02 Mar 2017

DIGITALEUROPE’s views on Cybersecurity Certification and Labelling Schemes

EXECUTIVE SUMMARY

DIGITALEUROPE, as the voice of the digital technology industry in Europe, welcomes the opportunity to comment on the European Commission’s on-going work within the field of cybersecurity, particularly the potential role for cybersecurity certification and labelling schemes for ICT products. DIGITALEUROPE is concerned that the potential future proposals of the European Commission in the field of cybersecurity certification and labelling may be focusing on the wrong policy priorities.

DIGITALEUROPE wishes to emphasise that today we already have mature frameworks to support higher security environments as well as lighter self-assessment approaches that serve dynamic emerging markets. The European Commission should not look to establish new frameworks, as they typically take decades to be developed and adopted. Instead, the two current approaches need to be developed further for greater efficiency and agility. Time-consuming and expensive certifications work for the governmental and critical infrastructure sectors, but cannot be applied to the dynamic world of consumer products with short life spans or multiple contexts of use. Therefore, DIGITALEUROPE believes any future actions by policy makers in the field of cybersecurity certification and labelling should take into consideration the following criteria:

1. Cybersecurity is a global issue and requires international solutions – Cyber attacks know no borders and therefore standards and related certifications play a significant role in creating a safer ICT environment. Any future EU activity in the field of cybersecurity standards, certifications and labels should take into due account the existing international ecosystem.

2. Flexible cybersecurity solutions – To stay ahead of malicious attackers, industry must be able to develop and deploy new tools to protect our digital economy against changing cyber risks. Policymakers should make sure that any regulatory action in this field keeps abreast of state-of-the-art technology.

3. One size does not fit all in a complex cyberspace – A new EU certification framework would not be able to cover a broad set of products/services as the nature of products and services as well as the magnitude of cybersecurity risk vary significantly.

4. Promoting consumer protection and innovation – Component/product labelling could potentially lead to a false sense of security for end-users in the consumer market. Benchmarking cybersecurity practices, on the contrary, would allow both consumers and organisations to compare situations and form an idea of the cybersecurity state-of-the-art.

5. Certification and competitiveness – Regulated certifications and security evaluation involve considerable costs. It is important that certification remains voluntary and that a range of agile self-certification mechanisms is allowed to flourish according to the market at hand. It is important not to erect market barriers to smaller companies by mandating high entry costs.
