
Standardisation (Article 22)

Proposed changes to the legislative text:

1. Member States ENISA shall, following guidance from ENISA, the Commission and the Cooperation Group, encourage essential and important entities to utilise in particularly security-critical areas, defined by a list of critical functionalities, only certify certain ICT products, ICT services and ICT processes, either developed by the essential or important entity or procured from third parties, which are certified under European cybersecurity schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 or, if not yet available, under similar internationally recognised certification schemes or based on European harmonised standards. Furthermore, Member States shall encourage essential and important entities to use qualified trust services pursuant to Regulation (EU) No 910/2014.

2. The Commission is empowered to adopt delegated acts, in accordance with Article 36, to supplement this Directive by specifying which categories of hard- and software providers for essential and important entities are required to obtain for ICT products, ICT services and ICT processes that are utilised in security-critical areas a certificate under specific European cybersecurity schemes pursuant to Article 49 of Regulation (EU) 2019/881 under similar internationally recognised certification schemes or based on European harmonised standards. Such delegated acts shall be considered where insufficient levels of cybersecurity have been identified, shall be preceded by an impact assessment and shall provide for an implementation period.

3. The Commission shall propose a legislative act containing horizontal cybersecurity requirements based on the New Legislative Framework for ICT products, ICT services and ICT processes may, after consulting with the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881 in cases where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 is available.

Standardisation (Article 22)

Summary of legislative proposal:

In order to promote the convergent implementation of cybersecurity risk mitigating measures, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

BDI’s position:

German industry welcomes the technology-neutral approach adopted by the European Commission regarding recommendations for the implementation of cybersecurity risk mitigating measures. Furthermore, we welcome that – in contrast to Germany’s new IT Security Law 2.0 – the European Commission focuses on the adoption of European and international standards. This will facilitate the spread of such universal standards. However, to ensure that entities operating in more than one country do not have to fulfil diverging requirements, German industry would welcome it if ENISA were to recommend basic guidelines for such measures for the entire EU.

Proposed changes to the legislative text:

1. In order to promote the convergent implementation of Article 18(1) and (2), Member States ENISA shall, without imposing or discriminating in favour of the use of a particular type of
