POSITION | DIGITALISATION | CYBERSECURITY
Improving the drafting process of EU Cybersecurity Schemes: Lessons learned and proposals

3rd May 2022

Drafting EU Cybersecurity Certification Schemes must be more transparent

In 2019, the European Cybersecurity Act (EU CSA) was enacted with a view to strengthening the EU Agency for Cybersecurity (ENISA) and establishing a cybersecurity certification framework for products and services. Considering the experience with the preparation of the EU Cloud Scheme (EUCS) and the EU Common Criteria Scheme (EUCC), German industry proposes concrete measures directed at enhancing the transparency and stakeholder inclusion of the process of preparing these and future schemes. Moreover, we see the need to limit the scope of such schemes to purely technical aspects.
Policy recommendations

The Federation of German Industries urges the European Commission, Member States, the European Parliament and ENISA to adopt the following measures:

1. Enhance the transparency of and stakeholder inclusion in the process of drafting EU cybersecurity certification schemes by:
   a. publishing, on a quarterly basis, the draft of each scheme
   b. offering quarterly webtalks for stakeholders to comment on the current draft
   c. better involving the Stakeholder Cybersecurity Certification Group (SCCG)

2. Narrow the scope of EU Cybersecurity Certification Schemes to technical, rather than political aspects: we urge the European co-legislators to limit the scope of EU cybersecurity certification schemes to technical aspects. The current inclusion of highly political topics, such as the ownership of companies, should be discussed within the ordinary legislative procedure, which provides for democratic legitimation by the co-legislators as well as transparent public consultation.

3. Mandatory application of cybersecurity certification schemes should only be the ultima ratio: the European Commission should only make the application of EU CSA schemes or European / international standards mandatory if the voluntary application of European schemes does not lead to the aspired increase in cyber-resilience. Rather than solely focusing on schemes, references to international or European harmonised norms should remain the preferred option.

4. Propose an EU Cyber Resilience Act that introduces horizontal cybersecurity requirements based on the New Legislative Framework.

Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin | www.bdi.eu
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu
Registered in the German Lobbyregister (R000534) and the EU Transparency Register (1771817758-48)
Three measures to enhance transparency and inclusion

The drafting of EU cybersecurity certification schemes within the framework of the EU CSA should provide for a maximum degree of transparency by involving all affected stakeholders, granting easy public access to documents, disclosing the involvement of stakeholders participating in the editorial process and providing all interested parties with several commenting opportunities within reasonable timeframes. In contrast, the current process of drafting cybersecurity certification schemes is characterised by an unacceptable lack of transparency for associations and SMEs. This is because Article 8 (1) CSA tasks ENISA with the preparation of these schemes and only grants the few interested parties selected for a scheme-specific working group according to Article 49 (4) the possibility to provide their input directly to a specific scheme. As the co-legislators are most likely to introduce in Article 21 of the NIS 2 Directive the possibility for Member States to require companies to certify ICT products or services under EU CSA schemes, a high degree of transparency in the process of drafting these schemes is paramount. German industry urges ENISA, the EU Commission and Member States to adjust the processes for the development of schemes in such a way as to mirror the principles and processes of international and European standardisation. Therefore, the following three measures should be adopted by ENISA:

Quarterly publication of draft versions of schemes

Currently, ENISA's most "recently" published updates of the EUCC and EUCS schemes are eight to ten months old and therefore most likely no longer represent the state of discussion within the respective working groups. German industry urges ENISA to publish the current draft of each scheme on a quarterly basis. Thereby, industry associations and other interested parties, such as SMEs, that were not selected as members of the working groups responsible for a particular scheme would nonetheless be able to inform themselves about the current ideas and send comments to ENISA.

Offering quarterly webtalks for industry and civil society

In addition to the quarterly publication of a draft of each scheme, ENISA and the leader of the working group responsible for a scheme should offer one public webtalk every three months, in which they inform all interested stakeholders about current developments relating to the scheme. In such a webtalk, stakeholders should be given the opportunity to flag their concerns and opinions. The working group should then integrate these remarks when continuing its work on the scheme.

Involving the Stakeholder Cybersecurity Certification Group (SCCG)

German industry appreciates that the co-legislators agreed to set up a Stakeholder Cybersecurity Certification Group (SCCG) to ensure that industry's experience is taken into account when developing the annual rolling work programme as well as when developing the cybersecurity certification schemes. However, German industry became aware that especially the latter duty cannot be fulfilled by the SCCG, as the SCCG is neither provided with drafts of the schemes nor consulted in a structured manner on the content of a particular scheme. This situation is completely unacceptable, as it renders a structured involvement of stakeholder interests impossible. German industry urges ENISA and the working groups responsible for drafting European cybersecurity certification schemes to regularly provide the members of the SCCG with the current draft and to consult them in a structured manner on their views on that draft version of a scheme. ENISA has to take this feedback into account when continuing its work on a scheme. The members of the SCCG should be allowed to share information concerning these schemes with other interested parties in order to ensure a maximum level of transparency and stakeholder involvement.
Narrowing the focus of EU Cybersecurity Certification Schemes to technical, rather than political aspects

In Article 51 of Regulation (EU) 2019/881, the co-legislators did not grant ENISA and the working group preparing an EU cybersecurity certification scheme the competence to define political requirements intended to augment Europe's digital sovereignty. Rather, the scope is directed at increasing the technical cyber-resilience and data protection of a product. Therefore, German industry urges the European Commission, Member States, ENISA and the working groups responsible for drafting a scheme to refrain from including politically motivated non-technical requirements in these schemes. For example, we oppose the integration of immunity requirements, including those concerning ownership structures, into EU CSA schemes. Such highly sensitive aspects need to be negotiated within the ordinary legislative procedure between the representatives of Europe's citizens, i.e. the Members of the European Parliament, and the EU Member States. Working groups within ENISA, the ECCG, the SCCG and national cybersecurity authorities do not have the democratic mandate to propose such measures.
Mandatory application of cybersecurity certification schemes should only be the ultima ratio

To ensure a holistic strengthening of Europe's cyber-resilience, a comprehensive approach combining technical, organisational, personnel-related and product-related measures is necessary. Therefore, German industry, in general, welcomes steps directed at enhancing the cyber-resilience of products and services. Companies should be free to choose whether to certify their product, service or process under a specific European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881, to certify it on the basis of European harmonised standards, or alternatively to opt for a conformity assessment by the manufacturer. The European Commission should only make the application of EU CSA schemes or European / international standards mandatory if the voluntary application of European schemes or European / international standards does not lead to the aspired increase in cyber-resilience.
The EU Cyber Resilience Act: Industry's general expectations

While improving the drafting process of EU CSA schemes is vital for the months to come, German industry would prefer an approach that introduces horizontal cybersecurity requirements based on the principles of the New Legislative Framework (NLF). A risk-adequate level of cybersecurity features in products, services and systems is paramount to ensuring public trust in the process of digitalisation as well as in digital solutions themselves. We urge the European Commission to base the EU Cyber Resilience Act on the NLF. Protective measures and resilience against cyber-attacks must be application-specific and risk-adequate. The NLF allows for the coverage of different risk levels and follows the necessary risk-based approach. Moreover, the NLF's innovation-friendly and technology-open approach is predestined to develop practical requirements. For details see: https://english.bdi.eu/publication/news/eu-wide-cybersecurity-requirements/
Imprint

Federation of German Industries / Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
German Lobbyregister Number: R000534
EU Transparency Register Number: 1771817758-48

Editorial
Steven Heckler
Deputy Head of Department
T: +49 30 2028-1523
s.heckler@bdi.eu

BDI Document number: D 1556