02 Mar 2017

DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes

DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes


DIGITALEUROPE as the voice of the digital technology industry in Europe welcomes the opportunity to comment on the European Commission’s on-going work within the field of cybersecurity, particularly the potential role for cybersecurity certification and labelling schemesfor ICT products. DIGITALEUROPE is concerned that the potential future proposals of the European Commission in the field of cybersecurity certification and labelling may be focusing on the wrong policy priorities.

DIGITALEUROPE wishes to emphasise that today we already have mature frameworks to support higher security environments as well as lighter self-assessment approaches that serve dynamic emerging markets. The European Commission should not look to establishing new frameworks as they typically take decades to be developed and adopted. Instead, the two current approaches need to be developed further for greater efficiency and agility. Time consuming and expensive certifications work for the governmental and critical infrastructure sectors, but cannot be applied to the dynamic world of consumer products with short life spans or multiple contexts of use. Therefore, DIGITALEUROPE believes any future actions by policy makers in the field of cybersecurity certification and labelling should take into consideration the following criteria:

1. Cybersecurity is a global issue and requires international solutions – Cyber attacks know no borders and therefore standards and related certifications play a significant role in creating a safer ICT environment. Any future EU activity in the field of cybersecurity standards, certifications and labels should take into due account the existing international ecosystem.

2. Flexible cybersecurity solutions – To stay ahead of malicious attackers, industry must be able to develop and deploy new tools to protect our digital economy against changing cyber risks. Policymakers should make sure that any regulatory action in this field keeps abreast of state-of-the-art technology.

3. One size does not fit all in a complex cyberspace – A new EU certification framework would not be able to cover a broad set of products/services as the nature of products and services as well as the magnitude of cybersecurity risk vary significantly.

4. Promoting consumer protection and innovation – Component/product labelling could potentially lead to a false sense of security for end-users in the consumer market. Benchmarking cybersecurity practices, on the contrary, would allow both consumers and organisations to compare situations and form an idea of the cybersecurity state-of-the-art.

5. Certification and competitiveness – Regulated certifications and security evaluation involve considerable costs. It is important that it remains voluntary and that a range of agile self-certification mechanisms are allowed to flourish according to the market at hand. It is important not to erect market barriers to smaller companies by mandating high entry costs.

Back to Cybersecurity
View the complete Policy Paper
Our resources on Cybersecurity
02 Oct 2023 Position Paper
Driving a resilient and commercially attractive raw material market in Europe: industry recommendations on the CRM Act
25 Sep 2023 Position Paper
Building a strong foundation for the Cyber Resilience Act: key considerations for trilogues
18 Sep 2023 Position Paper
Adapting ENISA’s mandate and collaboration in a changing cyber landscape
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.