Carlos Galán Pascual, PhD in Computer Science, lawyer and professor at the Carlos III University, Madrid, is an advisor to the Spanish National Cryptological Centre, Centro Criptológico Nacional (attached to the Spanish National Intelligence Centre, Centro Nacional de Inteligencia) on technological law, cybersecurity law, the National Security Scheme (ENS), and transposition of European directives, among other activities. He also participates as a member of the Group of Experts drafting the National Cybersecurity Strategy and is a member of the European Artificial Intelligence Alliance. Since 2016, he has combined this with his work as an expert in product certification (UNE-EN ISO/IEC 17065) at ENAC for the National Security Scheme and the EU Regulation of Electronic Identity and Trust Services.

In the following interview, Professor Dr. Carlos Galán analyzes the cybersecurity advances in Spain and the value accreditation provides to the adopted security measures.

 

As an expert in the field, what contribution has ENAC accreditation been making to cybersecurity in Spain?

A huge and absolutely essential one. At present, we can affirm, without a doubt, that Spain has the best cybersecurity assessment and certification scheme in Europe, built on the basis of Royal Decree 311/2022 regulating the National Security Scheme (ENS), of which I am honored to have been a member of its drafting team and whose application scope extends not only to all public sector bodies (public administrations and institutional public sector), but also to what has been called the "supply chain", and which includes all those private bodies that participate in providing electronic competency services to public bodies.

The 30 November is the International Day of Information Security. What role in this field does the National Security Scheme (ENS) and accreditation play in our country?

Spain, like the rest of Western countries, needs to provide itself with mechanisms capable of dealing with and responding to multiple incidents and aggressions, often deliberate, by hostile agents; whether criminal organizations, foreign states seeking to undermine our institutions or access relevant strategic information or hacktivist groups. All of them, especially the above-mentioned, become worrying adversaries for our country, its institutions, and its values. It is therefore necessary to have methods, procedures, and tools to prevent, detect and react to such aggressions, and mitigate the impact of such attacks, when it has not been possible to stop them in time.

Therefore, it has been necessary to build a model of cybersecurity guarantees - our National Security Scheme, which aims to provide the information systems used by the bodies within its application scope with the best guarantees to ensure services are available electronically, and to guarantee the processed information's integrity, confidentiality, authenticity, and traceability.

But that's not all. In addition to helping provide the systems with the best security guarantees, it is necessary, based on transparency and reliability, that it should preside over public bodies' actions, to have evidence capable of transmitting this confidence to the end-users of our efforts: citizens, professionals, companies, and institutions of our country. Therefore, in 2016 the ENS certification scheme was created, aiming to ensure that all those bodies that have passed the corresponding certification audit, carried out by an ENAC-accredited certification body, can display on their websites or electronic sites the corresponding distinction in accordance with the ENS, which will guarantee, erga omnes, the adequate adopted security measures and compliance with the ENS.

Having extensive experience in drafting schemes and strategies in the information security field, some of which need or require accreditation, how do you assess ENAC’s technical support to integrate accreditation into these schemes?

ENAC's participation throughout this process has been fundamental. When the Secretariat for Digital Administration (of the Secretary of State for Digitalization and Artificial Intelligence, at the Spanish Ministry of Economic Affairs and Digital Transformation) and the National Cryptological Centre (attached to the National Intelligence Centre, Spanish Ministry of Defense), made the decision to build an ENS certification scheme, it immediately became clear that ENAC had the certification and accreditation skills and experience. Their help, from the very start of the drafting of what today constitutes our certification scheme and subsequently developing, maintaining, and updating it, has been and continues to be essential to building the model of trust that public cybersecurity is based on.

A similar case has happened with the Qualified Trust Service Providers certification scheme, based on the regulations derived from the European eIDAS Regulation, whose regulation imposed the need to have conformity certification bodies, responsible for assessing and proposing certification to those bodies exceeding the requirements demanded by such regulations.

The eIDAS Regulation, or national schemes such as ENS or Lince, use accreditation to guarantee their information security objectives. Moreover, the Cybersecurity Act has established accreditation as a fundamental piece in the European cybersecurity strategy. In your opinion, what can we expect for the future?

Indeed, European regulation (such as the aforementioned Cybersecurity Act) or national regulation (such as the National Security Scheme or the LINCE model) insist on building cybersecurity based on mechanisms for adopting measures whose correct adequacy can be constantly assessed.

This monitoring and certification activity is the objective of conformity assessment evaluation schemes and certification schemes regarding security issues, and ENAC is fundamental as an expression of confidence being the maximum guarantor of its veracity. In addition, and regarding the National Security Scheme, it is also necessary to be permanently vigilant (what has been called continuous monitoring) to guarantee that, beyond periodic reviews, the system or systems concerned are permanently in the best security conditions.

I must add that Spain, as a result of all this work, during its mandate at the head of the European Union in the second half of next year, will promote a candidate for a European Cybersecurity Certification Scheme from the Public Sector, based on our National Security Scheme. The aim is for Europe, its Member States, and institutions to make use of the best possible and most up-to-date cybersecurity assurance model and its assessment within a reasonable period of time.

And at a personal level, how do you assess your collaboration with ENAC and with the Spanish accreditation system?

Well, the assessment that ENAC can make of my work as a technical auditor is something that I leave for ENAC. As far as I and all of us who are part of the CCN working team can say, collaborating with ENAC has meant a deep knowledge of certification models based on accrediting CABs, carried out by an independent national body with the necessary capabilities, and it has helped us to build a safer and especially more reliable model.

As you well know, security is a path that is traveled based on objective, and also subjective, elements.