standard.
81 See European Parliament and the Council, Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council, OJ L 316/12, See European Commission, European Standardisation in support of European Policies, Standardisation Setting and Governance, Vademecum on European Standardisation, Part II, Chapter 1, Brussels, 15 November 2003, p. 2.

or ask for a standard to be developed in a specific area when it believes this would be useful for the application of Union legislation on harmonisation. 83 The ESOs are therefore asked to meet requirements set in legislation in order to develop those standards which, apart from having an economic nature, also have a public interest dimension. 84 This is a direct consequence of the New Approach described above.

Accountability and efficiency of the standardisation process

The need to balance accountability and efficiency criteria in the standardisation processes has been a constant objective of European Institutions over the past two decades. On the one hand, fulfilling accountability criteria (namely, an adequate level of openness, transparency and consensus amongst stakeholders) implies that there is a minimum amount of time needed for the development of standards. On the other hand, the ever-decreasing product life cycles and rapid development of new technologies demand an increasingly efficient process for standards production. 85 In its conclusions on standardisation and innovation of 25 September 2008, the Council pointed out that the acceleration desired of the standardisation process is not necessarily detrimental to the principles of quality, transparency and consensus among all interested parties. 86 Accountability in European standardisation entails that the system is open and transparent, that the standard meets the consensus of all major interested parties and that it is applied in a uniform way throughout the territory of Member States. 87 Accountability is also associated with the standard organization which develops the standard and the effective involvement of interest groups in the process. In particular, the European Commission has already maintained in the past that the participation of societal stakeholders (those representing consumer, health, safety and environmental interests) in the standardisation process has a strong and important dimension of accountability. It reinforces the quality of the consensus and makes the standards more representative 88. Moreover, in its conclusions on standardisation and innovation of 2008, the Council asked European and national standardisation bodies to further facilitate participation in standardisation by all interested parties, in particular representatives of small and medium-sized enterprises, consumers, trade unions and bodies representing societal interests. A number of European programmes already provided for the possibility to financially support European organisations representing small and medium-sized enterprises (SMEs), consumers and environmental interests in standardisation, while specific grants were paid to European organisations representing social interests in standardisation. 89 Regulation 1025/2012 has partly repealed and

83 See European Commission, European standardisation in support of European policies - Role and preparation of mandates - Vademecum on European Standardisation, Part II, Chapter 4.1, 15 October 2009, p See European Commission, op. cit., 1998, p See European Commission, op. cit., 2003, p See Council of the European Union, Conclusions on standardisation and innovation, Brussels, 25 September 2008, [point 24, p. 4].
87 Principles of accountability have for the first time been laid down in the General Guidelines for Co-operation between CEN and CENELEC and the European Commission, adopted in 1984 and in the Council Resolution of 18 June 1992 on the role of European standardisation in the European economy, OJ C 173 of See European Commission, The challenges for European standardisation, Staff Working Document, 18 October 2004, p Such Programmes were included in Decision No 1639/2006/EC of the European Parliament and of the Council of 24 October 2006 establishing a Competitiveness and Innovation Framework Programme from 2007 to 2013, Decision No 1926/2006/EC of the European Parliament and of the Council of 18 December 2006 establishing a programme of Community

rationalized those programmes and established that the Commission should be in a position to continue providing grants to those organizations. 90 Regarding efficiency, Regulation 1025/2012 sets the framework for effective cooperation among standardisation bodies. Recital 18 of the regulation reads that "In order to speed up the decision-making process, national standardisation bodies and European standardisation organisations should facilitate accessible information on their activities through the promotion of the use of information and communication technologies (ICT) in their respective standardisation systems, for example by providing to all relevant stakeholders an easy-to-use online consultation mechanism for the submission of comments on draft standards and by organising virtual meetings, including by means of web conferencing or video conferencing, of technical committees" 91.

The international dimension of standardisation

In a staff working paper titled European Policy Principles on International Standardisation issued in 2001, the Commission maintained that Europe has an interest in international standardisation because of its potential to eliminate technical barriers to trade and increase market access for all. International standardisation also offers the possibility to promote and disseminate technologies on a peer basis with others. 92 The EU aims at playing a proactive role in international standardisation. Recital 19 of Regulation (EC) No 1025/2012 explains that by driving the development of European or international standards for goods and technologies in the expanding markets in (major societal) areas, the Union could create a competitive advantage for its enterprises and facilitate trade, in particular for SMEs, which account for a large part of European enterprises. The Union's core international commitments in standardisation are expressed through the WTO agreement on technical barriers to trade. This agreement establishes the principle that technical regulations shall not be more trade-restrictive than necessary to fulfil a legitimate objective. 93 It also recommends the recourse to international standards wherever possible while drafting technical regulation. 94 In line with this recommendation, the European Commission and the ESOs act in coordination with the outcomes of international standardisation bodies, namely the ISO, IEC and ITU, when developing standards. International standardisation activities also receive EU support through ad hoc programmes relating to the technical assistance to, and cooperation with, third countries. 95

action in the field of consumer policy from 2007 to 2013 and Regulation (EC) No 614/2007 of the European Parliament and of the Council of 23 May 2007 concerning the Financial Instrument for the Environment (LIFE+).
90 See recital 41 of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12, See recital (18) of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12, See European Commission, European Policy Principles on International Standardisation, Staff Working Paper, SEC(2001) 1296, Brussels, , p See Art. 2.2 of WTO Agreement on Technical Barriers to Trade. According to this article, such legitimate objectives are, inter alia: national security requirements; the prevention of deceptive practices; protection of human health or safety, animal or plant life or health, or the environment.
94 See Art. 2.4 of WTO Agreement on Technical Barriers to Trade.
95 See recital (42) of Regulation (EC) No 1025/2012 of 25 October 2012, on European standardisation, OJ L 316/12,

EU financing of standardisation activities

European standardisation is largely financed by industry and private undertakings. However, the European Commission also grants financial contributions to the ESOs and other actors involved in the process of developing standards in support of the Union's legislation. This is a way to ensure that participation of small and medium-sized enterprises and societal stakeholders, which is important for accountability, is not hampered by a lack of resources. The European legislator has provided for an ad hoc framework allowing the Union to finance standardisation activities that are required to implement its policies. Decision 1673/2006/EC on the financing of European standardisation was the first compilation of rules establishing such a framework. This decision was repealed by Regulation 1025/2012, which lays down the rules that are currently in force in this area. The regulation establishes the legal basis for the financial support provided by the Union to the European standardisation system (Articles 15, 16 and 17). Union financing can be granted to the ESOs, NSBs or other bodies cooperating with the ESOs and to stakeholder organizations meeting the eligibility criteria for Union financing set out in Annex III of the regulation itself. Financial support mainly consists of grants.

Regulation (EC) No 1025/2012 and its main innovation

As mentioned above, Regulation (EC) No 1025/2012 currently provides a general and overarching regulatory framework for European standardisation. This regulation lays down the rules governing the cooperation between national and European standardisation bodies and the European Commission and it also stipulates how stakeholders from business, industry and representatives of consumers, environmental or social organisations should be involved in developing standards. Apart from the provisions already mentioned in this paper, the regulation lays down new rules for technical ICT specifications. It is also designed to encourage wider use of standards in the services sector. It addresses ICT technical specifications because such specifications are not adopted by European standardisation organizations, International Standardisation Organisations or national standardisation bodies; they are developed by other standards development organizations and do not fall in any of the categories of standards and approvals laid down in the Union's public procurement legislation. 96 As a consequence, the regulation lays down a procedure for the identification of selected ICT technical specifications eligible for referencing in public procurement (Article 13). According to recital 31 of the Regulation, the requirements for the identification of ICT technical specifications should ensure that public policy objectives and societal needs are respected (...). Compared to past rules, the regulation also introduces innovations regarding standards related to services. It covers the means by which voluntary standards for services in areas such as health care, social and social security services may be drawn up and adopted by Member States.

Summary

Standardisation in the EU contributes in a significant way to the functioning of the single market. When attempts began for the development of technical regulations applicable to the markets of Member States in the early 1970s, it quickly became evident that legislation was

96 ETSI produces a large number of technical specifications of which only some are accredited as an ES.

39 not the right instrument for the elaboration of common technical rules. An ad hoc method for the establishment of such rules had to be designed. In May 1985, the Council of Ministers introduced such a method, which became famous under the name of New Approach to technical harmonization and standards. The New Approach marked a major turning point in the evolution of standardisation policies and rules in the EU. This is principally because it moved away from the Old Approach, which tended to include detailed technical requirements into legislation. As a consequence, responsibility for working on technical rules at the EU level was delegated to the ESOs. Therefore, ESOs can receive from the European Commission mandates to develop standards based on EU legislation. This means that apart from having an economic nature, such standards have a public interest dimension. The following section provides a general overview on major policy and regulatory developments in the field of standardisation in the EU since early 1970s. It also focuses on the reasons why the need to balance accountability and efficiency criteria in the standardisation processes has been a constant objective of European Institutions. Finally, this section deals with some of the main provisions of Regulation (EC) No 1025/2012 that currently represents the most extensive and overarching regulatory text on standardisation in Europe MULTINATIONAL COLLABORATIONS IN STANDARDS DEVELOPMENT According to Chapter 2.3.1, multinational collaboration in standardisation has priority on both a national and a European level. An example for national principles is given by Germany and the German standardisation organization DIN. After receiving an application for the implementation of a standardisation project, the DIN clarifies, among other things, whether the processing should take place at the national, European or international level. 
Where appropriate, an implementation on an international or European level is preferred. If similar standardisation work on the same subject is already implemented at European level, implementation of national standardisation measures is not possible due to a "standstill agreement".[97]

On a European level, the ESOs CEN and CENELEC closely cooperate internationally with the ISO and the IEC. This close cooperation has been reflected by the signature of the Vienna Agreement (ISO-CEN) and the Dresden Agreement (IEC-CENELEC). The Vienna Agreement was signed in It was drawn up with the aim of preventing duplication of effort and reducing time when preparing standards. As a result, new standards projects are jointly planned between CEN and ISO. The Dresden Agreement was signed in 1996 with the same purpose. As a result, new electrical standards projects are now jointly planned between CENELEC and IEC, and where possible most are carried out at international level. This means that CENELEC will first offer a New Work Item (NWI) to its international counterpart. If accepted, CENELEC will cease working on the NWI. If IEC refuses, CENELEC will work on the standards content development, keeping IEC closely informed and giving IEC the opportunity to comment at the public enquiry stage.

The Dresden Agreement also determines that CENELEC and IEC vote in parallel (both organisations vote at the same time) during the standardisation process. If the outcome of the parallel voting is positive, CENELEC will ratify the European standard and the IEC will publish the international standard.[98] This close cooperation has resulted in some 75% of all European standards adopted by CENELEC being identical to or based on IEC standards. This high proportion of aligned standards is regarded as an indicator of the implementation of the WTO Agreement on Technical Barriers to Trade.

The CEN-ISO cooperation is an efficient division of labour where both organizations can refer to the expertise and resources of each other. This is especially important for cases of complementary expert knowledge. The cooperation facilitates the technical exchange between both organizations and at the same time increases the global recognition of both organizations. The ratification on the European as well as on the international level furthermore increases transparency and supports the harmonization process.

SECURITY STANDARDISATION AND CERTIFICATION IN EUROPE

INTRODUCTION

Compared with products and services in general, requirements on products and services for civil security include several specifics. Therefore their testing and approval is based on two aspects: an evaluation of product safety in general and a specific security assessment. The general evaluation covers, for example, product or operational safety, environmental safety, etc. In addition, an assessment is needed on how products, services and service providers are capable of fulfilling their intended security function. These functions include, for example, warning or protection. Here, minimum levels are determined by the state to build the foundation of the testing and certification processes. Since the state has the right to determine what to protect and how to protect it, it defines the performance requirements for some devices and technologies.[99] The secrecy of certain information about the requirements for equipment and technology justifies additional preventive protection measures, although this contradicts the aim of open and transparent standardisation, certification and accreditation.[100]

As described in Chapter 2.6, no common European market for security products exists compared with other areas. The market is highly fragmented and suffers from time-consuming and costly national certifications.[101] Member States have their own national certification systems in place. Almost no mutual recognition of certifications exists. A need for European Conformity Assessments and Certifications (CAC) is significant.[102]

[97] See DIN, Entstehung einer nationalen Norm, no date.
[98] See CEN/CENELEC, ISO and IEC, no date
[99] See Teichler et al., op. cit., 2013, p
[100] See Teichler et al., op. cit., 2013, p. 134f.
[101] See Thoma, Klaus, Positionspapier des wissenschaftlichen Programmausschusses zum nationalen Sicherheitsforschungsprogramm, ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report-Vol.I., 2011a. 1_main_report_en.pdf
[102] See ECORYS, op. cit. 2011a.

In addition, a large number of different standards and certification procedures exist, and a manufacturer that operates throughout Europe needs to acquire six to ten national certificates, usually based on separate and distinct test processes. Some Member States have implemented certification procedures for certain products, while other Member States have no approach to certify such products.[103] A key reason for the problem is the absence of common standards. ECORYS describes the problem as follows: "In the absence of agreement on common standards, it is unlikely that Member States would (voluntarily) agree to any procedure for mutual recognition of certification/approval of security products".[104] The main problems are the fragmentation of the EU security market for airport screening equipment and the lack of harmonised certification procedures and standards. At least 27 different security markets exist. This is a particular problem for SMEs.[105] The absence of appropriate solutions to certify security solutions in other Member States led to high barriers to market entry, and true economies of scale are nearly impossible.

In summary, the development of CACs is characterized by numerous challenges. ECORYS [106] identified the following issues in particular:

- Highly fragmented European market, challenges regarding future growth;
- No common (single) framework that applies to security products and the market for security products as a whole;
- Absence of common certification systems for security products;
- No mechanism of mutual recognition across countries of products certified at a national level; and
- Slow speed of response and adaptation of certification procedures, notably where new security threats require the implementation of new security solutions and technologies.

Only a few solutions exist in small areas of the European security markets. The SOGIS-MRA, for example, has long existed in this sensitive area. Common Criteria (CC), as another good example, will be described in Chapter In addition, several steps to solve the existing problems in the other security fields have been taken, but even these accomplishments bear weaknesses: "Some steps have been taken towards the development of EU-wide systems, for example the ECAC Common Evaluation Process in the aviation sector, though this applies only to certain categories of equipment and stops short of a procedure for mutual recognition of approved/certified equipment".[107]

[103] See European Commission, Action Plan for an innovative and competitive Security Industry {SWD(2012) 233 final}, Communication from the Commission to the European Parliament, the Council and the Economic and Social Committee, COM(2012) 417 final, Brussels, , p
[104] See ECORYS, op. cit., 2011a, p
[105] See DG ENTR, Roadmap Establish an EU harmonised certification system for airport screening equipment, screening_equipment_en.pdf.
[106] See ECORYS, op. cit., 2011a
[107] See ECORYS, op. cit., 2011a, p

Solutions to certify security solutions in other Member States are needed. In Germany, this was documented in 2011 in a workshop at DIN, which was attended by about 100 experts. Supported by the European industry and based on common interests of its members, the withdrawal of national certification marks was recommended. In addition, preserving existing levels of quality and simplifying test procedures (one-stop testing, one-stop certification) were regarded as important [108] (see Chapter also). ECORYS also describes such a solution, suggesting "an EU-wide accepted certification scheme with one unique label".[109] With regard to CBRNE, the members of the European project CREATIF developed a joint testing facility concept, although this has not been accepted by the stakeholder community for various reasons.[110] A need for elaborating and developing appropriate solutions remains and will be addressed in this project.

The European Commission has developed precisely defined objectives and the areas in which such measures have the highest priority. It recommends starting with airport screening (detection) equipment and alarm systems.[111] The next sub-chapter presents key documents which outline specific goals to facilitate the certification and accreditation landscape for security solutions in Europe. They illustrate the historic development of the field as well as present accomplishments.

EUROPEAN EFFORTS TOWARDS SECURITY-RELATED CAC SOLUTIONS

THE ESRIF REPORT

Many initiatives have begun in the EU since the Council Resolution of 28 October 1999 on "the Role of Standardisation in Europe,"[112] in which the Council acknowledged the important role of standards and invited the Commission to analyse the current situation of European standardisation and to respond to challenges facing the European standards system.[113] In this sense, standardisation is an integral part of the EU policies to increase the competitiveness of enterprises and to remove barriers to trade by carrying out better regulation and by simplifying legislation.

Focusing on security standardisation in Europe, the document that marks a turning point is the Mandate M/487 of 17 February 2011 addressed to CEN, CENELEC and ETSI to establish security standards. The Mandate aims at developing a work programme for the definition of European Standards and other standardisation deliverables in the area of security. It takes account of the legislative background and the drawing of a security standardisation map covering the most relevant national standards, the full range of available EU standards as well as ISO and IEC to ensure protection and security of the citizens (as the Mandate has an exclusively civil application focus).

The legislative background on security is formed by several documents. In light of modern security concerns, the European Security Research and Innovation Forum (ESRIF) was established in 2007 to develop a European Security Research and Innovation Agenda (ESRIA).[114] With a view to improving coherence at European, national and regional levels, the agenda provides a common strategic roadmap for security research and innovation with a 2030 horizon to frame. On 23rd November, ESRIF adopted its key findings and recommendations. The ESRIF report finalized in December 2009 highlighted the importance of an integrated approach to security in order to embrace, among others, four areas as seen in Figure 12.

Topics of ESRIF | Explanation
Interoperability | Implies that the resources of different Member States and EU organizations operate together effectively to carry out security tasks and missions as foreseen via common EU capability planning.
Standardisation, certification, validation | Facilitate interoperability of equipment, products, processes, and allow substitution of equipment, (i)n Europe's fragmented security market; Can contribute to building more harmonization to improve (the) region's position on the world market.
Research and innovation | Relevant EU programmes should support peacekeeping, humanitarian and crisis management tasks, including joint initiatives with other regions and international organisations, notably as regards the development of global standards.
Transparency and exchange of best practices | Means that the early engagement of all stakeholders and transparency of the regulatory environment, including standards to stimulate private sector investments in security research, (if) upcoming regulations are understood early on, a return on security investments can be foreseen and investments can thus be expected to take place.

Source: Own figure based on the ESRIF report
Figure 12: Relevant areas of ESRIF for CRISP's activities

[108] See DIN, Koordinierungsstelle Sicherheitswirtschaft im DIN, Workshop Zertifizierung 2011, no date
[109] See ECORYS, op. cit., 2011a, p. 18: stakeholder contribution, taken from the Public Consultation
[110] See Myers, op. cit., 2011, p. 2f.
[111] See DG ENTR., op. cit.,
[112] See Council of the European Union, Resolution of 28 October 1999 on the role of European standardisation in the Europe, OJ C 141,
[113] At that moment, the regulatory framework of standardisation in Europe essentially consisted of three pieces of legislation: Directive 98/34/EC of the European Parliament and the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services, OJ L 204, ; Decision 1673/2006/EC of the European Parliament and of the Council of 24 October 2006 on the financing of European standardisation, OJ L 315/9, and Council Decision 87/95/EEC of 22 December 1986 on the Standardisation in the field of information technology and telecommunications, OJ L 36,
[114] See European Security Research and Innovation Forum, ESRIF Final Report. European Security Research and Innovation Agenda (ESRIA), European Commission Publications, December

THE EUROPEAN SECURITY RESEARCH AND INNOVATION AGENDA

The European Security Research and Innovation Agenda [ESRIA, COM (2009) 691] is the final result of the two-year analysis carried out by ESRIF on security challenges facing Europe. The ESRIA includes a security R&D roadmap for the next 15 years, along with systemic requirements. According to Figure 13, the ESRIA proposal has been organized into five content clusters and differentiates research topics according to short-, medium- or long-term needs:

Cluster | Description
Cluster 1 | Centres on the classic security cycle of preventing, protecting, preparing, responding and recovering; and focuses on the securing of people, civil preparedness and crisis management.
Cluster 2 | Deals with countering different means of attack, as a way of dealing with specific, known and projected future risks; examines ways to detect and identify conventional as well as nonconventional attacks, unintended impacts of other actions, and naturally occurring incidents to mitigate their effects; and analyzes potential dangers inherent to coming technologies.
Cluster 3 | Aims at securing critical assets, such as energy, transport and other crucial infrastructures; and examines security economics and outlines the necessity to analyze and cope with limited access to critical natural resources and to secure key manufacturing capabilities and capacities in Europe.
Cluster 4 | Is about securing identity, access and movement of people and goods; and mainly centres on border security and secure identity management.
Cluster 5 | Lists cross-cutting enablers of special interest, due to cross-cutting characteristics or prior political strategic decisions; examines the crucial role of Information and Communication Technologies (ICT); and deals with security implications of European space programs.
Source: Own figure based on ESRIA (2009)
Figure 13: Clusters of ESRIA

ESRIA sets out policy and operational recommendations for achieving stronger security research and innovation results: Enhanced transnational cooperation; Stronger articulation of demand and delivery of the most appropriate solutions, Integrated approach to security; Global dimension of EU's civil security as a collective responsibility touching governments, societal organisations; Industrial and individual citizens; and Transparency involving all stakeholders to implement ESRIA and reevaluation of the roadmap.

The nature of the integrated approach is described as follows: "Effective civil security must embrace interoperability, standardisation, certification, validation, communication with the public, education & training, exchange of best practices, consultations on privacy issues and other factors that cut across public and private spheres and provide synergies between civil security and defence research fields".[115]

COMMUNICATION ON REACTION TO ESRIF

The Communication COM (2009) 691, 21 December 2009, "A European Security Research and Innovation Agenda - Commission's initial position on ESRIF's key findings and recommendations"[116] essentially summarized the ESRIF report and the ESRIA proposal. Notably, it remarked that in order to harvest innovation and growth tomorrow it is required to invest now in an ambitious industrial policy for the security sector. The most relevant conclusions of the preliminary reaction on both documents are:

- Security is first and foremost human and societal: One of the EU's main objectives is to preserve and develop the European values of justice, freedom, and security whilst addressing the increasingly complex security challenges. The EU must strengthen the legal and ethical dimensions of all security solutions to guarantee the rights and freedoms of individuals, particularly as they relate to privacy. In addition, it [the EU] must reinforce the societal dimension of security technologies to ensure that they allow societies to effectively respond to risks and losses ("societal resilience").[117]
- Improve the competitiveness of the European Security Industry by
  - Putting in place certification, standardisation and validation, notably as regards the applicability and efficacy of a "European Security Label";
  - Creating the possibility to bring the most innovative security sectors into the Lead Market Initiative;[118] and
  - Providing a Security Research and Development (R&D) roadmap for security missions and priorities either within the framework of the current FP7 or in preparation of the future framework programme.
The goals in the fields of certification, standardisation and validation are described as follows: "Based on the requirements of the end-users and the results of research, new technologies and solutions need not only to be validated; they should also be certified and where appropriate standardised, so they can become part of an effective response to security threats. R&D activities should be linked to a clear validation and procurement strategy that takes into account the relevant policy issues as well as economic interests. This should promote the creation of a European security market and better cooperation among security stakeholders at national and European levels."[119]

[115] European Security Research and Innovation Agenda (ESRIA), op. cit., December
[116] See European Commission, A European Security Research and Innovation Agenda - Commission's initial position on ESRIF's key findings and recommendations, Communication from the Commission, COM (2009) 691 final, Brussels,
[117] See European Commission, op. cit., 2009, p
[118] The Lead Market Initiative (LMI) was launched by the European Commission in December 2007 following the EU's 2006 broad based Innovation Strategy. It aims to foster the emergence of lead markets with high economic and societal value (eHealth, protective textiles, sustainable construction, recycling, bio-based products and renewable energies) and sets up diversified policy instruments to facilitate the translation of technological and non-technological innovation into commercial products and services (legislation, public procurement, standardisation, labelling and certification and other complementary instruments). Source: European Commission, A lead market initiative for Europe, Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, COM (2007) 860 final, Brussels,

COMMUNICATION TOWARDS AN INCREASED CONTRIBUTION FROM STANDARDISATION TO INNOVATION IN EUROPE

The Communication Towards an Increased Contribution From Standardisation to Innovation in Europe [COM (2008) 133][120] responds to the increasing attention that Europe is paying to innovation issues and underlines the contribution that standards could and should make to innovation (policy). The contribution of standardisation to innovation follows from the fact that Standardisation complements market-based competition, typically in order to achieve objectives such as the interoperability of complementary products/services, and to agree on test methods and on requirements for safety, health, organisational and environmental performance. Standardisation also has a dimension of public interest, in particular whenever issues of safety, health, security and of the environment are at stake.

Finally, it is stated that The appropriate use of standards in public procurement may foster innovation, while providing administrations with the tools needed to fulfil their tasks. Instead of prescribing particular technical solutions, the use of technology-neutral standards allows contracting authorities to call for advanced performance and functional requirements (e.g. relating to environmental aspects or to accessibility for all), thus stimulating the search for innovative technologies that provide best value for money in the long term, while ensuring safety and interoperability.

The Commission notes that The European identity and the visibility of European standardisation, both inside Europe and in the world, need to be reinforced. In order to uphold the responsibility for the continuous improvement of European standardisation, the Commission identified nine key elements for focussing EU standardisation policy on innovation.
In the context of this report the items of Figure 14 are important:

[119] See European Commission, op. cit., p
[120] See European Commission, Towards an increased contribution from standardisation to innovation in Europe, Communication from the Commission to the Council, the European Parliament and the European Economic and Social Committee, COM (2008) 133 final, Brussels,

Source: Own figure based on European Commission (2008)[121]
Figure 14: Relevant items of COM (2008) 133

Although the role of standards is highlighted, this Communication, like related documents, does not address the importance of harmonized conformity assessment.

STOCKHOLM PROGRAMME

The Stockholm Programme,[122] adopted by the European Council in December 2009, provides a roadmap for EU work in the area of justice, freedom and security for the period The Programme invites the Council and Commission to develop the Internal Security Strategy (ISS), with a vision of improving the protection of citizens and the fight against organised crime and terrorism by ensuring that the strategy's priorities are tailored to the real needs of users and focus on improving interoperability.[123]

Pursuant to this, the European Commission published a Communication in November 2010 aiming to put the EU Internal Security Strategy into action. The Communication COM (2010) envisages five key strategic objectives for the EU's internal security for the period : disrupt organised crime, prevent terrorism, raise levels of security in cyberspace, strengthen external borders management and increase the EU's resilience to natural disasters. Security research plays a crucial role in achieving those goals.

MANDATE M/487

The need for a more harmonized European framework to enhance the competitiveness of the EU security industry was concluded by the Research for a Secure Europe (2004)[125] and the 2009 ECORYS[126] and 2011 ECORYS[127] studies on security competitiveness and regulation. More harmonized European regulatory frameworks and standards have begun to take shape in the field of security, encouraged by the development of the EU Security Industrial Policy.[128] In particular, this is taking place within the CEN/CENELEC/ETSI framework under Mandate M/487 on Security Standards[129] to develop a work programme for the definition of European Standards and other standardisation deliverables in the area of security (where security refers to protection against threats by terrorism, serious and organized cross-border crime, natural disasters, pandemics and major technical accidents, excluding defence and space technologies).

M/487 is a mandate issued to ESOs in February 2011, including two phases: identification of priority areas for standardisation (2011 to May 2012)[130] and identification of the specific standardisation needs in the selected areas and development of standardisation programmes with roadmaps per sector (January November 2013). Its overall objectives are shown in Figure

[121] See European Commission, op. cit., 2008, div. pages.
[122] See European Commission, Delivering an area of freedom, security and justice for Europe's citizens. Action Plan Implementing the Stockholm Programme, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM 2010 (171) final, Brussels,
[123] European Commission, op. cit., 2009, p. 19.
[124] See European Commission, The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, Communication from the Commission to the European Parliament and the Council, COM (2010) 673 final, Brussels,
[125] See European Commission, Report of the Group of Personalities in the field of Security Research, Research for a Secure Europe, European Communities, Rapporteur Burkard Schmitt, Luxembourg,
[126] See ECORYS, Study on the Competitiveness of the EU security industry. Within the Framework Contract for Sectoral Competitiveness Studies ENTR/06/054, Final Report, Brussels, 15 November
[127] See ECORYS, Security Regulation, Conformity Assessment & Certification. Final Report Volume I: Main Report, Brussels, October _main_report_en.pdf.
[128] See European Commission, op. cit.,
[129] See European Commission, Programming Mandate Addressed to CEN, CENELEC and the European Telecommunications Standards, M/487, Brussels, ftp://ftp.cencenelec.eu/cenelec/europeanmandates/m_487.pdf.
[130] To this aim, CEN is coordinating, through CEN/TC 391 Societal and citizen security, the response to M/487. The Committee investigated with several industry players and public authorities priorities for future standardisation activities in three security thematic areas set out in the above mentioned European Commission, Security Industrial Policy. Action Plan for innovative and competitive security industry, European Commission, op. cit., 2012: (1) Chemical, Biological, Radiological, Nuclear and Explosives (CBRN-E); (2) Border Security automated border control systems (ABC), as well as biometric identifiers; (3) Crisis Management and Civil Protection including communication and organizational interoperability.

Source: Own figure
Figure 15: Objectives of Mandate M/487

The Commission document states that work for developing and setting these standards "should be undertaken in close cooperation with the widest possible range of interested groups" and with the involvement of the different stakeholders and operators, particularly end users and SMEs. According to Figure 16, the Mandate defines three security areas:

Security field | Description
Security of the Citizens | Protection against organized crime, terrorism as well as chemical, biological, radiological and nuclear threats, explosives and fire hazard
Security of infrastructures and utilities | (Protection of) building design, energy/transport communication grids, surveillance and supply chains
Border Security | Security of land borders/check points, sea borders and air borders

Source: Own figure
Figure 16: Security areas based on Mandate M/

ACTION PLAN FOR AN INNOVATIVE AND COMPETITIVE SECURITY INDUSTRY

The Action Plan for an Innovative and Competitive Security Industry [COM(2012) 417] was communicated in July 2012 and has three particular objectives: overcoming the fragmentation of the EU security market, reducing the gap from research to market and better integration of

Technical security standardization aspects. PRACTICE Workshop on Standardization

Technical security standardization aspects. PRACTICE Workshop on Standardization Technical security standardization aspects PRACTICE Workshop on Standardization Alina Iatan CEN-CENELEC, Brussels, 22 September 2014 1 CONTENT Standardization- a unique system CEN deliverables CBRN-related

More information

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. Space, Security and GMES Security Research and Development

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. Space, Security and GMES Security Research and Development Ref. Ares(2011)193990-22/02/2011 EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL Space, Security and GMES Security Research and Development Brussels, 17 th February 2011 M/487 EN PROGRAMMING

More information

COMMITTEE ON STANDARDS AND TECHNICAL REGULATIONS (98/34 COMMITTEE)

COMMITTEE ON STANDARDS AND TECHNICAL REGULATIONS (98/34 COMMITTEE) EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL Regulatory Policy Standardisation Brussels, 9 th November 2005 Doc.: 34/2005 Rev. 1 EN COMMITTEE ON STANDARDS AND TECHNICAL REGULATIONS (98/34

More information

TECHNICAL BOARD BT N 9776. Draft BT C135/2014. CEN/BT by correspondence. For vote Issue date: 2014-11-19

TECHNICAL BOARD BT N 9776. Draft BT C135/2014. CEN/BT by correspondence. For vote Issue date: 2014-11-19 BT N 9776 Draft BT C135/2014 TECHNICAL BOARD CEN/BT by correspondence For vote Issue date: 2014-11-19 Simultaneous circulation to CENELEC/BT Deadline: 2015-02-17 SUBJECT Creation of a new CEN/TC Private

More information

CEN and CENELEC response to the EC Consultation on Standards in the Digital Single Market: setting priorities and ensuring delivery January 2016

CEN and CENELEC response to the EC Consultation on Standards in the Digital Single Market: setting priorities and ensuring delivery January 2016 CEN Identification number in the EC register: 63623305522-13 CENELEC Identification number in the EC register: 58258552517-56 CEN and CENELEC response to the EC Consultation on Standards in the Digital

More information

CEN-CENELEC reply to the European Commission's Public Consultation on demand-side policies to spur European industrial innovations in a global market

CEN-CENELEC reply to the European Commission's Public Consultation on demand-side policies to spur European industrial innovations in a global market CEN Identification number in the EC register: 63623305522-13 CENELEC Identification number in the EC register: 58258552517-56 CEN-CENELEC reply to the European Commission's Public Consultation on demand-side

More information

Internet of Things - Internet of the Future" Workshop in Oslo 2012 02 01

Internet of Things - Internet of the Future Workshop in Oslo 2012 02 01 Internet of Things - Internet of the Future" Workshop in Oslo 2012 02 01 The IoT Value Creation Network, Norway Project in the VERDIKT-program The Research Council of Norway Today s Focus CEN and Internet

More information

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL Innovation policy Technology for innovation; ICT industries and E-business Brussels, 7 th December 2005 DG ENTR/D4 M 376 - EN STANDARDISATION

More information

COMMISSION STAFF WORKING DOCUMENT. Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe'

COMMISSION STAFF WORKING DOCUMENT. Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' EUROPEAN COMMISSION Brussels, 2.7.2014 SWD(2014) 214 final COMMISSION STAFF WORKING DOCUMENT Report on the Implementation of the Communication 'Unleashing the Potential of Cloud Computing in Europe' Accompanying

Accreditation in Europe Accreditation in Europe Facilitating regulatory compliance and international trade ACCREDITATION INSPECTION TESTING CALIBRATION EXAMINATION VERIFICATION CERTIFICATION About the EA The EA is appointed by

ROLE OF THE APEC SPECIALIST REGIONAL BODIES ELEMENTS OF THE STANDARDS AND CONFORMANCE INFRASTRUCTURE Why is the Standards and Conformance Infrastructure important? ~ Improves everyday

Council of the European Union Brussels, 4 July 2014 (OR. en) Mr Uwe CORSEPIUS, Secretary-General of the Council of the European Union Council of the European Union Brussels, 4 July 2014 (OR. en) 11603/14 ADD 1 COVER NOTE From: date of receipt: 2 July 2014 To: No. Cion doc.: Subject: RECH 323 TELECOM 140 MI 521 DATAPROTECT 100 COMPET

CE Marking: Your Key to Entering the European Market CE Marking: Your Key to Entering the European Market N. Gerard Zapiain U.S. Department of Commerce International Trade Administration Office of Microelectronics, Medical Equipment and Instrumentation I.

Volker Jacumeit, DIN e. V. ILNAS Workshop CSCG Presentation June 4, 2015 Volker Jacumeit, DIN e. V. ILNAS Workshop CSCG Presentation June 4, 2015 Cyber Security Coordination Group Who we are: Advisory body of the European Standards Organizations Composed of experts from CEN/CLC

English version. Specifications for a Web Accessibility Conformity Assessment Scheme and a Web Accessibility Quality Mark CEN WORKSHOP CWA 15554 June 2006 AGREEMENT ICS 35.240.99 English version Specifications for a Web Accessibility Conformity Assessment Scheme and a Web Accessibility Quality Mark This CEN Workshop Agreement

Guidance Note on the Construction Products Regulation Guidance Note on the Construction Products Regulation Version 1 - April 2012 APPROVAL INSPECTION TESTING CERTIFICATION TECHNICAL APPROVALS FOR CONSTRUCTION Guidance Note on the Construction Products Regulation

IAF Informative Document. IAF Informative Document for the Transition of Management System Accreditation to ISO/IEC 17021:2011 from ISO/IEC 17021:2006 IAF ID 2:2011 International Accreditation Forum, Inc. IAF Informative Document IAF Informative Document for the of Management System Accreditation to ISO/IEC 17021:2011 from (IAF ID 2:2011) The International

Sector Forum i Europa New proposals for Standards. Dr. Bernard GINDROZ, SFEM Chair Sector Forum i Europa New proposals for Standards Dr., SFEM Chair Agenda 1. European and International Standards Organizations 2. CEN/CENELEC Sector Forum Energy Management About CEN and CENELEC SFEM :

Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me? EUROPEAN COMMISSION MEMO Brussels, 27 September 2012 Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me? See also IP/12/1025 What is Cloud Computing? Cloud

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems IAF MD 2:2007. International Accreditation Forum, Inc. IAF Mandatory Document IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (IAF MD 2:2007) IAF MD2:2007 International

COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 28.11.2008 COM(2008) 798 final COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

Today's state-of-the-art global solutions for CEOs. ISO International Standards. Why International Standards have to be on the leadership agenda Leaders in business, government and civil society face multiple

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION. of 12.5.2009 COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 12.5.2009 C(2009) 3200 final COMMISSION RECOMMENDATION of 12.5.2009 on the implementation of privacy and data protection principles in applications supported

CEN/CENELEC/ETSI Cyber Security Coordination Group (CSCG) CEN/CENELEC/ETSI Cyber Security Coordination Group (CSCG) White Paper No. 01 Recommendations for a Strategy on European Cyber Security Standardisation CSCG White Paper No. 01 Contents 1 Executive Summary...

Standards and accreditation. Tools for delivering better regulation Introduction Standards and accreditation are market-based tools that can be used by Government policy makers to deliver better regulation.

ÖNORM EN 1504-8. The European Standard EN 1504-8 has the status of an Austrian Standard. Edition: 2005-02-01. Standards group B ÖNORM EN 1504-8 Edition: 2005-02-01 Standards group B Identical (IDT) with EN 1504-8:2004 ICS 91.080.40 Products and systems for the protection and repair of concrete structures Definitions, requirements,

IAF Mandatory Document IAF MD15:2014. IAF Mandatory Document IAF MANDATORY DOCUMENT FOR THE COLLECTION OF DATA TO PROVIDE INDICATORS OF MANAGEMENT SYSTEM CERTIFICATION BODIES PERFORMANCE (IAF MD15:2014) Issued: 14 July 2014

ENISA workshop on Security Certification of ICT products in Europe ENISA workshop on Security Certification of ICT products in Europe Introduction On 16th of March 2016 ENISA organised a workshop aiming at bringing together stakeholders from the ICT security certification

An Overview of ISO/IEC 27000 family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

Standardising the Internet of Things: Is Today's System Adequate? Kai Jakobs A Bit of Motivation The IoT represents another paradigm shift in communication initially, communication occurred between humans,

IAF Mandatory Document. Witnessing Activities for the Accreditation of Management Systems Certification Bodies. Issue 1, Version 2 (IAF MD 17:2015) IAF Mandatory Document Witnessing Activities for the Accreditation of Management Systems Certification Bodies (IAF MD 17:2015) Witnessing Activities for the Accreditation Page 2 of 18 The (IAF) facilitates

Mandate M-403: ehealth Interoperability. Karl Øyri Intervensjonseteret, Rikshospitalet HF Mandate M-403: ehealth Interoperability Karl Øyri Intervensjonseteret, Rikshospitalet HF M-403: Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the field of Information

Code of Practice on Electronic Invoicing in the EU CEN/WS einvoicing Phase 3 Date: 2011-11 CEN Workshop AgreementTC WI Secretariat: NEN Code of Practice on Electronic Invoicing in the EU Status: for public review (23 November 2011-23 January 2012) ICS:

ONR CEN/TS 419241. Security Requirements for Trustworthy Systems Supporting Server Signing (prcen/ts 419241:2013) DRAFT ICS 35.240. ICS 35.240.99 DRAFT ONR CEN/TS 419241 Security Requirements for Trustworthy Systems Supporting Server Signing (prcen/ts 419241:2013) Sicherheitsanforderungen für Vertrauenswürdige Systeme, die Serversignaturen

The Role of Research and Universities in Standardisation and Regulatory Activities The Role of Research and Universities in Standardisation and Regulatory Activities MARS Group meeting September 2013 doc. Ing. Marta Orviska, PhD. Faculty of Economics, Matej Bel University, Banska Bystrica,

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Date(s) of Evaluation: CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Assessor(s) & Observer(s): Organization: Area/Field

Industry use of Standards and how PPM fits with those Standards Industry use of Standards and how PPM fits with those Standards Wolfgang Kresse EuroSDR, ISO/TC 211 Germany kresse @hs-nb.de 1 What is the legal status of a standard? ISO International Organization for

The National Quality Infrastructure The National Quality Infrastructure Standards define how products, processes, and people interact with each other and their environments. They enhance competitiveness by offering proof that products and

IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:2013 from ISO/TS 22003:2007 IAF Informative Document IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:2013 from ISO/TS 22003:2007 (IAF ID 8:2014) Page 2 of 6 The (IAF) details

Info 15:2 TRAINING 2015/2016. Info 13:19 Info 15:2 TRAINING 2015/2016 Info 13:19 1 2 Info 13:19 S WELCOME TO SWEDAC ACADEMY... 4 TRAINING PROGRAM AND COURSES 2015/2016... 7 1. HOW TO RUN AN ACCREDITATION BODY ISO/IEC 17011... 7 2. LEAD ASSESSOR

RECOMMENDATIONS COMMISSION 16.5.2009 Official Journal of the European Union L 122/47 RECOMMENDATIONS COMMISSION COMMISSION RECOMMENDATION of 12 May 2009 on the implementation of privacy and data protection principles in applications

INTEGRATING STANDARDS IN YOUR HORIZON 2020 PROJECT. Linking R&D and Standardization: a pocket guide for project proposers Table of contents Standards support research & innovation Do you need standards?

TRAINING AND PROMOTION OF THE EUROCODES TRAINING AND PROMOTION OF THE EUROCODES Support to the implementation, harmonization and further development of the Eurocodes H. Gulvanessian, A. Pinto, S. Dimova, G. Tsionis, M. Geradin EUR 22857 EN -

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof, 28.8.2014 Official Journal of the European Union L 257/73 REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic

xxxxx Conformity assessment Requirements for third party certification auditing of environmental management systems - competence requirements NEW WORK ITEM PROPOSAL Date of presentation 2011-02-25 Reference number (to be given by the Secretariat) Proposer ISO/TC 207/SC 2 ISO/TC 207 / SC 2 N 251 Secretariat NEN A proposal for a new work item

Memorandum of Understanding Memorandum of Understanding between Department for Business, Innovation and Skills and United Kingdom Accreditation Service Page 1 of 13 Contents 1 Purpose... 3 2 Background... 3 3 Scope of activity...

ETSI TS 102 042: Electronic Signatures and Infrastructures (ESI): Policy Abbreviations AIS BGBl BNetzA BSI CC CEM CSP DAR DATech DIN EAL ETR ETSI ISO IT ITSEC ITSEF ITSEM JIL PP SF SigG SigV SOF Anwendungshinweise und Interpretationen zum Schema [Guidance and Interpretations

Energy Management Systems. Motor Summit 2012 2012 Zürich, November 4, 2012 Heinz - Jochen POREMSKI Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit Berlin 1 (EnMS) - ISO 50001 2 Contents Objectives and Benefits of Standards Strategies

The Benefits of Accreditation for Developing Countries The Benefits of Accreditation for Developing Countries Background /Context: Nature and Scope of Paper: All or most developed countries currently enjoy the trade benefits which flow from national accreditation

IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:201X from ISO/TS 22003:2007 IAF Informative Document IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:201X from ISO/TS 22003:2007 (IAF ID X:201X) Page 2 of 6 The (IAF) details

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. on electronic invoicing in public procurement. (Text with EEA relevance) EUROPEAN COMMISSION Brussels, 26.6.2013 COM(2013) 449 final 2013/0213 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic invoicing in public procurement (Text with

Accreditation according to ISO/IEC 17025 in Europe. Historic EA Europeing Accreditation Assessment Experience from Technical assessment Accreditation according to ISO/IEC 17025 in Europe Historic EA Europeing Accreditation Assessment Experience from Technical assessment 1 In year 1803 the foots in Europe had a big differences, depending

Conformity assessment Requirements for bodies providing audit and certification of management systems BRITISH STANDARD Conformity assessment Requirements for bodies providing audit and certification of management systems The European Standard has the status of a British Standard ICS 03.120.20 BS EN ISO/IEC

Selection and use of the ISO 9000 family of standards Selection and use of the ISO 9000 family of standards ISO and international standardization ISO/TC 176, Quality management and quality assurance ISO is the International Organization for Standardization.

Software Quality. Unit9. Software Quality Standards Software Quality Unit9. Software Quality Standards 1 Standards A Standard is a document of voluntary application, containing technical specifications based on experience and technological development results.

Standards for Cyber Security Best Practices in Computer Network Defense: Incident Detection and Response M.E. Hathaway (Ed.) IOS Press, 2014 2014 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-372-8-97 97

Private Certification to Inform Regulatory Risk-Based Oversight: Discussion Document Private Certification to Inform Regulatory Risk-Based Oversight: Discussion Document 1 Table of Contents INTRODUCTION... 3 BACKGROUND... 3 PRIVATE CERTIFICATION SCHEMES VS. REGULATORY STANDARDS... 3 PRIVATE

OIML D 18 DOCUMENT. Edition 2008 (E) ORGANISATION INTERNATIONALE INTERNATIONAL ORGANIZATION INTERNATIONAL DOCUMENT OIML D 18 Edition 2008 (E) The use of certified reference materials in fields covered by metrological control exercised by national services of legal metrology. Basic principles

ETSI TS 119 403 V2.1.1 (2014-11) TS 119 403 V2.1.1 (2014-11) TECHNICAL SPECIFICATION Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing

Form 1: Proposal for a new field of technical activity Form 1: Proposal for a new field of technical activity Circulation date: Click here to enter text. Closing date for voting: Click here to enter text. Proposer: ESMA Reference number (to be given by Central

ETSI TS 102 640-3 V1.1.1 (2008-10) Technical Specification TS 102 640-3 V1.1.1 (2008-10) Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Architecture, Formats and Policies; Part 3: Information Security

A uniform risk acceptance criterion for technical systems. ETCS Prüfcenter Wildenrath, Interoperability on Corridor A. Siemens Braunschweig, October 2007 Prof. Dr. Jens Braband 2007 TS

IAF Mandatory Document IAF-MD 11:2013 IAF Mandatory Document IAF MANDATORY DOCUMENT FOR THE APPLICATION OF ISO/IEC 17021 FOR AUDITS OF INTEGRATED MANAGEMENT SYSTEMS (IAF MD 11: 2013) 2013 Page 2 of 12 The (IAF) details criteria

DRAFT ÖNORM EN 16602-40-12 DRAFT ÖNORM EN 16602-40-12 Edition: 2013-12-15 Space product assurance Fault tree analysis Adoption notice ECSS/IEC 61025 Raumfahrtproduktsicherung Fehlerbaumanalyse Adoption notice ECSS/IEC 61025 Assurance

COPYRIGHT Danish Standards. NOT FOR COMMERCIAL USE OR REPRODUCTION. DS/EN 1515-1:2000 EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM EN 1515-1 November 1999 ICS 21.060.10; 21.060.20; 23.040.60 English version Flanges and their joints - Bolting - Part 1: Selection of bolting Brides

What is ATEX? The European Regulatory Framework for Manufacture, Installation and Use of Equipment in Explosive Atmospheres What is ATEX? The European Regulatory Framework for Manufacture, Installation and Use of Equipment in Explosive Atmospheres Ron Sinclair MBE Chair IECEx ExTAG ATEX? ATEX = Atmosphères Explosibles ATEX

EUROPEAN COMMISSION Enterprise and Industry DG EUROPEAN COMMISSION Enterprise and Industry DG EUROPEAN COMMISSION Internal Market and Services DG THE EUROPEAN MULTI STAKEHOLDER FORUM ON E-INVOICING: ACHIEVEMENTS AND THE WAY AHEAD Introduction The European

Asset Management Policy March 2014 Asset Management Policy March 2014 In February 2011, we published our current Asset Management Policy. This is the first update incorporating further developments in our thinking on capacity planning and

OPEN INTERNATIONAL MARKETS INCREASE MARKET CONFIDENCE CREATE COMPETITIVE ADVANTAGE A PLATFORM FOR INNOVATION National Standardization Strategic Framework OPEN INTERNATIONAL MARKETS INCREASE MARKET CONFIDENCE A PLATFORM FOR INNOVATION CREATE COMPETITIVE ADVANTAGE Foreword Standards influence everything we do.

Application of ISO/IEC 17011 for the Accreditation of Food Safety Management Systems (FSMS) Certification Bodies IAF Mandatory Document Application of ISO/IEC 17011 for the Accreditation of Food Safety Management Systems (FSMS) Certification Bodies (IAF MD 16:2015) Version 2 Food Safety Management Systems (FSMS)

International Requirements for Organic Certification Bodies (IROCB) International Requirements for Organic Certification Bodies (IROCB) ii International Requirements for Organic Certification Bodies (IROCB) An initiative of the United Nations Conference on Trade and Development

Roadmap to a Sustainable Pan-European Certification of EHR Systems A deliverable of the European project EHR-Q TN Roadmap to a Sustainable Pan-European Certification of EHR Systems A deliverable of the European project EHR-Q TN François Wisniewski CRP Henri Tudor SANTEC, Luxembourg Regional Conference: EHR Systems

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998 Publication Reference EA IAF/ILAC-A4: 2004 EA IAF/ILAC Guidance on the Application of ISO/IEC 17020:1998 PURPOSE This guidance document is for ISO/IEC 17020: General Criteria for the operation of various

Improving international and European healthcare standardization to meet global safety, regulatory and market needs Improving international and European healthcare standardization to meet global safety, regulatory and market needs A discussion paper from EUCOMED Executive Summary This paper has been produced in order

Horizon 2020 Secure Societies Horizon 2020 Secure Societies Khoen Liem Policy and Research in security DG Enterprise and Industry Vienna, 18 Nov. 2013i 2013 1 Security research & the 7 th Framework Programme (FP7) FP7-Security (2007-2013):

UEAPME - SME FIT II. Training Tool Standardisation and Certification. by Karine Iffour NORMAPME PHARE Business Support Programme III of the European Union for Bulgaria, Croatia, Romania, Turkey UEAPME - SME FIT II Training Tool Standardisation and Certification by Karine Iffour NORMAPME This project

Cloud for Europe trusted Cloud Services for the European market for public administrations Cloud for Europe trusted Cloud Services for the European market for public administrations Public sector challenges (European egovernment Action Plan 2011-2015) 2 Establishing a Trusted Cloud Europe A

Standards in the Digital Single Market: setting priorities and ensuring delivery Case Id: 7ea2081f-7496-473e-a25f-805fd92c4aad Date: 04/01/2016 19:19:44 Standards in the Digital Single Market: setting priorities and ensuring delivery Fields marked with are mandatory. General information

Free Movement of Goods Free Movement of Goods August 2014 The importance of trade Trade in goods and services represents an important part of the gross domestic product (GDP) of the four members of the European Free Trade Association

TG 47-01. TRANSITIONAL GUIDELINES FOR ISO/IEC 17021-1:2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES TRANSITIONAL GUIDELINES FOR ISO/IEC 17021-1:2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES Approved By: Senior Manager: Mpho Phaloane Created By: Field Manager: John Ndalamo Date of Approval:

EUROPEAN ECONOMIC AREA STANDING COMMITTEE OF THE EFTA STATES 27 September 2012 SUBCOMMITTEE IV ON FLANKING AND HORIZONTAL POLICIES EEA EFTA Comment on the Proposal

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013 Security framework Guidelines for trust services providers Part 1 Version 1.0 December 2013 European Union Agency for Network and Information Security www.enisa.europa.eu Security framework Guidelines

International Accreditation Forum, Inc. IAF ML 3:2012 IAF MLA Document GUIDANCE FOR RESPONDING TO INQUIRIES ON IAF MLA SIGNATORY EQUIVALENCE AND ON THE ACCEPTANCE OF CERTIFICATION DOCUMENTS (IAF ML 3:2012) SIGNATORY EQUIVALENCE AND ON ACCEPTANCE

American National Standards. value of the ANS designation American National Standards value of the ANS designation accreditation and approval The American National Standards Institute (ANSI) coordinates, facilitates, and promotes the development of voluntary

Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND ICT SECURITY December 2013 Presidency of the Council of Ministers THE NATIONAL PLAN FOR CYBERSPACE PROTECTION AND

Georgios Katsarakis, European Commission. Implementing the Construction Products Regulation (EU) 305/2011 G. Katsarakis European Commission, DG Enterprise and Industry Unit B-1: Sustainable Industrial

NIST-Workshop 10 & 11 April 2013 NIST-Workshop 10 & 11 April 2013 EUROPEAN APPROACH TO OVERSIGHT OF "TRUST SERVICE PROVIDERS" Presented by Arno Fiedler, Member of European Telecommunications Standards Institute Electronic Signatures and

26.3.2014 A7-0365/133 26.3.2014 A7-0365/133 Amendment 133 Amalia Sartori on behalf of the Committee on Industry, Research and Energy Report A7-0365/2013 Marita Ulvskog Electronic identification and trust services for electronic

IAF Informative Document. Transition Planning Guidance for ISO 9001:2015. Issue 1 (IAF ID 9:2015) IAF Informative Document Transition Planning Guidance for ISO 9001:2015 Issue 1 (IAF ID 9:2015) Issue 1 Transition Planning Guidance for ISO 9001:2015 Page 2 of 10 The (IAF) facilitates trade and supports

Information Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management

SUPPLY CHAIN SECURITY: THE CUSTOMS COMMUNITY'S RESPONSE World Customs Journal Abstract Kunio Mikuriya The international customs community has developed measures to secure and facilitate global trade which

4 PAYMENT CARD SECURITY IN THE CONTEXT OF EUROPEAN HARMONISATION 4 PAYMENT CARD SECURITY IN THE CONTEXT OF EUROPEAN HARMONISATION The Observatory for Payment Cards Security took note of the development in 2005 of two proposals for harmonising card payments in Europe.

Roadmap towards Sustainable Pan- European Certification of EHR System Synthesis of the deliverable of the European project EHR-Q TN Roadmap towards Sustainable Pan- European Certification of EHR System Synthesis of the deliverable of the European project EHR-Q TN François Wisniewski, Jos Devlies, Icíar Abad CRP Henri Tudor, Luxembourg

(Draft) Transition Planning Guidance for ISO 9001:2015 ISO/TC 176/SC2 Document N1223, July 2014 (Draft) Transition Planning Guidance for ISO 9001:2015 ISO 9001 Quality management systems Requirements is currently being revised. The revision work has reached

Foundation Bridge in IT Service Management (ITSM) according to ISO/IEC 20000. Specification Sheet. ISO/IEC 20000 Foundation Bridge TÜV SÜD Akademie Foundation Bridge in IT Service Management (ITSM) according to ISO/IEC 20000 Specification Sheet TÜV SÜD Akademie Issue: 2.0 Date: 25 October 2012 Table of Contents 1 Reading aid... 4 2 ISO/IEC 20000 -

QUALITY MANAGEMENT IN VTS CHAPTER 18: QUALITY MANAGEMENT IN VTS Background At its twenty-fourth session, the IMO Assembly adopted resolution A.973(24) on the Code for the Implementation of Mandatory IMO Instruments and resolution

The European Entrepreneur Exchange Programme The European Entrepreneur Exchange Programme Users Guide 2 Contents 1.0 Introduction... 5 2.0 Objectives... 6 3.0 Structure... 7 3.1 Basic elements... 7 3.2 Four phases... 8 4.0 Implementation... 9 4.1
