For flexible and market relevant cybersecurity compliance and certification schemes - Orgalime comments on the Commission proposal for a Regulation on a “Cybersecurity Act” (COM(2017) 477 final)

Published: 8 February 2018

Policies & Issues: Digital Transformation

On 13 September 2017, the European Commission presented a series of policy and legislative initiatives aiming at completing and reinforcing the cybersecurity pillar of the Digital Single Market.

It is of critical interest to our industry to provide its customers with increasingly interconnected and smart products and services that are safe and secure. Cybersecurity is a prerequisite for the functioning of the Digital Single Market and a fast moving target, which cannot be solved by one-fits-all solution. Our industry is committed to provide customers with the highest level of protection possible against any cyber-attack or unauthorized harmful manipulation or destruction of data. Orgalime is committed to enhancing Europe’s cybersecurity capacity and to nurture trust in ICT products and services. The Commission proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'') is a first step towards a safer and more secure European Digital Single Market.

However, we are concerned that the current draft proposal for a regulation and the regulatory format of a European Cybersecurity Certification Framework (ECCF) fundamentally depart from the robust experience of European harmonisation legislation for products introduced by the New Approach to technical harmonisation and codified in a “New Legislative Framework” (NLF) in 2008. Orgalime underlines the importance and relevance of NLF principles when it comes to legislation applying to the placing of products on the market. These are based on international and European standards, flexible adaptation of product requirements via standardisation procedures, well-established and widely accepted conformity assessments procedures (including the manufacturer’s self-declaration of conformity  and third party certification). Such a well-established system strives for broad acceptance by users and providers, safeguarding a level-playing field within the market for domestic manufacturers and importers, and finally an adequate and effective enforcement.

Finally, static schemes do not necessarily offer the preferred approach to cybersecurity. Therefore, a sectoral approach that takes into consideration the different exposure levels, threats and security architectures of individual economic sectors is necessary as a one-size-fits-all approach will not be appropriate to promote cybersecurity.

Download the position paper above to read our position in full.


Pierre Lucas
Manager - Industrial Policy & Digitalisation

Related Position Papers

Digital: Cyber Resilience Act: Europe’s technology industries ask decision-makers to proceed with care and caution [7 November 2023]

Digital: Joint Industry Statement on CRA [10 May 2023]

Digital Transformation: Orgalim’s position on the Cyber Resilience Act [5 April 2023]

Digital Transformation: Joint Statement - The Data Act is a leap into the unknown [1 February 2023]

Digital Transformation: Underestimating the Data Act’s impact on trade secrets’ protection will undermine European industrial competitiveness [17 January 2023]

Digital Transformation: Industry calls on EU legislators to respect principles of the New Legislative Framework in the AI Act [30 September 2022]

Digital Transformation: Orgalim position on the Chips Act proposal [9 September 2022]

Digital Transformation: Orgalim position on the Data Act proposal [12 May 2022]

Digital Transformation: Orgalim position on the future Cyber Resilience Act [29 April 2022]