EU Parliament’s position on NIS 2 Directive

Page 20

NIS 2-Directive: Evaluation of the ITRE Committee’s compromise position

Use of European cybersecurity certification schemes (Article 21)

Summary of legislative proposal: Member States shall, following guidance from ENISA, the Commission and the Cooperation Group, encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, under European cybersecurity schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or, if not yet available, under similar internationally recognised certification schemes. The Commission is empowered to adopt delegated acts to supplement the NIS 2-Directive by specifying which categories of essential and important entities are required to obtain a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881. Such delegated acts shall be considered where insufficient levels of cybersecurity have been identified, shall be preceded by an impact assessment and shall provide for an implementation period.

BDI’s position: To strengthen the cyber-resilience of essential and important entities comprehensively, a holistic approach combining technical, organisational, personnel-related and product-related measures is required. German industry welcomes the EU Commission’s intention to address the product dimension. However, the EU Commission’s current proposal is not adequate for several reasons:

1. German industry disapproves of the primary focus on specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, especially since these schemes were always intended to be voluntary. Rather, we urge the European Commission to propose a legislative act containing horizontal cybersecurity requirements based on the NLF, as announced in the working programme for 2022. Details on BDI’s proposal for introducing horizontal, mandatory cybersecurity requirements based on the NLF can be found here: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/

2. Since the producer or distributor of an ICT product, ICT service or ICT process is responsible for the certification of the respective product, service or process, it should be the responsibility of the producer or distributor to ensure certification of its product, service or process. Hence, the wording in paragraph 1 must be adjusted accordingly.

3. Paragraph 2 currently does not state for which concretely defined products, services and systems an essential or important entity has to obtain a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881. German industry urges the co-legislators to introduce the requirement to certify components, processes or services only for those components, processes or services that are utilised in security-critical areas. At the same time, the co-legislators should introduce a mechanism that ensures that the manufacturer (e.g. hardware and software provider) obtains the required certificates.

4. Companies should be able to choose whether to certify their product, service or process under a specific European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881 or on the basis of European harmonised standards, or alternatively to opt for a conformity assessment by the manufacturer.

5. Especially for smaller important entities, having to rely only on certified products or services will prove costly without necessarily enhancing the entity’s cyber-resilience.
