OFE Position on Cybersecurity Act Vote in ITRE

09 July 2018

Author: Sivan Pätsch

Rapporteur’s Compromise Amendments represent significant step towards establishing an effective, workable, risk-based regulatory tool to boosting trust and security in Europe.

OpenForum Europe appreciates the close collaboration with Members of Parliament and welcomes the significant improvements of the Rapporteur’s Compromise Amendments tabled for tomorrow’s vote on the Cybersecurity Act. We are pleased to see many of our core priorities reflected in the latest draft report and thus would welcome the report’s adoption and entry into trilogue. We do, however, still see areas of further improvement to ensure a more effective and workable regulatory instrument to improve trust and security in Europe.

OFE supports the inclusion of well established EU approaches of self-declaration of conformity to standards,regulations and certification. These tried and tested method offers the same security benefits with lower time-to-market and cost and therefore is positive for users and providers alike. The Rapporteur foresees limiting this method to the lowest assurance level though, which will mean many products will have to go through a lengthy and costly third-party certification process. OFE therefore recommends decoupling the method of certification from the assurance level and let each scheme decide what is appropriate.

The Rapporteur’s suggestion of a rolling work programme improves the scheme adoption mechanism. The addition of a formal, open, transparent and inclusive process establishes coordination between the European Commission, Member States, ENISA and stakeholders. This process could still be improved by the inclusion of the EU’s Multi-stakeholder platform for ICT standardisation, which would utilise another well established EU process.

OFE additionally welcomes the increased links to standards, technical specifications and ICT specifications as defined in regulation 1025/2012. Based on these, standards are developed by all stakeholders in an open and voluntary manner and in most cases self-assessments are carried out against these standards.

OFE would like to reaffirm its position that the proposed three-tiered assurance levels are not conducive to achieving the goal of the proposal. OFE suggests that assurance levels should be defined on a scheme-by-scheme basis. This approach would ensure schemes are tailor-made for their use-case which consider risks and do not confuse consumers by presenting labels for which the consumer has little context.