ETSI Releases Cautionary Statement on Proposed Cybersecurity Act

ETSI has just released releases a position paper on the European Commission proposal of Cybersecurity Act (Regulation 2017/0225).

In September 2017, the European Commission published a proposal for a Regulation of the European Parliament and the Council on “ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology (ICT) cybersecurity certification ("Cybersecurity Act")".

ETSI welcomes the overall objective of the proposed Regulation to “increase EU resilience, enhance its cybersecurity preparedness and avoid fragmentation of certification schemes in the EU”. Nevertheless, ETSI believes that some points should be further elaborated and clarified in the proposed Regulation.

First, the concept and definitions of standards for certification should be clarified and ETSI recommends that the fundamental relationship between standards and certification schemes is unambiguously and explicitly described in the draft Regulation.

Secondly, the new legislative framework should be used as a toolbox and the text modified accordingly to include the clear sequence of *requirements – standards – certification* as well as self-assessment to determine conformity with specific requirements and standards.

The third recommendation is to follow a risk management approach and leave the definition of levels of assurance to market players. ETSI also recommends that Art 45 should be replaced with much higher-level objectives and should avoid technical issues, which are best left to standards to address.

The fourth recommendation says that the text should clarify how the proposed system will interact with existing certification schemes in other Union acts, and how the migration path from current national or SOG-IS MRA certification schemes will be organized.

The last recommendation is for the proposed Regulation to further clarify and specify the processes and governance of the new missions granted to both ENISA and the European Commission.