Deliverable D 2.1: Report on security standards and certification in Europe - A historical/evolutionary perspective


Project acronym: CRISP

Project title: Evaluation and Certification Schemes for Security Products

Grant number: 607941

Programme: Seventh Framework Programme for Security

Objective: Topic SEC-2013.5.4-1 Evaluation and certification schemes for security products

Contract type: Capability project

Start date of project: 01 April 2014

Duration: 36 months

Website: www.crispproject.eu

Deliverable D 2.1: Report on security standards and certification in Europe - A historical/evolutionary perspective

Author(s): Dr. Simone Wurster, Dr. Tim Pohlmann and Dr. Patrick Murphy (TU Berlin), Dr. Florian Fritz, Roger von Laufenberg (IRKS Research), Jolien van Zetten (NEN), Cristina Pauner, Artemi Rallo (UJI) and Rosario García Mahamut (UJI), Rosamunde van Brakel, Alessia Tanas (VUB)

Contributor: Trilateral Research and Consulting

Dissemination level: Public

Deliverable type: Final

Version: 1

TABLE OF CONTENTS

List of figures
List of selected abbreviations
1. Introduction
2. State of the art in research on conformity assessment, standardisation and accreditation
2.1. Introduction
2.2. Conformity assessment systems and their elements
2.3. Standards as part of conformity assessment systems
2.3.1. Introduction
2.3.2. Characteristics and types of standards
2.3.3. Standards used for conformity assessment
2.4. Economic benefit of conformity assessments
2.5. Economic benefits of standards and their use for conformity assessments
2.5.1. General benefits
2.5.2. Usability of different deliverables for conformity assessment
2.5.3. Examples of the use of standards for conformity assessment
2.5.4. Examples of conformity assessment without using standards
2.5.5. Advantages of using standards for conformity assessment
2.6. Economic benefit of mutual recognition of security-related conformity assessments
3. General framework conditions in Europe
3.1. General framework for certification and accreditation in Europe
3.1.1. Conformity assessment and accreditation in the Voluntary Section
3.1.2. Conformity assessment and accreditation in the Law Regulated Section
3.1.3. Conformity assessment and accreditation in the “Sovereignty” Section
3.1.4. The European co-operation for Accreditation and the Multilateral Agreement
3.2. General framework for standardisation in Europe
3.2.1. Main features of the European standardisation policy
3.2.2. Multinational collaborations in standards development
3.3. Security standardisation and certification in Europe
3.3.1. Introduction
3.3.2. European efforts towards security-related CAC solutions
3.3.2.1. The ESRIF report
3.3.2.2. The European Security Research and Innovation Agenda
3.3.2.3. Communication on reaction to ESRIF
3.3.2.4. Communication towards an increased contribution from standardisation to innovation in Europe
3.3.2.5. Stockholm Programme
3.3.2.6. Mandate M/487
3.3.2.7. Action Plan for an innovative and competitive Security Industry
3.3.3. Regulations and directives in selected security areas
3.3.3.1. Overview
3.3.3.2. Documents related to privacy and data protection
3.3.4. Links between standards, certification and pre-commercial procurement
3.3.5. Summary and conclusions
4. State of the art in security standards in different sectors
4.1. Work of European standardisation organisations
4.1.1. Introduction
4.1.2. Analysis of different standardisation organisations and their security-related standards
4.1.2.1. European Committee for Standardisation (CEN)
4.1.2.2. European Committee for Electrotechnical Standardisation (CENELEC)
4.1.2.3. European Telecommunications Standards Institute (ETSI)
4.2. Work of international standardisation organisations
4.2.1. International organisation for standardisation (ISO)
4.2.2. International Electrotechnical Commission (IEC)
4.2.3. International Telecommunication Union (ITU)
4.3. Work of specific technical committees
4.3.1. Introduction
4.3.2. CEN/CLC/TC 4 PC Services for fire safety and security systems
4.3.3. CEN/TC 224 Personal identification, electronic signature, cards and their related systems and operations
4.3.4. CEN/TC 278 Road transport and traffic telematics
4.3.5. CEN/TC 325 Crime prevention by urban planning and building design
4.3.6. CEN/TC 379 PC - Supply chain security
4.3.7. CEN/TC 388 Perimeter protection
4.3.8. CEN/TC 391 Societal and citizen security
4.3.9. CEN/TC 417 Maritime and port security services
4.3.10. CEN/TC 419 Forensic science services
4.3.11. CLC/TC 79 Alarm systems
4.3.12. Other security-related TCs
4.3.13. Summary
4.4. Correlate the general security areas and standardisation activities
4.5. Correlate CRISP’s WP1 matrix of security areas and standards
5. Fields where the availability of open standards should be restricted
6. State of harmonisation and mutual recognition
6.1. National certification organisations in the security field
6.2. General findings regarding the state of harmonization
6.3. The situation in different security sectors
6.3.1. CBRNE
6.3.2. Airport screening equipment
6.3.3. Air cargo
6.3.4. Alarm systems
6.3.4.1. Alarm systems in general
6.3.4.2. Fire alarm systems
6.3.5. Security services
6.3.6. Need for action
6.4. Certification bodies and schemes
6.4.1. Introduction
6.4.2. Common Criteria Certification
6.4.3. SOG-IS
6.4.4. Evaluation according to ITSEC
6.4.5. ECAC
6.4.6. CertAlarm
6.4.7. EFSG
6.5. Current activities
6.5.1. National activities
6.5.2. European activities
7. Summary
References
Annex 1: Examples of European regulations in different security-related Areas
Annex 2: CRISP’s guideline for interviews at CEN and CLC TCs

LIST OF FIGURES

Figure 1: The elements of conformity assessment systems and quality infrastructure
Figure 2: Kinds of standards in hierarchical order
Figure 3: Overview of deliverables at CEN and CENELEC
Figure 4: Sections of conformity assessment systems
Figure 5: Possible forms of internalization of market imperfections
Figure 6: Positive effects of different kinds of standards
Figure 7: Selected reasons for certification
Figure 8: Selected advantages of standards
Figure 9: Modules of conformity assessment according to European Commission (2008)
Figure 10: EN 45000 standards with requirements on conformity assessment bodies
Figure 11: Relevance of the EN 45000 series in European conformity assessment
Figure 12: Relevant areas of ESRIF for CRISP’s activities
Figure 13: Clusters of ESRIA
Figure 14: Relevant items of COM (2008) 133
Figure 15: Objectives of Mandate M/487
Figure 16: Security areas based on Mandate M/487
Figure 17: Selected elements of the action plan for the European security industry
Figure 18: Year of establishment and published standards by security related CEN/CLC/TCs
Figure 19: Establishment of security-related TCs at CEN and CENELEC
Figure 20: Overview of the work of selected CEN TCs in the security field
Figure 21: Overview of the work of selected CLC/TCs in the security field
Figure 22: Overview of the work of selected TCs in ETSI’s security cluster
Figure 23: Overview of the work of selected ISO TCs in the security field
Figure 24: Interrelation between CEN/CLC/TC 4 and the European certification landscape
Figure 25: Interrelation between CEN/TC 224 and the European certification landscape
Figure 26: Interrelation between CEN/TC 278 and the European certification landscape
Figure 27: Interrelation between CEN/TC 235 and the European certification landscape
Figure 28: Interrelation between CEN/TC 379 and the European certification landscape
Figure 29: Interrelation between CEN/TC 388 and the European certification landscape
Figure 30: Interrelation between CEN/TC 391 and the European certification landscape
Figure 31: Interrelation between CEN/TC 417 and the European certification landscape
Figure 32: Interrelation between CEN/TC 419 and the European certification landscape
Figure 33: Interrelation between additional security-related CEN TCs and the European certification landscape
Figure 34: Summarized interrelation between selected security-related CEN/CLC/TCs and the European certification landscape
Figure 35: Links between security sectors and the work of CEN and CENELEC
Figure 36: Correlate of CRISP’s WP1 matrix of security areas and standards
Figure 37: Examples of security-related certification bodies in European Member States
Figure 38: Perceived lack of harmonised certification procedures in Europe
Figure 39: Options for an EU wide harmonized certification system for airport screening equipment
Figure 40: European collaborations of VdS
Figure 41: Collaborations of VdS with the U.S.
Figure 42: Multilateral recognition agreements in Europe in the security field
Figure 43: German example of the CC certification process
Figure 44: The quality marks of the EFSG System
Figure 45: The EFSG process
Figure 46: Examples for the nomination of test laboratories by a certifier of the EFSG group
Figure 47: Parts of the EFSG agreement on components of intruder alarm systems -1-
Figure 48: Parts of the EFSG agreement on components of intruder alarm systems -2-

LIST OF SELECTED ABBREVIATIONS

AFNOR Association Française de Normalisation
BSI (D) Bundesamt für Sicherheit in der Informationstechnik
BSI (GB) British Standards Institution
CAC Conformity Assessments and Certifications
CBRN Chemical, Biological, Radiological and Nuclear
CBRNE Chemical, Biological, Radiological, Nuclear and Explosive
CC Common Criteria
CCTV Closed-circuit television
CEN Comité Européen de Normalisation
CLC CENELEC
CENELEC Comité Européen de Normalisation Electrotechnique
CEOC International Confederation of Inspection and Certification Organisations
COM Communication
CREATIF Network of Testing Facilities for CBRNE detection equipment
CWA CEN Workshop Agreement
DIN Deutsches Institut für Normung
EA European co-operation for Accreditation
ECAC European Civil Aviation Conference
EEA European Economic Area
EFAC European Federation of Associations of Certification bodies
EFSG European Fire and Security Group
EFTA European Free Trade Association
EN European Norm
ENISA European Union Agency for Network and Information Security
EOTC European Organisation for Testing & Certification
ESOs European Standardisation Organisations
ESRIA European Security Research and Innovation Agenda
ESRIF European Security Research and Innovation Forum
ETSI European Telecommunications Standards Institute
IAF International Accreditation Forum
ICT Information and communications technology
IEC International Electrotechnical Commission
IIOC Independent International Organisation for Certification
ILAC International Laboratory Accreditation Cooperation
ISO International Organization for Standardisation
IT Information Technology
ITSEC Information Technology Security Evaluation Criteria
ITU International Telecommunication Union
IWA International Workshop Agreement
JTC Joint Technical Committee
MRA Mutual Recognition Agreement
NEN NEderlandse Norm (National Standardisation Body of the Netherlands)
PSS products, systems and services
prEN project of European Norm
SC Sub Committee
SMEs Small- and Medium-sized Enterprises
SOG-IS Senior Officials Group Information System Security
TC Technical Committee
TR Technical Report
TS Technical Specification

1. INTRODUCTION

Building on security-related definitions of the glossary and taxonomies in CRISP’s Deliverables 1.1 (Glossary of security products and systems) and 1.2 (Taxonomy of security products, systems and services), this report provides a literature review and a historical perspective of security standards and certification in Europe. It introduces the rationale and need for standards and certification and outlines what is certified. Examples of standards and certification schemes in different security sectors covering different areas of certification are illustrated. In addition, opportunities to link standards and certification in the future are shown. This document consists of seven chapters:

Chapter 2 reflects the state of the art in research on conformity assessment, certification, standardisation and accreditation. Specific emphasis is put on the security field. In particular, advantages of using standards in certification processes are shown.

Chapter 3 describes general framework conditions in Europe and specific European documents related to security standardisation and certification.

Chapter 4 gives detailed insight into the state of the art in European security standards in different sectors, standardisation organisations, technical committees and working groups and offers an overview of specific standards documents.

Chapter 5 provides information on security fields where standards for certain security applications should only be made available to entities which have the required security clearances.

A detailed analysis of the state of harmonisation and mutual recognition in Europe is given in Chapter 6. All findings are summarized in Chapter 7.

This report is conceived of as a living document. This means that after this first submission, an extended version will be prepared which will benefit from additional information gained from other work packages, and in particular the preparation of Deliverable 2.2 (Consolidated report on security standards, certification and accreditation – best practice and lessons learnt).


2. STATE OF THE ART IN RESEARCH ON CONFORMITY ASSESSMENT, STANDARDISATION AND ACCREDITATION

2.1. INTRODUCTION

In the context of European harmonization, conformity assessment permits proof of compliance with laws, technical specifications or criteria.[1] This chapter provides an overview of the most relevant academic theories, principles and findings addressing conformity assessment and certification as well as standardisation and accreditation.

2.2. CONFORMITY ASSESSMENT SYSTEMS AND THEIR ELEMENTS

Conformity assessment refers to the acknowledgement that a product, a system, a person or a board fulfils a set of fixed requirements (EN ISO/IEC 17000:2005).[2] There are various conformity assessment bodies, such as test laboratories, calibration units, and inspection units in addition to certification and verification bodies. All confirm that the needed requirements are achieved. Those requirements are usually set through standards, laws, specifications and voluntary agreements among parties. On this basis, obtaining a certificate is proof that a product complies with (or “conforms with”) specific legislation or other technical specifications or criteria.[3]

Active conformity assessments play an important role for both international trade and the pursuit of a European single market. With the expansion of international trade, there have been great efforts to reduce and eliminate tariff barriers. As a result of the success of these efforts, the focus is now on non-tariff barriers. Through conformity assessments, trust among trading partners concerning quality and security can be protected and strengthened. The conformity assessment system offers structures and consistency and promotes mutual trust.

To achieve a continuous and comparable quality of the assessment results, an independent board can assess and validate the competency of the conformity bodies. Those competency validations are specific for each sector. The independent board can either be set up by the state or be a completely independent accreditation body. To ensure the competency of the independent board, there are various possibilities. In case of the state having set up the board, the competency is assumed until proven otherwise. If the board is set up by an independent accreditation body, a system of continuous rotating assessment among those bodies can be established.

Accreditation is defined by ISO/IEC 17011 as “third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks”.[4] With those definitions as a basis, we now define three main elements which make up the conformity assessment system:

• Establishing the requirements for products, services, systems, etc. which can be set through standards or agreements, for example.

• Conformity assessment through conformity assessment bodies, such as certification bodies

• Validation of the competence of the conformity assessment bodies

From this listing it should be apparent that certification, standards and accreditation are part of the conformity assessment system. Furthermore, the conformity assessment system is itself part of the quality infrastructure of a nation when combined with metrology (measurement systems).[5] Figure 1 shows the hierarchy and components of the quality infrastructure and of the conformity assessment system.

Source: Own figure based on Teichler et al., 2013 and Frenz & Lambert, 2013

Figure 1: The elements of conformity assessment systems and quality infrastructure

[1] See Ensthaler, Jürgen, Kai Strübbe and Leonie Bock, Zertifizierung und Akkreditierung technischer Produkte, Ein Handlungsleitfaden für Unternehmen, Berlin, 2007.

[2] See Teichler, Thomas, Florian Berger, Thomas Heimer, James Stroyan and Inga Schlüter, Entwicklungsperspektiven der Konformitätsbewertung und Akkreditierung in Deutschland, Studie im Auftrag des Bundesministeriums für Wirtschaft und Technologie, 2013, pp. 16-23.

[3] See Ensthaler, et al., op. cit., 2007.

[4] See ISO/IEC, ISO/IEC 17011. Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies. Switzerland, 15. February 2005.

In this analysis we will only focus on the conformity assessment system on its own, and not as part of a bigger infrastructure. In this system, establishing the requirements and conformity assessment are carried out by private actors. Public actors may be involved, but as partners or contributors with equal or less influence. In contrast, competency validation is usually carried out by public actors such as the state or through a (sovereignty-granted) accreditation body. For the rest of this report, a distinction will be made between two markets. The first market, referred to as the “basic market,” is the market for security products, technologies, services and systems. The second market is the conformity market around the specific security solution. This distinction is necessary for two reasons. The first is that it helps clarify which actors, systems, dynamics, etc. are being referred to. The second is that through this distinction we can differentiate between various intervention mechanisms. This is particularly important, as it allows us now to examine market imperfections and how the conformity assessment system can be used to eliminate them. According to Chapter 2.4, the market imperfections are located in the basic market and are being mitigated through the conformity market.

[5] See Frenz, Marion and Ray Lambert, The Economics of Accreditation. London: Birkbeck, University of London March 2013.

2.3. STANDARDS AS PART OF CONFORMITY ASSESSMENT SYSTEMS

2.3.1. INTRODUCTION

European standardisation is a key instrument for the consolidation of the single market and for strengthening the competitiveness of European companies, thereby creating the conditions for economic growth.[6]

According to CEN's and CENELEC's formal definition, a standard is a “document, established by consensus decision making and approved by a recognized body that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”.[7]

Standardisation takes place on three different levels. Worldwide standards are developed by ISO (International Organization for Standardisation), IEC (International Electrotechnical Committee) and ITU (International Telecommunication Union). European standards are developed by CEN (European Committee for Standardisation), CENELEC (European Committee for Electrotechnical Standardisation) and ETSI (European Telecommunications Standards Institute), also called the three “European Standardisation Organisations” (ESOs). Throughout this document, whenever ISO is mentioned, this also includes IEC and whenever CEN is mentioned, this also includes CENELEC.

The third level of standardisation is the national level. Most countries in the world and all European countries have one National Standardisation Body (NSB). Differences in standards and technical regulations between countries, “even when justified, may sometimes create technical barriers to trade”.[8] On the other hand, a number of empirical studies highlight the positive effect of harmonized national standards on trade.[9]

Members of CEN and CENELEC are the NSBs from every EU Member State, the Former Yugoslav Republic of Macedonia, Turkey and the three countries of the European Free Trade Association (EFTA) – Iceland, Norway and Switzerland. The case of ETSI is different, however. In ETSI Committees, individuals, user groups and especially corporate organizations are members and not national representatives.

[6] See CEN/CENELEC, “European Standardisation”, no date. http://www.cencenelec.eu/standards/Pages/default.aspx

[7] See CEN/CENELEC, “What is a European Standard (EN)?”, no date. http://www.cencenelec.eu/standards/DefEN

[8] See Guasch, J. Luis, Jean-Louis Racine, Isabel Sánchez and Makhtar Diop, Quality Systems and Standards for a Competitive Edge, The World Bank, Washington, DC, 2007, p. 81.

[9] See Guasch et al., op. cit., 2007, p. 37 for an overview as well as Blind, Knut and Andre Jungmittag, “Trade and the Impact of Innovations and Standards: The Case of Germany and the UK”, Applied Economics, Vol. 37, pp. 1385–1398.

A summarized description of the nature of standardisation in Europe is given by CEN/CENELEC.[10] According to CEN/CENELEC, the main goal of standardisation is to agree upon common specifications and/or procedures that respond to the needs of business and meet consumer expectations. In addition, standards are part of the knowledge economy that underpins European industry and society. They facilitate innovation and promote the adoption of new technologies.[11]

Before explaining standards in more detail, it is important to clarify some of the main rules related to the status and adoption of standards within Europe.

All ISO standards are voluntary in use and in adoption. It is up to the NSBs to decide whether or not they adopt an ISO standard as a national standard. If the NSB decides to do so, the document will be published, for example as DIN-ISO in Germany or NEN-ISO in the Netherlands. If the NSB decides not to adopt the standard, it will only be published as an ISO standard in that country. Furthermore, NSBs have the possibility to develop and publish standards about a subject that is also standardised by an ISO standard. On a European level, CEN can decide to adopt an ISO standard and make it an EN-ISO. Conversely, ISO can decide to adopt an EN as well.

The rules for adopting European standards on a national level differ from the rules for ISO standards. The European standardisation system is unique in the world. After the publication of a European Standard, each national standards body or committee is obliged to withdraw any national standard which conflicts with the new European Standard. Hence, one European Standard becomes the national standard in all the 33 member countries of CEN and/or CENELEC.[12] As soon as CEN decides to adopt an ISO standard as an EN, this document automatically has to be adopted by the member countries as well and becomes, for example, DIN-EN-ISO.

A majority of European Standards are initiated by business and developed in partnership with other stakeholders. Around 30% are mandated by the European Commission in the framework of EU legislation.

2.3.2. CHARACTERISTICS AND TYPES OF STANDARDS

Standards are developed and defined through a process of sharing knowledge and building consensus among technical experts nominated by interested parties and other stakeholders - including businesses, consumers and environmental groups, among others. A standard is not written by one expert, but reflects the input and knowledge of all parties concerned.

Application fields of standards include the improvement of safety and performance, raising levels of energy efficiency as well as the protection of consumers, workers and the environment. According to CEN/CENELEC, they complement European and national policies in these areas, and make it easier for companies and other actors to respect relevant legislation.[13]

[10] See CEN/CENELEC, “European Standardisation”, no date.

[11] See CEN/CENELEC, “European Standardisation”, no date.

[12] See CEN/CENELEC, “What is a European Standard (EN)?”, no date.

[13]

European Standards are regarded as a valuable tool for facilitating cross-border trade – both within Europe’s single market and with the rest of the world – because they reduce unnecessary costs for both suppliers and purchasers of products and services.[14]

There are several types of standards. CEN and ISO make a distinction between standards which include requirements and/or recommendations in relation to products, systems, processes and services. They also distinguish between standards which describe a measurement or test method or establish a common terminology within a specific sector.[15] Another way of defining different types of standards is explained by the CREATIF consortium in its report “The future of testing security related products.”[16]

This report distinguishes four kinds of standards, according to Figure 2:

Source: Own figure

Figure 2: Kinds of standards in hierarchical order

A fundamental standard is, for example, a terminology standard. Analysis and trial standards specify aspects such as measurement protocols and test conditions. Performance standards include laboratory, operational and human factors standards, e.g. regarding human-machine interfaces, while the standard ISO 9001 Quality management systems[17] is an example of an organizational standard. Information on the importance of these standards in the security field of protection against Chemical, Biological, Radiological, Nuclear and Explosive (CBRNE) threats is given in Chapter 6.3.1.

[14] See CEN/CENELEC, “European Standardisation”, no date.

[15] See CEN/CENELEC, “European Standardisation”, no date.

[16] See Myers, P., F. Strebl, A. Plecis, R. Olivier and P. Wästerby, The future of testing security related products, D5.1 CREATIF Project, July 2011, pp 16-17.

[17]

2.3.3. STANDARDS USED FOR CONFORMITY ASSESSMENT

Certification bodies use standards as the basis for their processes. It is the job of these bodies to confirm that a product, system, process or service meets the requirements that are set by standards. They have to meet certain requirements which are documented in conformity assessment standards like ISO 17025[18] and ISO 17065.[19] The standardisation process can lead to different types of deliverables where the usability for certification differs. Below are the most used European deliverables. Besides general descriptions, further descriptions of their usability for certification are provided.

[18] See ISO/IEC, ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, 15 May 2005

[19] See ISO/IEC, ISO/IEC 17065:2012 Conformity assessment – Requirements for bodies certifying products, processes and services, 15 September 2012

Deliverable: Standard (EN)

Characteristics:

• Is the most commonly known deliverable in the standards context

• Is a normative document, which means that if parties decide to use the standard, they have to follow all the requirements set out in the standard

• Usually sets requirements to a product, system, process or service

• Can also provide terminology

• Is made available in at least the three official CEN languages (English, French, German)

• Does not conflict with the content of any other EN standard

• Its value derives from the main characteristics of its development: full consensus among the member countries, standstill (no national standards being developed in the same field), and obligatory implementation by member countries

• May form the basis for certification if it sets requirements

Deliverable: Technical Specification (TS)

Characteristics:

• Like an EN, a normative document

• Main differences in its development process: no public consultation is needed, can be approved by the committee developing it

• Is usually established for specifications in evolving technologies and experimental markets

• May also be developed when there is insufficient support for public enquiry or no consensus before the formal voting procedure among the Member States exists

Deliverable: Technical Report (TR)

Characteristics:

• Is an informal document which is developed to inform on the technical content of standardisation work

• Does not set requirements

• Can therefore not be used as a basis for certification

Deliverable: CEN Workshop Agreement (CWA)

Characteristics:

• Is developed through a different process than the deliverables mentioned above (which are developed in TCs consisting of representatives of NSBs)

• Is developed by workshops consisting of stakeholders (both individuals and organisations)

• Stakeholders only give their own input (not a national point of view)

• Is approved by the workshop, does not have to go through public voting procedures

• Has a durability of three years

• Is less useful as a basis of certification due to its limited lifetime

Source: Own figure

Figure 3: Overview of deliverables at CEN and CENELEC

As mentioned in Figure 3, CWAs are developed in specific processes and, compared with ENs, they are characterized by a shorter development period. CEN members do not have to adopt or publish CWAs, but can do so if they want to. After its expiration, a CWA can be confirmed for one more period of three years, or has to be withdrawn or put forward to a technical committee (TC) to be developed into another type of deliverable (EN/TS).

2.4. ECONOMIC BENEFIT OF CONFORMITY ASSESSMENTS

As described before, the main value of conformity assessment systems is their contribution to overcoming market imperfections. Dynamic markets can easily fall prey to market imperfections which can have tremendous negative effects upon the market.[20] Conformity assessment systems and accreditation can be used to negate, or at least to minimize, those negative effects. This aspect of the conformity assessment system is one of the strongest arguments for its implementation. In the remainder of this section, four different cases of market imperfections will be described as well as the effects of a conformity assessment system.[21]

1. Information Asymmetry refers to the lack of equally distributed knowledge in a market among the various market actors.²² This asymmetry causes the actors with lesser information to run the risk of making the wrong choices based on this incomplete information.

Conformity assessments can even out those information asymmetries. This can be achieved for example by setting obligations to share certain information or through assessments by third parties.

2. Adverse Selection refers to situations where a negative selection accrues due to asymmetric information between buyer and seller. The consequence of this effect is that low quality products are more likely to be selected, since buyers have no means to verify good quality and are thus not willing to pay higher prices. Conformity assessments can make such situations more equitable by setting mandatory quality certificates that confirm good quality of products and thus allow the acceptance of higher prices.

20

See Akerlof, George A., “The Market for "Lemons": Quality Uncertainty and the Market Mechanism”, The Quarterly Journal of Economics, Vol. 84, No. 3, 1970, pp. 488-500.

http://links.jstor.org/sici?sici=0033-5533%28197008%2984%3A3%3C488%3ATMF%22QU%3E2.0.CO%3B2-6

21

See Teichler et al., op. cit., 2013, pp. 19ff.

22

See Stiglitz, Joseph E., “The contributions of the economics of information to twentieth century economics”. The Quarterly Journal of Economics, Vol. 115, No. 4, pp. 1441-1478. http://ricardo.ecn.wfu.edu/~cottrell/papers/stiglitz.pdf


3. External Effects are (economic) consequences of actions and decisions of one market actor onto others without those consequences being compensated or taken into consideration by the market actors.²³

There are positive and negative external effects. An example of an external effect in the sector of civil security would be a new connection to the internet or a new connection between two servers that used to be independent. While some individuals might profit from the new connection, general security can suffer (hackers could now have access to previously secure data). Conformity assessments can help internalize external effects and make them become part of the decision-making process. One possibility would be through defining clear requirements and organizing regular check-ins to ensure a high level of implementation.

4. Natural Monopoly is a state of a product or service market which is brought forward by very high fixed costs, low marginal costs and economies of scale.²⁴ Through this monopoly, the market loses its selective mechanisms and allows for a continuous lowering of quality from the monopolist.

Conformity assessments can re-establish a competitive market situation, for example by setting high quality demands which limit the possibilities of the monopolist.

5. Public Goods are goods which are not excludable, meaning their use and/or access is not limited to one person.²⁵ This lack of excludability can be the result of technology (e.g., radio waves are available to everyone) or can be political in nature. It can also result in a loss of quality and subsequently low costs.

Conformity assessments can help here in the same way as with the natural monopoly, by setting certain quality levels as requirements and by their use for regular re-examinations.

The internalization of market imperfections through conformity assessments offers certain advantages,²⁶ including:

• Preservation of quality

• High product safety

• Avoidance of damage and injuries

• Reduction of risks

• Higher specialization effect (which increases competition capabilities)²⁷

There are three ways to internalize market imperfections through conformity assessment and accreditation. These differences depend on which role the state plays. From these differences we identify three sections within the conformity assessment system (Figure 4).

23

See Mankiw, N. Gregory, Principles of Economics. Forth Worth, Texas: Dryden Press, 1998.

24

See Stocker, Ferry, Moderne Volkswirtschaftslehre. Oldenbourg: Oldenbourg Wissenschaftsverlag, 2009.

25

See Donges, Juergen B. and Klaus-Werner Schatz, Staatliche Interventionen in der Bundesrepublik Deutschland: Umfang, Struktur, Wirkungen. Leibniz: Kieler Diskussionsbeiträge, No. 119/120, 1986. http://hdl.handle.net/10419/48101

26

See Jahn, Gabriele, Matthias Schramm and Achim Spiller, Zur Glaubwürdigkeit von Zertifizierungssystemen: Eine ökonomische Analyse der Kontrollvalidität. Göttingen: Institut für Agrarökonomie Georg-August Universität, 2003. http://www.uni-goettingen.de/de/sh/download/69d421644c49352d9b303174aedd84ca.pdf/Diskussionsbeitrag0304.pdf.

27

See Ernst, Dieter, America's voluntary standards system: a "best practice" for innovation policy? Honolulu: East-West Center, 2012. http://www.eastwestcenter.org/publications/americas-voluntary-standards-system-best-practice-model-asian-innovation-policies


Section | Description

Voluntary Section | Conformity happens on a purely voluntary level and is both initiated and implemented by private actors. The state plays no major role and, if it takes part at all, is a participant like all the others.

Law Regulated Section | Conformity is initiated by laws which are brought forward by the state. It is still implemented by private actors but according to the state. The state here “regulates” all three elements of the conformity assessment system.

“Sovereignty” Section | Conformity is a pure state business. The state is responsible for everything from setting definitions and requirements up to the implementation and surveillance. Private actors are no longer present. The state is the “agent” responsible for the conformity assessment system.

Source: Own figure based on Teichler et al. (2013)

Figure 4: Sections of conformity assessment systems

Figure 5 summarizes the three possible ways to internalize market imperfections, varying depending on the different roles taken by the state.²⁸

Source: Own figure based on Teichler et al. (2013)

Figure 5: Possible forms of internalization of market imperfections

28

Ensthaler et al., op. cit., 2007 provide a detailed overview of the general possibilities of certification and accreditation in the public and private sectors as well as of the European accreditation systems. However, their work does not have a special focus on the “Sovereignty” section and security.


In Chapter 3 each of the three methods to internalize market imperfections will be described individually and in more detail.

The practical economic benefit of conformity assessment is shown in numerous studies. Guasch et al.,²⁹ for example, list 14 studies: 11 indicated a positive impact of conformity assessment on firm performance while 3 failed to demonstrate such effects. Additional evidence is offered by BMWFJ.³⁰

According to an IAF survey,³¹ certification (as part of conformity assessment) adds value and increases trust. Around 80% of the participants agree or strongly agree with the statement that certification adds value. 25% state that it significantly increases sales and 37% state that it brings a minor increase in sales.

The OECD³² has also published a study on conformity assessment bodies. The results hint at a strong tendency in which exports profit from conformity assessment, especially in terms of reducing information asymmetries.

In addition, certification has a signaling function to prove quality. In a number of security areas selling products is not possible without the relevant certificates.

At the same time, there are also negative effects which arise from using the conformity assessment system. These mainly revolve around “freezing” the status quo, sometimes even leading to “lock-ins”.³³

Conformity assessments set up requirements which can stop new and innovative solutions from spreading in case they do not match those requirements (yet). The optimal rate of standard replacement thus strikes a balance between the costs of standardisation and standard adoption on the one hand, and the opportunity cost of using an outdated technology on the other hand. The rate can deviate from the social optimum in both directions, yielding either excessive inertia (insufficient rate of standard replacement) or excessive momentum (excessive rate of standard replacement).

In a similar way, conformity assessments can also create barriers to entry and therefore harm competition.³⁴ While those negative effects are known, they do not outweigh the positive effects in the least.³⁵ Moreover, we will describe advanced certification solutions for innovative products, and will demonstrate the advantages of certification in innovative areas at the end of this document.

29

See Guasch et al., op. cit., 2007, p. 108.

30

See BMWFJ, ‘Akkreditierung. Studie zur wirtschaftlichen Bedeutung der Akkreditierung für die österreichische Wirtschaft’, no date.

https://www.bmwfw.gv.at/TechnikUndVermessung/Akkreditierung/Documents/Endbericht%20KMU-Akkreditierungsstudie.pdf.

31

See Frenz et al., op. cit., 2013.

32

See Fliess, Barbara and Raymond Schonfeld, Trends in Conformity Assessment Practices and Barriers to Trade: Final Report on Survey of Cabs and Exporters, Trade Directorate 2006.

http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?doclanguage=en&cote=td/tc/wp%282006%296/final, see also Teichler, et al., op. cit., 2013.

33

See Arthur, William Brian, “Competing Technologies, Increasing Returns, and Lock-In by Historical Events”, The Economic Journal, Vol. 99, No. 394, pp. 116-131, March 1989. http://www.jstor.org/stable/2234208

34

See Baumol, William J., Elizabeth E. Bailey, John C. Panzar, Robert D. Willig, Edward Zajac, Baumol, Panzar, and Willig’s Theory of Contestable Markets and Industry Structure: A Summary of Reactions. Harcourt Brace Jovanovich, 1982. http://mpra.ub.uni-muenchen.de/41974/1/MPRA_paper_41974.pdf

35


2.5. ECONOMIC BENEFITS OF STANDARDS AND THEIR USE FOR CONFORMITY ASSESSMENTS

2.5.1. GENERAL BENEFITS

Standardisation is an important catalyst for innovation, and modern societies need to include new knowledge from the research field in standards, promoting innovation and competitiveness.³⁶ Based on their functions, four kinds of standards are distinguished: compatibility/interface standards, minimum quality/safety standards, standards for variety reduction and information standards.³⁷ General positive effects of standards are shown in Figure 6.

Kinds of standards | Positive effects

Compatibility/interface standards | network externalities, avoidance of lock-ins, increased variety of systems products

Minimum quality/safety standards | correction for adverse selection, reduced transaction costs, correction for negative externalities

Standards for variety reduction | economies of scale, building focus and critical mass

Information standards | facilitate trade, reduce transaction costs

Source: Blind (2004)

Figure 6: Positive effects of different kinds of standards

A detailed description of the potential role of standardisation to accelerate the sustainable growth of the European economy is given by European Commission (2011).³⁸

To stimulate lead markets for security-related technologies and services, standards and specifications may provide knowledge and technology transfer, connect relevant stakeholders, foster innovative demand, provide innovation-enhancing regulatory frameworks, intensify competition and increase exportability (see Blind, 2008³⁹).

Certification can be based on standards developed by standardisation organizations. It is also possible to develop a certification system without using standards. Therefore, the main question is what advantages arise from using standards instead of other documents as a basis for certification? Answers will be provided in the next sections.

36

See Blind, Knut, ‘Standardisation: a catalyst for innovation’, Inaugural Address Series. Research in Management, Erasmus Universiteit, 2009. http://repub.eur.nl/res/pub/17558/EIA-2009-039-LIS.pdf,

EXPRESS [Expert Panel for the Review of the European Standardisation System], ‘Standardisation for a competitive and innovative Europe: a vision for 2020,’ Report delivered to the European Commission in February 2010.

http://ec.europa.eu/enterprise/policies/european-standards/files/express/exp_384_express_report_final_distrib_en.pdf

CEN‐CENELEC STAIR, ‘The Operationalisation of the Integrated Approach’, Submission of STAIR to the Consultation of the Green Paper “From Challenges to Opportunities: Towards a Common Strategic Framework for EU Research and Innovation funding”, 2011. http://ec.europa.eu/research/horizon2020/pdf/contributions/post/european_organisations/

-cen-elec_stair_joint_strategic_working_group.pdf.

37

See Blind, Knut, The Economics of Standards: Theory, Evidence, Policy. Cheltenham, 2004, pp. 14ff.

38

See European Commission, A strategic vision for European standards: Moving forward to enhance and accelerate the sustainable growth of the European economy by 2020, Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee, COM (2011)311 final, Brussels, 1.6.2011.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0311:FIN:EN:PDF

39

See Blind, Knut, Standardisation and Standards in Security Research and Emerging Security Markets. Fraunhofer Symposium ‘Future Security’, 3rd Security Research Conference Karlsruhe, 10th - 11th September 2008, pp. 63-72.


2.5.2. USABILITY OF DIFFERENT DELIVERABLES FOR CONFORMITY ASSESSMENT

As described in Chapter 2.3.3, certification bodies certify a product, system, process or service against requirements set out in a document. ENs (or ISO standards, ‘ISOs’) are the most suitable to be used as a basis for certification for the following reason: certification is based on requirements. Technical Reports cannot set requirements and are therefore not suitable for certification.

CWAs have a limited lifetime. They can be used for certification, but since a CWA usually exists for three years (with possible extension to six), it is not a preferable option. If a CWA is transferred into an EN after three or six years, the content of the document has to go through public voting and more/different/further stakeholders can give their input. This often leads to major changes in the content of the document. If the CWA was the basis for certification, this transfer from CWA to EN may lead to major changes in the certification practice as well. In contrast, Technical Specifications can be the basis for certification, since they can contain requirements.

For a certification system to be successful, it is important that stakeholders trust in the certification system as well as the requirements that are being certified. The one main distinctive feature of an EN is that the requirements which it sets are agreed upon by a very large community of interested parties. Often, the parties who have an interest in the certification process (i.e. manufacturers, end-users) are involved in the development of the EN, which makes it easier to value the requirements as well as the quality of the document.

When using a standard as the basis for certification, a certification scheme is needed. The standard sets the requirements and the certification scheme explains the steps to be taken in the certification process. A certification body can develop its own certification scheme for each standard it wants to certify. This means that each certification body may have its own certification scheme. For reasons of comparability, transparency and efficiency, certification bodies may decide to join forces and develop a harmonized certification scheme together.

2.5.3. EXAMPLES OF THE USE OF STANDARDS FOR CONFORMITY ASSESSMENT

To illustrate the use of standards for certification, this sub-chapter gives two examples consisting of management systems standards and the ISO standard ISO 15408.

Management systems standards

Organizations and companies often want to get certified to ISO’s management system standards (for example ISO 9001⁴⁰, ISO 14001⁴¹, ISO 31000⁴²) although certification is not a requirement. The best reason for wanting to implement these standards is to improve the efficiency and effectiveness of company operations. According to Figure 7, a company may decide to seek certification for many reasons:

40

See ISO, op. cit., 2008

41

See ISO, ISO 14001:2004 Environmental management systems – Requirements with guidance for use, 15 November 2004

42


• Contractual or regulatory requirements

• Necessity to meet customer preferences

• Signaling competence

• Falling within the context of a risk management programme

• Helping motivate staff by setting a clear goal for the development of its management system

Source: Own figure

Figure 7: Selected reasons for certification

According to ISO,⁴³ ISO 9001:2008 sets out the criteria for a quality management system and is the only standard in its standards family that can be certified to. It can be used by any organization and is implemented by over one million companies and organizations in over 170 countries. The standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. Using the standard helps ensure that customers get consistent, good quality products and services. Checking that the system works is a vital part of ISO 9001:2008. An organization must perform internal audits to check how its quality management system is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard. Alternatively, it might invite its clients to audit the quality system for themselves.

ISO 15408⁴⁴

The concepts, principles and requirements for IT security are established in the three parts of ISO 15408. This standard is accompanied by ISO 18045,⁴⁵ which was written specifically for evaluators and certifiers. ISO 18045 defines the minimum action to be performed by an evaluator in order to conduct an ISO 15408 evaluation. By setting these minimum actions in a standard, ISO ensures that evaluators work at least in a comparable way on the level of the minimum actions. More examples for the use of standards for certification will be provided in Chapter 6.

2.5.4. EXAMPLES OF CONFORMITY ASSESSMENT WITHOUT USING STANDARDS

Certification is always based on a set of requirements. These requirements can be documented in a standard, but do not have to be. Certification without the use of standards is one of the practices in professional certification. In professional certification, a person is certified to be capable of completing a task or job, usually by passing an exam. The requirements for professional certification are often documented in documents from the school, the organization offering the exam or a sector organization.

43

See ISO, ISO 9000 - Quality management, no date. http://www.iso.org/iso/home/standards/management-standards/iso_9000.htm

44

See ISO/IEC, ISO/IEC 15408-1:2010 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model, 15 December 2009

45

See ISO/IEC, ISO/IEC 18045:2008 Information technologies – Security techniques – Methodology for IT security evaluation, 15 August 2008


A second type of certification without using standards is the certification based on sector requirements. Commonly known examples of these are the FSC⁴⁶ certificates for wood and sustainability labeling. In most of the cases of certification within a sector, the sector defines its own requirements and sometimes quality levels.

Both in the case of professional certification and certification based on sector requirements, the certification itself can still be carried out by independent certification bodies.

In addition, there are fields in the software area in which no European standard exists and alternative documents are used for certification. This is in harmony with Regulation (EC) No 1025/2012, which lays down new rules for technical ICT specifications and highlights that ICT technical specifications are not adopted by the ESOs, international standardisation organisations or national standardisation bodies. Furthermore, Rodrigues et al. (2014)⁴⁷ provide an overview of different privacy seals which are based on standards and other documents. More examples are given in Chapter 5.

2.5.5. ADVANTAGES OF USING STANDARDS FOR CONFORMITY ASSESSMENT

An important difference between certification with standards and certification without standards lies in the fact that when using standards as a basis, it is known that the requirements have been agreed on by all parties concerned. This leads to transparent requirements and prevents any suspicion of partiality. According to Figure 8 and the following list, the use of standards offers four additional advantages:

Source: Own figure

Figure 8: Selected advantages of standards

Trust and transparency

An often heard comment about certification systems which are based on sector internal requirements is that manufacturers/providers set the requirements for their own product or service. The end-users, who have a very large interest in the quality level, do not always have a

46

See Forest Stewardship Council, "FSC Certification", no date. https://ic.fsc.org/certification.4.htm

47

See Rodrigues, Rowena, David Barnard-Wills, David Wright, Paul De Hert and Vagelis Papakonstantinou, EU privacy seals project. Inventory and analysis of privacy certification schemes. Final Report Study Deliverable 1.4, 2014. http://bookshop.europa.eu/en/eu-privacy-seals-project-pbLBNA26190/


say in the requirements. This fact may decrease the level of trust in the system and the value of the certificate.

If standards are being used as the basis for certification, all parties concerned, including end-users, have set the requirements together. This leads to an increased trust in the certification system and the value of the certificate. Blind⁴⁸ summarizes this principle as follows: “In complex product and service markets, where conformity with a performance standard for the inter-operability of systems is not transparent to the consumers, the certification of conformity by independent testing institutions presents a dimension of quality competition among suppliers which has positive impacts on consumers’ surplus”.

Comparability

By using standards as the basis for certification, the market can certify against the same set of requirements. This is a key prerequisite for comparable certificates: it is clear that certificates from different certification bodies have the same status, since they are all based on the same set of requirements. In contrast, if different sets of requirements are established within sectors, the certificates are less comparable. This might also lead to a decrease in market players' trust in certificates.

Interchangeability

If certification bodies all certify against the same set of requirements, manufacturers/providers are not bound to one certification body and can change from one certification body to another. Furthermore, if a standard set of requirements is used all over the EU, there is no need to certify a product or service in every country.

Economic impact

As mentioned above, the use of one set of standardised requirements as the basis for certification leads to interchangeability within the European market. This leads to a cost reduction for the manufacturers/providers. Furthermore, once a product or service has been certified, the step to enter the market in another European country will be easier since there is no need for another certification process. From an economic point of view, it will ease the international trade for manufacturers/providers and will make it easier for end users to buy products/services from abroad. Altogether, this leads to a more open European market and a decrease of the barriers to trade.

With regard to the security field, the European Commission summarizes the advantages of using standards for certification as follows: “Complementary to industrial standards is the need for more consistency in the regulation and certification of security-related equipment and services. This would provide certainty of technical reference for a wide range of stakeholders, from industry and technology innovators to end-users, regulators and policy makers. And it would go a long way toward helping create a single market and, above all, anchoring the conditions for interoperability of equipment across borders.”⁴⁹

The following sub-chapters will describe the economic impact of conformity assessment.

48

See Blind, op. cit., 2004, p.42.

49

See European Commission, Regulatory & certification issues, 05.02.2013, http://ec.europa.eu/enterprise/policies/security/industrial-policy/issues/index_en.htm


2.6. ECONOMIC BENEFIT OF MUTUAL RECOGNITION OF SECURITY-RELATED CONFORMITY ASSESSMENTS

Mutual recognition of conformity assessments is a specific issue of international trade. Guasch et al. (2007) describe the need for such arrangements as follows: “Demonstrating compliance through conformity assessment is itself only useful if the testing and certification requirements are similar in the exporting country and the importing country. If testing laboratories are not recognized abroad, tests on products carried out in the exporting country have to be repeated by a recognized laboratory in each of the importing countries. An adverse test report in the importing country can result in the rejection of an entire shipment. Likewise, if certification in one country is not recognized abroad, domestic firms requiring quality system and environmental management certification for export purposes need to be certified by organizations in each of the importing countries. Conformity assessment procedures vary widely across countries and in many cases constitute a large barrier to market entry. Nonrecognition or nonharmonization of conformity assessment procedures do not persist due to inherent national differences, but because conformity assessment is particularly vulnerable to misuse if bureaucratic procedures are not transparent.”⁵⁰

The specific extent of the economic benefits of mutual recognition and conformity assessment depends on the specific security field. This sub-chapter gives an impression of these advantages by presenting numbers from two market segments as examples. In the following, the markets for alarm systems and airport scanners are investigated.⁵¹

Currently companies that market security alarm systems need to apply for 10-15 certificates from different Member States to supply the products throughout Europe. The costs of certification of a system are on average at the level of € 200-300,000 for full access to Europe. Alternatively, the estimated cost for obtaining a mutually recognised certificate would amount to € 40-60,000 according to analyses of the European Commission.⁵²

Therefore, it is expected that the total savings based on a common EU scheme for conformity assessment and certification would amount to € 160-240,000.⁵³

The total certification cost in the specific field of intruder alarm systems is estimated to range between € 6.2 million and € 13.2 million per year. It is assumed that a single European conformity assessment system reduces the cost by 75%. This would suggest a saving of € 4.7 million to € 9.9 million per year from certification of all intruder alarm systems.⁵⁴

50

See Guasch et al, op. cit., 2007, p. 82.

51

The following explanations are based on European Commission, Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.7.2012.

52

See European Commission (2012), Commission Staff Working Paper Security Industrial Policy Accompanying the document Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee Security Industrial Policy Action Plan for an innovative and competitive Security Industry {COM(2012) 417 final}, SWD(2012) 233 final, Brussels, 26.07.2012.

53

European Commission, op. cit., 2012, describes the calculation in more detail, based on AFNOR-CNPP, “Certification rules Electronic Security Equipment: Intrusion Detection, Access Control Management Systems”

HTTP://WWW.CNPP.COM/FR/MEDIATHEQUE/AUTRES-DOCUMENTS/CERTIFIERIMAGE/H58/REFERENTIEL-NF324-H58-VERSION-ANGLAISE-OCTOBRE-2010

54


With regard to the Explosive Detection System (EDS), the EU refers to an expert who estimated that the cost of a single test could be in the region of € 65 thousand and for a liquid explosive system (LAGS) in a range between € 30 and € 75 thousand. These figures do not take into account any repeated testing that may be required. Certification costs of larger systems are estimated to be up to € 700,000. They include an estimated € 100,000 for an “imaging test” for a cargo scanner as well as € 500,000 for a biometric identity card model.

A harmonisation of the certification of testing procedures for airport scanners would facilitate a cost reduction to € 3 million (30 products * € 100,000). Based on a comparison with the current cost of € 22 million, this implies cost savings of approximately € 19 million per year.⁵⁵

Both examples show that harmonized solutions would provide the European security industry with substantial cost savings and consequently advantages to compete in the international market. The issue will be analysed in more detail in CRISP WP 3.

55


3. GENERAL FRAMEWORK CONDITIONS IN EUROPE

This chapter provides a historical perspective of the general framework in European standardisation and certification and analyzes the legislative background of security standardisation and certification in depth.

3.1. GENERAL FRAMEWORK FOR CERTIFICATION AND ACCREDITATION IN EUROPE

According to Chapter 2, conformity assessment consists of three sections: the Voluntary section, the Law Regulated section and the Sovereignty section.⁵⁶

3.1.1. CONFORMITY ASSESSMENT AND ACCREDITATION IN THE VOLUNTARY SECTION

Conformity assessments are implemented on a voluntary basis (without any regulatory enforcement) for a large part of the trade market. The idea behind this principle is that operators will accept and rely upon a conformity assessment made by an independent body without having to review the assessments themselves. These conformity assessments could be for security, quality, products or services. Through such structure the economic relationships are strengthened and the market process is accelerated. Furthermore, through the use of a conformity assessment system, market imperfections can be internalized, reducing risks and costs as well as creating a differentiation possibility facilitating competition. Certificates are the best example.

Certificates are used to inform the consumer about the characteristics of the products or services. They can also communicate that certain minimal requirements are being respected, for example in the fields of safety and security. To increase the credibility of the conformity assessments, the conformity assessment bodies can make use of accreditations, offered by an independent and neutral institution or body. Accreditation systems will be set up according to international standards and requirements, and are transparent in their criteria.

The basis for the accreditation is the fulfilment of international standards. These not only cover requirements for the basic markets, they also set the requirements of the conformity assessment system. The accreditation increases the trust in the results of the conformity assessment bodies and the quality of their tested products and services. The accreditation is, mainly in the voluntary section, aimed at manufacturers and their clients and not state institutions.

Here the key function of the accreditation is of an economic nature. The accreditation is and can be used as a differentiation or marketing tool in a market with high competition. There are also cases where such accreditations are unspoken requirements to enter the markets (for example in China or India). If accreditation fails, never takes place or is delayed, this results in high costs and losses for firms. Therefore there is an emphasis on a well-organized, quick and reliable accreditation system.

The expectations towards the accreditation are not only those previously mentioned, but also that the relevant organisation offers a capable management of the evaluation process with clear steps (applying, assessment, accreditation, monitoring).57

56 See Teichler et al., op. cit., 2013, pp. 23ff.


As mentioned, the state acts as participant only. The requirements are set by and for private actors without any law enforcement. The state can be part of the procedure and formulate demands, in the same way all participants can. The rules for the conformity assessments are laid down and implemented by private actors. The state is a consumer of the assessment bodies like all others. The use of accreditation is voluntary, a means to prove competency or to achieve higher recognition.

Directive 1999/93/EC58 on a Community Framework for Electronic Signatures offers an early example for the definition of European framework conditions for certification and voluntary accreditation in a specific technological field. In particular, Article 4 ‘internal market principles’ and Article 11 ‘notification’ are important.

At the beginning of the document several prerequisites for the establishment of the framework are defined which offer interesting examples for dealing with these certification and accreditation issues. The most important passages for this analysis are:

• Certification service providers should be free to provide their services without prior authorisation; “prior authorization” includes not only any permission whereby the relevant certification service provider has to obtain a decision by national authorities before being allowed to provide its certification services, but also any other measures having the same effect;

• Voluntary accreditation schemes aiming at an enhanced level of service-provision may offer certification service providers the appropriate framework for developing their services further;

• Certification service providers should be free to adhere to and benefit from such accreditation schemes; and

• Certification services can be offered either by a public entity or a legal or natural person, when it is established in accordance with the national law; whereas Member States should not prohibit certification service providers from operating outside voluntary accreditation schemes; it should be ensured that such accreditation schemes do not reduce competition for certification services.59

Parts of the relevant articles are shown below.

Article 4 - Internal market principles

• Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by the Directive.

• Member States shall ensure that electronic-signature products which comply with the Directive are permitted to circulate freely in the internal market.

Article 11 – Notification

Member States shall notify to the Commission and the other Member States the following:

58 See European Parliament and the Council, ‘Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures’, 13 December 1999, 1999. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31999L0093&from=EN
