OFE Suggestions for Cybersecurity Act Trilogue

23 October 2018

Author: Sivan Pätsch

OpenForum Europe (OFE) appreciates and welcomes the progress made by the co-legislators in improving upon the proposal of the Commission and is pleased to see that many OFE core priorities are reflected in both the Parliament’s Report and the Council’s General Approach. OFE wishes to contribute to finding a timely conclusion to the negotiations through the suggestions below.

On the Stakeholder groups, OFE would like to stress that groups should be advisory to the Commission, ENISA and Member States. Furthermore, we suggested taking advantage of the existing Multi Stakeholder Platform on ICT Standardisation (‘MSP’). This group already convenes all major actors, such as Member States, international, global and European standards organisations, consumer groups and industry representatives involved in ICT standardisation. For this reason we suggested utilising the MSP by setting up a specialised Task Force under the MSP as the Stakeholder advisory body.

On the advisory bodies, Article 19(4) gives wide-ranging powers to the Executive Director to create and disband groups. We strongly suggest that the agreed text should require one advisory body for the certification framework, and we would also like to reiterate that there should be a provision in the agreed text requiring consultation.

In regard to the possibility of self-assessment, many companies have established internal certification labs, which can be used for self-assessment. Excluding these labs from consideration for substantial and high levels of assurance will increase costs with no tangible benefit. Moreover, the naming of and interaction between assurance levels and evaluation levels should be improved, as it is currently lacking. We do see the benefit of evaluation levels and wish to see them preserved.

Lastly, pertaining to the provisions regarding a work programme, we understand the concerns in regard to speed, though we do see it as very important to have a robust up-front understanding of which areas will be tackled and therefore support such a work programme. The Annual Union Work Programme for European standardisation provides a compelling example, including the template documentation utilised to optimise operational impact.