10-Point Plan for Europe


06 Ensuring consistent cyber regulation for Europe

European companies strive to offer products, processes and services that possess a degree of cyber resilience adequate to the likely risk. At the same time, however, one hundred percent cyber security cannot be achieved, let alone guaranteed, because attack vectors are constantly changing, new vulnerabilities are identified, and human error can never be completely avoided. This makes it all the more important for companies to ensure that their efforts to strengthen cyber resilience are not thwarted by inconsistent regulations, national unilateral approaches or one-sided requirements. Since often more than one rule applies to products, consistent and coherent requirements are essential for maintaining the international competitiveness of companies.

Against the background of an increasing fragmentation of legal requirements for cyber security for products and services, coupled with a growing need to strengthen the cyber resilience of products, processes, services and systems, the following principles are needed, and should be taken into account in current and forthcoming cybersecurity legislation by both the EU and national governments:

Firstly, it is important to ensure coherent regulatory requirements to strengthen Europe’s cyber resilience, while avoiding competitive disadvantages for European companies. It is important to avoid hasty additions and extensions to legal requirements on cyber resilience. Rather, an approach is required that takes into account that products, processes, services and systems often fall under more than one regulation.

Secondly, regulators should give precedence to European requirements over national unilateral regulatory approaches in order not to endanger the success of the European internal market. For example, the introduction of a national IT security label is not appropriate. Instead, a European solution is needed from the outset. Only an IT security label that is uniform throughout Europe, easy to understand and accompanied by efficient market supervision will be able to contribute to strengthening cyber resilience.

Thirdly, products, processes, systems and services do not all require the same level of protection. Hence, a risk-based approach is needed to ensure adequate and effective protection.

Fourthly, German industry recommends that European standardisation bodies should be involved in the development of cyber security requirements according to the principles of the New Legislative Framework (NLF). The successful regulatory model of the European Union – the New Legislative Framework – with its established processes and high temporal efficiency, is suitable for addressing the challenges posed by maintaining cyber security, while at the same time ensuring system coherence. The legislator should merely define the protection objectives, which should then be concretised in European harmonised standards.

Finally, all stakeholders – from hardware and software manufacturers to commercial operators and private users – should be actively involved to holistically strengthen the cyber resilience of products, processes, systems and services.



Published by Bundesverband der Deutschen Industrie e.V.