25 Jun 2018

Cross-industry and standards development organisations open letter on the EU Cybersecurity certification framework proposal

Our associations represent more than 56 000 companies in Europe in key areas for jobs and economic development in Europe.

Ahead of the expected vote on 10 July in the European Parliament’s Industry, Research and Energy (ITRE) committee, we urge European decision-makers to ensure that the EU cybersecurity certification framework will not be detrimental to the competitiveness of EU industry and will instead provide a flexible and future-proof framework. The Cybersecurity Act aims to harmonise the Single Market and contribute to the establishment of the Digital Single Market, to increase cybersecurity in Europe, and to turn EU cybersecurity certification schemes into a competitive advantage for industry and a globally recognised instrument.

Our associations have, however, a number of recommendations regarding the ongoing political discussions, and therefore call on the European Parliament to pay specific attention to the following five points:

  1. The voluntary approach to certification is key for it to remain a competitive advantage for industry and to avoid unintended consequences both for smaller market actors and for already heavily regulated sectors. We therefore recommend keeping the voluntary nature of the certification framework, possibly to be reviewed at a later stage according to the evolution of the cybersecurity landscape. To avoid potential Single Market fragmentation, it is key to avoid a situation where national legislation can mandate a scheme.
  2. Conformity assessment methods and requirements should be defined in the schemes and not in the regulation itself so as to allow for a fit-for-purpose approach according to risks and use cases. Allowing for self-declaration of conformity is fundamental to streamline the certification process and make it accessible to all market actors.
  3. A clear framework for the participation of industry should be defined, to make sure ENISA collaborates openly with industry when preparing, elaborating and adopting candidate schemes. We support the European Parliament’s proposal to set up specific ad-hoc consultation platforms, but these should operate on a systematic basis with formal rules to ensure a level playing field for stakeholders’ representation. A positive step in this direction could also be the proposal to establish a “Stakeholder Certification Group”.
  4. The adoption of the schemes should include a process to ensure that they are aligned with, or can take part in, existing international mutual recognition agreements, so that EU certificates are globally recognised.
  5. Reference to global standards should prevail. This includes European Standards, International Standards and Technical Specifications that have been developed in accordance with the principles defined in EU standardisation legislation (i.e. Annex II of Regulation (EU) No 1025/2012) in an inclusive and transparent way. Allowing any deviation from this principle creates uncertainty for market players and would need to be clarified.


For more information please contact Alberto Di Felice, Senior Policy Manager for Infrastructure, Privacy and Security.