Eurosmart, The Voice of the Smart Security Industry, welcomes results achieved by the Parliament and the Council during the first legislative phase of the Cyber Security Act.
It especially appreciates the work done by Angelika Niebler as Rapporteur of the proposals in the ITRE Committee. The efforts made to involve stakeholders in the debate were decisive in addressing important issues and in better defining the needs of industry. Eurosmart welcomes the full involvement of stakeholders throughout the evaluation of a candidate scheme, whether by attending the Group or by expressing their views through ad-hoc platforms or sub-groups.
Eurosmart also wishes to express its satisfaction with the views of the Council: its General Approach on the proposed Cybersecurity Act confirms the European Digital industries’ priorities by giving more consistency to the quality level of certification across the Member States, thanks to the accreditation and evaluation of the CABs. Eurosmart welcomes the Council proposal to carry out mandatory penetration testing (also known as Ethical Hacking) for assurance level “high” when evaluating a product’s or service’s resistance to potential attacks.
Eurosmart continues to advocate for “High” and “Substantial” levels of certification for which evaluation must be carried out by Conformity Assessment Bodies (CABs), performing penetration tests by “ethical hacking”.
When the vote is taken at the European Parliament, Eurosmart urges the MEPs not to water down the initial ambitions of the text, while protecting the European Digital Industry’s assets.
The conformity assessment method should be carefully designed by the regulator to avoid any misunderstanding and to achieve a risk-based approach according to the three levels.
The regulator shall define the way CABs are accredited and audited to ensure the quality of the evaluation method, which cannot be a purely market-driven approach when it comes to protecting strategic assets and citizens’ lives.
A mix-up of safety and security aspects is to be avoided. Self-certification could be useful to attest to the “safety” level of products and services, but concrete steps are needed to define a high-quality approach for the EU cybersecurity market. Self-declaration of conformity alone is not enough to prevent potential attacks, given the increasing number of connected devices that could be used in hostile environments.
A European cybersecurity certification framework targeting scalable security requirements (high, substantial, basic) could become an asset for European industry and a protection for consumers and citizens. Certification is the sole way to face potential cyberattacks and the indispensable means to reach an upwards-harmonised European Framework.
Without strengthened EU cybersecurity certification schemes, a potential EU trust label for IoT would be worthless. Eurosmart considers the Cybersecurity Act and its certification scheme as a building block of a trusted Digital Single Market.
When it comes to the protection of personal data and with regard to the GDPR, Eurosmart urges the legislator to avoid double certification. GDPR certification should also be covered by the EU Cybersecurity Certification Framework, especially when it comes to IoT devices which process personally identifiable information.
Certification is also the condition to review the “Product Liability Directive” on the basis of new technologies and ICT devices. Without any clear definition of certification objectives (i.e. what is tested according to the different security levels), the identification of the responsibility chain would become even more complex.
The European Digital Security Industry has developed unique and globally recognised know-how. The EU cybersecurity certification Framework will contribute to a highly secure Digital Single Market and will benefit the whole European Digital industry.