EU agrees on framework for cyber security certificates

A single certificate, valid throughout Europe, to prove the cyber security of an IT product: this possibility is created by the “Cybersecurity Act”, on which the EU Parliament, the member states and the European Commission agreed in December. During the political process of recent months, the original proposal has been significantly improved, in particular with regard to transparency and industry participation. Nevertheless, from the point of view of the VDMA, this framework can only be a first step. The framework does not provide for genuine internal market regulation, although it does regulate the granting of evidence. It is disappointing that only a limited use of a manufacturer’s self-declaration is possible.

In future, there will be a so-called “European Cybersecurity Certification Group” and a “Stakeholder Participation Group”, through which member states or industry can submit proposals to the EU Commission if a Europe-wide regulated certification for a specific product group appears necessary. If a proposal is adopted, the European Cyber Security Agency (ENISA) will work out the details with the involvement of the sectors concerned. The EU Commission will then have the last word, and the certification scheme will be valid throughout Europe. From that moment on, national schemes lose their validity. The certification framework is voluntary in principle, but the legislator reserves the right to introduce an obligation within the framework of further legislative acts.

From the point of view of the VDMA, it is good that the issue of cybersecurity is finally being addressed at European level. In the trialogue, the European Parliament and the member states also achieved considerable improvements in terms of transparency and industry participation. For example, a public work plan is now provided for. However, a major design flaw was only insufficiently eliminated: the option of manufacturer self-declaration, which is important for innovation and efficiency, is now planned, but only for a basic level of cyber security. In principle, the Cybersecurity Act relies largely on third-party certification, which, from the point of view of the VDMA, is only suitable in exceptional cases and is otherwise an expensive and cumbersome evaluation procedure.

The VDMA sees the Cybersecurity Act only as a first step. Beyond it, the single European market needs a single piece of legislation to ensure the secure exchange of company and product data.