DIGITALEUROPE welcomes the adoption of the ITRE report on the Cybersecurity Act
DIGITALEUROPE welcomes several aspects of the Parliament’s Cybersecurity Act Report, adopted today in the Committee on Industry, Research and Energy (ITRE), which significantly improves the proposal of the Commission.
“The most significant improvements of the Parliament’s work are the integration of coordinated vulnerability disclosure best practices, and the strong mechanisms for stakeholder engagement, such as the new ad-hoc committees that will help ensure that the new certification schemes rely on industry know-how and expertise and are well designed for the market in a transparent way. This is important for the industry as it will help ensure that certification is fit for purpose and builds on existing best practices”, said Cecilia Bonefeld-Dahl, Director-general of DIGITALEUROPE.
DIGITALEUROPE also recognises the MEPs’ attempt to ensure that the adopted schemes would be compatible with global mutual recognition arrangements, and we call on the developers of specific schemes to honour this ambition.
The Parliament and the Council have expanded the means by which companies can certify their products or services under the EU framework, allowing them to use self-declaration of conformity. This is good news, even though limiting this instrument to cases that present basic cybersecurity risks is likely to significantly impede market adoption. “Self-declaration of conformity must be more commonly accepted as it works well in practice. It is widely used for compliance with technical regulations, such as EU safety legislation for which self-declaration of conformity is used in 90% of cases”, added Cecilia Bonefeld-Dahl.
DIGITALEUROPE urges the co-legislators to keep the voluntary nature of the framework in the upcoming trilogue negotiations. Determining that certifications for certain operators should be mandatory deviates from the existing national and international practice, where certification is voluntary. It will also create market access barriers for smaller players, who would need to undergo costly and time-consuming certification before launching a product or service on the market.