Cross-industry and standards development organisations open letter on the EU Cybersecurity certification framework proposal
Our associations represent more than 56 000 companies in Europe in key areas for jobs and economic development in Europe.
Ahead of the expected vote on 10 July in the European Parliament’s Industry, Research and Energy (ITRE) committee, we urge European decision-makers to ensure that the EU cybersecurity certification framework will not be detrimental to the competitiveness of the EU industry and will rather support a flexible and future-proof framework. The Cybersecurity Act aims to harmonise the Single Market and contribute to the establishment of the Digital Single Market, increase cybersecurity in Europe and turn the EU cybersecurity certification schemes into a competitive advantage for the industry and a globally-recognised instrument.
Our associations have, however, a number of recommendations as regards ongoing political discussions, and therefore call on the European Parliament to consider with specific attention the five following points:
The voluntary approach to certification is key for it to remain a competitive advantage for the industry and avoid unintended consequences both on smaller market actors and on already heavily regulated sectors. We therefore recommend keeping the voluntary nature of the certification framework, possibly to be reviewed at a later stage, according to the evolution of the cybersecurity landscape. To avoid potential Single Market fragmentation, it is key to avoid a situation where national legislation can mandate a scheme.
Conformity assessment methods and requirements should be defined in the schemes and not in the regulation itself so as to allow for a fit-for-purpose approach according to risks and use cases. Allowing for self-declaration of conformity is fundamental to streamline the certification process and make it accessible to all market actors.
A clear framework for the participation of the industry should be defined, to make sure ENISA collaborates openly with the industry when preparing, elaborating and adopting candidate schemes. We support the proposal of the European Parliament to set specific ad-hoc consultation platforms, but these should occur on a systematic basis with formal rules to ensure a level playing field for stakeholders’ representation. A positive step in this direction can also be the proposal for the establishment of a “Stakeholder Certification Group”.
The adoption of the schemes should include a process to ensure that they are aligned or could take part in existing international mutual recognition agreements to ensure that the EU certificates are globally recognised.
Reference to global standards should prevail. This includes European Standards, International Standards, and Technical Specifications, that have been developed in accordance with defined principles in EU standardisation legislation (i.e. Annex II of Regulation EU 1025/2012), developed in an inclusive and transparent way. Allowing for any deviation from this principle creates uncertainty for market players and would need to be clarified.
For more information please contact
Alberto Di Felice
Director for Infrastructure, Privacy & Security Policy