Cybersecurity Act: EU framework for cyber security certificates

The EU framework for cybersecurity certificates, the so-called Cybersecurity Act, is coming. The EU Parliament, the member states and the European Commission have agreed on it.

The Cybersecurity Act is coming. For now, however, it affects EU member states alone. (Symbol image: Unsplash)

Last December, the EU Parliament, member states and the European Commission agreed on the "Cybersecurity Act". In future, a single certificate is to attest to the cybersecurity of an IT product throughout Europe. In the political process of the last months, the original proposal was significantly improved, especially with regard to transparency and industry participation. Nevertheless, in the view of the VDMA, this framework law can only be a first step. Although it regulates the awarding of certificates, the framework does not amount to a genuine internal market regulation. It is disappointing that a manufacturer's self-declaration may be used only to a limited extent.

In the future, there will be a so-called "European Cybersecurity Certification Group" and a "Stakeholder Participation Group", through which member states or industry can submit proposals to the EU Commission if a Europe-wide regulated certification for a certain product group appears necessary. If the proposal is accepted, the European Cyber Security Agency (ENISA) will work out the details with the participation of the industries concerned. The EU Commission then has the final say and the certification system becomes valid throughout Europe.

From this moment on, national systems lose their validity. The certification framework is basically voluntary, but the legislator reserves the right to introduce an obligation within the framework of further legislative acts.

Improvements considered

In the trilogue, the European Parliament and the member states also achieved significant improvements in terms of transparency and industry participation. For example, a public working plan is now provided for. However, a major design flaw was only insufficiently eliminated: the manufacturer self-declaration option, important for innovation and efficiency, is now provided for, but only for a basic level of cybersecurity. In principle, the Cybersecurity Act relies largely on third-party certification, which, in the view of the VDMA (the German Engineering Federation e.V.), is only suitable in exceptional cases and otherwise amounts to an expensive and cumbersome evaluation procedure.

The VDMA sees the Cybersecurity Act as only a first step. Instead, the European single market needs a uniform legal regulation that guarantees the secure exchange of company and product data.
