For flexible and market relevant cybersecurity compliance and certification schemes - Orgalime comments on the Commission proposal for a Regulation on a “Cybersecurity Act” (COM(2017) 477 final)

Published: 8 February 2018

Policies & Issues: Digital Transformation

On 13 September 2017, the European Commission presented a series of policy and legislative initiatives aiming at completing and reinforcing the cybersecurity pillar of the Digital Single Market.

It is of critical interest to our industry to provide its customers with increasingly interconnected and smart products and services that are safe and secure. Cybersecurity is a prerequisite for the functioning of the Digital Single Market and a fast-moving target that cannot be addressed by a one-size-fits-all solution. Our industry is committed to providing customers with the highest level of protection possible against any cyber-attack or unauthorized harmful manipulation or destruction of data. Orgalime is committed to enhancing Europe’s cybersecurity capacity and to nurturing trust in ICT products and services. The Commission proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") is a first step towards a safer and more secure European Digital Single Market.

However, we are concerned that the current draft proposal for a regulation and the regulatory format of a European Cybersecurity Certification Framework (ECCF) fundamentally depart from the robust experience of European harmonisation legislation for products introduced by the New Approach to technical harmonisation and codified in a “New Legislative Framework” (NLF) in 2008. Orgalime underlines the importance and relevance of NLF principles when it comes to legislation applying to the placing of products on the market. These are based on international and European standards, flexible adaptation of product requirements via standardisation procedures, and well-established and widely accepted conformity assessment procedures (including the manufacturer’s self-declaration of conformity and third-party certification). Such a well-established system strives for broad acceptance by users and providers, safeguarding a level playing field within the market for domestic manufacturers and importers, and finally an adequate and effective enforcement.

Finally, static schemes do not necessarily offer the preferred approach to cybersecurity. Therefore, a sectoral approach that takes into consideration the different exposure levels, threats and security architectures of individual economic sectors is necessary, as a one-size-fits-all approach will not be appropriate to promote cybersecurity.

Pierre Lucas
Manager - Industrial Policy & Digitalisation
