25 Jun 2018

Cross-industry and standards development organisations open letter on the EU Cybersecurity certification framework proposal

Our associations represent more than 56 000 companies in Europe in key areas for jobs and economic development in Europe.

Ahead of the expected vote on 10 July in the European Parliament’s Industry, Research and Energy (ITRE) committee, we urge European decision-makers to ensure that the EU cybersecurity certification framework will not be detrimental to the competitiveness of the EU industry and will rather support a flexible and futureproof framework. The Cybersecurity Act aims to harmonise the Single Market and contribute to the establishment of the Digital Single Market, increase cybersecurity in Europe and turn the EU cybersecurity certification schemes into a competitive advantage for the industry and a globally-recognised instrument.

Our associations have, however, a number of recommendations as regards ongoing political discussions, and therefore call on the European Parliament to consider with specific attention the five following points:

  1. The voluntary approach to certification is key for it to remain a competitive advantage for the industry and avoid unintended consequences both on smaller market actors and on already heavily regulated sectors. We therefore recommend keeping the voluntary nature of the certification framework, possibly to be reviewed at a later stage, according to the evolution of the cybersecurity landscape. To avoid potential Single Market fragmentation, it is key to avoid a situation, where national legislation can mandate a scheme.
  2. Conformity assessment methods and requirements should be defined in the schemes and not in the regulation itself so as to allow for a fit-for-purpose approach according to risks and use cases. Allowing for self-declaration of conformity is fundamental to streamline the certification process and make it accessible to all market actors.
  3. A clear framework for the participation of the industry should be defined, to make sure ENISA collaborates openly with the industry when preparing, elaborating and adopting candidate schemes. We support the proposal of the European Parliament to set specific ad-hoc consultation platforms but to occur on a systematic basis with formal rules to ensure a level playing field for stakeholders’representation. A positive step to this direction can also be the proposal for the establishment of a“Stakeholder Certification Group”.
  4. The adoption of the schemes should include a process to ensure that they are aligned or could take part in existing international mutual recognition agreements to ensure that the EU certificates are globally recognised.
  5. Reference to global standards should prevail. This includes European Standards, International Standards, and Technical Specifications, that have been developed in accordance with defined principles in EU standardisation legislation (i.e. Annex II of Regulation EU 1025/2012), developed in an inclusive and transparent way. Allowing for any deviation from this principle creates uncertainty for market players and would need to be clarified.

 

For more information please contact
Alberto Di Felice
Policy and Legal Counsel
Back to Cybersecurity & Digital Resilience
View the complete Policy Paper
PDF
Our resources on Cybersecurity & Digital Resilience
13 Dec 2024 Policy Paper
Strengthening healthcare cybersecurity: Focus on implementation, not new legislation
11 Dec 2024 Position Paper
Recommendations on updated draft CRA standardisation request
14 Nov 2024 The Download
The Download - Taming the cyber storm whilst empowering European businesses to thrive
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept