Improving the drafting process of EU Cybersecurity Schemes


POSITION | DIGITALISATION | CYBERSECURITY

Improving the drafting process of EU Cybersecurity Schemes: Lessons learned and proposals

3rd May 2022

Drafting EU Cybersecurity Certification Schemes must be more transparent

In 2019, the European Cybersecurity Act (EU CSA) was enacted with a view to strengthening the EU Agency for cybersecurity (ENISA) and establishing a cybersecurity certification framework for products and services. Considering the experience with the preparation of the EU Cloud Scheme (EUCS) and the EU Common Criteria Scheme (EUCC), German industry proposes concrete measures directed at enhancing the transparency and stakeholder inclusion of the process of preparing these and future schemes. Moreover, we see the need to limit the scope of such schemes to purely technical aspects.

Policy recommendations

The Federation of German Industries urges the European Commission, Member States, the European Parliament and ENISA to adopt the following measures:

1. Enhance the transparency of and stakeholder inclusion in the process of drafting EU cybersecurity certification schemes by:
   a. publishing – on a quarterly basis – the draft of each scheme
   b. offering quarterly webtalks for stakeholders to comment on the current draft
   c. better involving the Stakeholder Cybersecurity Certification Group (SCCG)

2. Narrow the scope of EU Cybersecurity Certification Schemes to technical, rather than political aspects: we urge the European co-legislators to limit the scope of EU cybersecurity certification schemes to technical aspects. The current inclusion of highly political topics, such as the ownership of companies, should be discussed within the ordinary legislative procedure providing for democratic legitimation by the co-legislators as well as transparent public consultation.

3. Mandatory application of cybersecurity certification schemes should only be the ultima ratio: The European Commission should only make the application of EU CSA schemes or European / international standards mandatory if the voluntary application of European schemes does not lead to the aspired increase in cyber-resilience. Rather than solely focusing on schemes, references to international or European harmonised norms should remain the preferred option.

4. Propose an EU Cyber Resilience Act that introduces horizontal cybersecurity requirements based on the New Legislative Framework.

Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin | www.bdi.eu
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu
Registered in the German Lobbyregister (R000534) and the EU Transparency Register (1771817758-48)

