For flexible and market relevant cybersecurity compliance and certification schemes - Orgalime comments on the Commission proposal for a Regulation on a “Cybersecurity Act” (COM(2017) 477 final)

On 13 September 2017, the European Commission presented a series of policy and legislative initiatives aiming at completing and reinforcing the cybersecurity pillar of the Digital Single Market.

It is of critical interest to our industry to provide its customers with increasingly interconnected and smart products and services that are safe and secure. Cybersecurity is a prerequisite for the functioning of the Digital Single Market and a fast moving target, which cannot be solved by one-fits-all solution. Our industry is committed to provide customers with the highest level of protection possible against any cyber-attack or unauthorized harmful manipulation or destruction of data. Orgalime is committed to enhancing Europe’s cybersecurity capacity and to nurture trust in ICT products and services. The Commission proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'') is a first step towards a safer and more secure European Digital Single Market.

However, we are concerned that the current draft proposal for a regulation and the regulatory format of a European Cybersecurity Certification Framework (ECCF) fundamentally depart from the robust experience of European harmonisation legislation for products introduced by the New Approach to technical harmonisation and codified in a “New Legislative Framework” (NLF) in 2008. Orgalime underlines the importance and relevance of NLF principles when it comes to legislation applying to the placing of products on the market. These are based on international and European standards, flexible adaptation of product requirements via standardisation procedures, well-established and widely accepted conformity assessments procedures (including the manufacturer’s self-declaration of conformity  and third party certification). Such a well-established system strives for broad acceptance by users and providers, safeguarding a level-playing field within the market for domestic manufacturers and importers, and finally an adequate and effective enforcement.

Finally, static schemes do not necessarily offer the preferred approach to cybersecurity. Therefore, a sectoral approach that takes into consideration the different exposure levels, threats and security architectures of individual economic sectors is necessary as a one-size-fits-all approach will not be appropriate to promote cybersecurity.

Download the position paper above to read our position in full.