22 Oct 2018

Joint industry letter on trialogue negotiations on the Cybersecurity Act

The ongoing negotiations between the European Parliament and the Council to set up an EU cybersecurity certification framework will have profound implications for the future of Europe’s industrial system, European companies being the first impacted by the final design of the framework.

Members of the co-signing associations are developing the ICT products, services and processes that will be the source for Europe’s innovation, growth and competitiveness in core sectors of the digitised economy – industrial applications, connected and autonomous vehicles, medical technology and more. Protecting the safety, reliability and security of our companies’ products and systems is part and parcel of their future success.

We have always been committed to these goals and have extensive experience with the EU’s longstanding placing on the market and market surveillance frameworks. In this context, the cybersecurity certification framework should be a way to boost the EU’s competitiveness – it should not prevent innovation due to a rigid approach. The framework should act as an opportunity for innovators to add value to their offerings and better compete in fast-changing markets, while improving security. The final Cybersecurity Act, therefore, should be flexible and future-proof, which means:

  • Industry involvement needs to be a central element in the development of certification schemes. Without structured industry input in all phases of the schemes’ development and the ability for industry experts to participate in the development of individual schemes as needed, the framework will not generate state-of-the-art or market-relevant outcomes. We support the European Parliament’s amendment to have ad hoc consultation groups for each scheme (Article 20a).
  • The framework should not make schemes mandatory from the start. The competitiveness of our members and their growth opportunities would be severely hampered if certification were to be conceived as a market access barrier, before the market itself is mature enough to warrant mandatory schemes. We urge a careful reconsideration of the mandatory aspects introduced by the European Parliament (new article 48a).
  • Self-assessment, including declaration of conformity, has for decades been a tried and well-respected procedure for companies to demonstrate their compliance with essential health and safety requirements for connected products. In markets that have not yet been fully developed or that are changing at an unprecedented pace, new features and products would take an inordinate amount of time to reach professional customers and consumers if they were to undergo lengthy and cost-intensive third-party certification procedures, especially for SMEs. We support provisions of the European Parliament and Council introducing the possibility for self-assessment and regret its limited applicability to the most basic cybersecurity risk, which does not match the need for a substantial assurance level in most industrial applications.
  • Interoperability with existing international agreements, regulations and standards should be embedded in the development of future schemes. Our members need scale not just on the European market but also globally, and it is vital that European certification schemes do not reduce the addressable market. We oppose Article 47(1)(b) of the Council’s General Approach in the part providing for the possibility to introduce ‘technical specifications or other cybersecurity requirements’ in a scheme, if standards or technical specifications are not available.

Our associations want to make the EU cybersecurity certification framework a success for both the security and the competitiveness of our industries, and therefore urge the co-legislators to focus on the above points.


For more information, please contact:
Alberto Di Felice
Senior Policy Manager for Infrastructure, Privacy and Security
Martin Bell
Policy Officer for Privacy and Cybersecurity