NIS 2: Mandatory certification should not be discarded


Eurosmart has long been advocating for mandatory cybersecurity certification of specific products used by Operators of Essential Services and Digital Service Providers (NIS 1), now called essential and important entities (NIS 2). Cybersecurity certification ensures that products resist a given level of cyber-attacks. Such a level needs to be high in the case of essential and important entities, given the crucial role they play in our society.

The Cybersecurity Act creates a valuable framework for the development of European cybersecurity certification schemes. European cybersecurity certification at level high is the only effective way to strengthen the robustness and the cyber resilience of these critical entities. This framework delivers cross-border consistency in evaluation tests and methodologies for security requirements supported by ENISA and legally adopted by the Commission and the Member States.

European cybersecurity certification is a matter of digital sovereignty: it ensures that our European companies are adequately protected, which also means that citizens’ and companies’ data are protected from malicious interference.

Our association warmly welcomed the Commission’s proposal for a revised NIS Directive. Article 21 of the proposal states that Member States “may require” essential and important entities to certify certain ICT products using a European certification scheme. It also stipulates that the Commission is empowered to adopt delegated acts on mandatory certification.

The draft report currently under discussion within the ITRE Committee[1], rapporteur for NIS 2, discards this possibility for Member States to require certification. The report opted for purely voluntary certification.

Eurosmart believes that this goes against the initial objective of the NIS directive, which is to enhance the overall level of cybersecurity of essential and important entities. The proposal from the Commission lays down a flexible provision – stating that Member States “may require” certification. In our view, this is a balanced approach.

On the broader front, the EU legislative corpus dealing with cybersecurity should seek to make the best use of the European cybersecurity certification framework.

NIS 2 forms part of the EU’s Cybersecurity Strategy for the Digital Decade[2], adopted on 16 December 2020; it aims at strengthening collective capabilities to respond to major cyberattacks. Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, expressed the EU’s ambition to enhance the cyber resilience of the continent: “The digital transformation is accelerating, but can only succeed if people and businesses can trust that the connected products and services – on which they rely – are secure.” With this aim in mind, Europe should make the best use of already existing tools such as EU cybersecurity certification and the EU standardisation approach to protect its critical assets.

EU cybersecurity certification is the best way to provide a consistent cybersecurity approach among the Member States; at the same time, it guarantees respect for the EU’s fundamental values of security and privacy. Therefore, Eurosmart actively contributes to the Commission’s effort in developing new cybersecurity schemes, evaluation methods, and harmonised standards. For the sake of cybersecurity and digital sovereignty, it is necessary to go back to the initial version of Article 21 of the NIS 2 proposal.

[1] 03/05/2021 – ITRE Draft Report on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (COM(2020)0823 – C9-0422/2020 – 2020/0359(COD))

[2] On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy.