VDMA welcomes EU framework for cybersecurity certificates
Only one certificate in all of Europe to prove the cyber security of an IT product: This possibility is created by the "Cybersecurity Act", on which the EU Parliament, member states and European Commission agreed in December. In the political process of recent months, the original proposal has been significantly improved – especially with regard to transparency and industry participation. Nevertheless, the VDMA believes that this framework law can only be a first step. It does regulate the allocation of proofs, but the framework does not represent a genuine internal market regulation. It is considered to be disappointing that only limited use of a manufacturer's self-declaration is possible.
In future, there will be a so-called "European Cybersecurity Certification Group" and a "Stakeholder Participation Group", through which member states or industry can submit proposals to the EU Commission if a Europe-wide regulated certification for a certain product group appears necessary. If the proposal is accepted, the European Agency for Cyber Security (ENISA) will work out the details with the participation of the industries concerned. The EU Commission will then have the final say and the certification system will be valid throughout Europe. From this moment on, national systems will lose their validity. The certification framework is basically voluntary, but the legislator reserves the right to introduce an obligation within the framework of further legislative acts.
From the point of view of the VDMA, it is good that the issue of cybersecurity is finally being addressed at European level. In the trilogue, the European Parliament and the member states have also achieved considerable improvements in terms of transparency and industrial participation. For example, a public work plan is now planned. However, a major design flaw had only been insufficiently remedied: The option of the manufacturer's self-declaration, which is important for innovation and efficiency, is now envisaged, but only for a basic level of cyber security. In principle, the Cybersecurity Act relies largely on third-party certification, an otherwise expensive and cumbersome evaluation procedure that the VDMA considers to be suitable only in exceptional cases.
The VDMA sees the Cybersecurity Act only as a first step. Rather, the European internal market needs a uniform legal regulation that guarantees the secure exchange of company and product data.