07 Feb 2018 Cybersecurity Act: Five outcome-based principles from the digital security industry
The proposal for a Cybersecurity Act is a matter of European industrial policy and economic growth as well as being of importance for European digital sovereignty and societal choices.
The level of resistance to potential attacks on European encryption solutions will be key to the technical transposition of articles 7 and 8 of the European Union Charter of Fundamental Rights.
The Cybersecurity Act is part of the new social contract for the digital age. Therefore, we will bear the responsibility for drawing up fair provisions which uphold the interests of European citizens, Member States, European industry, the European Institutions and the digital single market. We must make sure that the process of establishing confidence in products through a new ENISA-led certification framework is beneficial, first and foremost, to European citizens.
With this vision in mind, Eurosmart invites both co-legislators to take 5 critical points into account when considering the initial proposal from the European Commission.
· Firstly, clear legal definitions of essential terms referring to IT and security ecosystems (aka “cybersecurity”).
· Secondly, fair and open European governance during the preparation phase of candidate European certification schemes.
· Thirdly, a well-defined European certification objective that is apt for each level of certification. Above all, the co-legislators should ensure that the ‘substantial’ and ‘high’ levels require mandatory penetration testing (“pentest” or “ethical hacking”) of the product by Conformity Assessment bodies (CABs) whilst a product is being evaluated.
· Fourthly, European standards must be the basis for the preparation of a new candidate European certification scheme.
· And finally, ENISA’s “Intellectual Property Rights” (IPR) policy should be spelled out in the Cybersecurity Act.