There is a quote by the former US President Ronald Reagan that best describes the challenge our society is currently facing: “Trust, but verify”. While Europe has welcomed and is facilitating the global digital revolution, the increasing number of cyberattacks demonstrates the vulnerability of our data and the need to protect it.
Billions of devices are connected to the internet and are interacting on a new level and scale. These devices and related services can improve citizens’ lives and our economies.
However, people and organisations will only be fully part of the digital world if they trust digital technologies. Trust requires the Internet of Things - devices, processes and services - to be safe and secure.
As Parliament’s rapporteur on the EU cybersecurity act, I believe that the Commission proposal is a good starting point. It is an important part and tool of the EU’s new cybersecurity strategy, which aims to provide Europe with a long-term vision and to secure confidence in digital technologies. It needs to be considered within the context of the legislation already in place.
My aim is to amend the Commission’s proposal through five key messages. First, we must establish a recognised European system. Some member states have already established high-quality cybersecurity certification schemes, while others still need to catch up. When debating the proposal, we must carefully analyse the role the EU wants to play in European cybersecurity and the role of the member states. How can both political levels cooperate in the best interest of consumers and industry?
I come from a member state with a strong and highly regarded national agency. I acknowledge the fears of German industry representatives that the security level might be lowered and that too many competences might have to be transferred to Brussels.
Therefore, the role and competences of the EU cybersecurity agency, ENISA, must be well defined. We need to set the right framework for ENISA if we want a strong and well-functioning agency. It is important to strengthen ENISA’s role by giving it a permanent mandate and reinforcing its budget and staff. However, we must be cautious when defining that role. It is highly tempting to expand its tasks, but we should not overload ENISA. We need to be realistic.
ENISA’s tasks should continue to include operational cooperation, drawing on the expertise gained under the NIS directive, supporting capacity building in member states and serving as a source of information.
In addition, ENISA should play a stronger role in establishing European certification schemes, without substituting national ones. We need a strong and reliable certification system in place. I am in favour of a clear scope for the proposal, covering not just products but also processes and services across the whole life-cycle. Users need legal certainty. For that reason, it makes sense to have a risk-based approach rather than a one-size-fits-all certification scheme.
This is compatible with a voluntary system, but only for the basic and substantial assurance levels and not for the highest assurance level. At the same time, we need to be aware that the system could become mandatory at a later stage depending on market evolution.
A link to the new legislative framework approach will introduce self-assessment, a cheaper and less burdensome system that has worked well in certain areas. This would give industries and member states that don’t have such a scheme in place at least a minimum of assurance that is also cost-effective.
We need more product information for consumers. I have proposed a mandatory product declaration with structured information on the certification, indicating for example the availability of updates or the interoperability of the certified product, process or service. This would provide the consumer with useful information when choosing a device.
We need to improve the governance of the system if we want all actors to contribute. I believe that we need a more transparent certification process; I therefore suggest an obligation to adopt a multiannual Union work programme that will identify common actions to be undertaken at EU level and priority areas for European certification.
I am strongly in favour of stronger member state participation in the certification process, which could be achieved by putting the member state certification supervisory authorities on equal footing with the Commission in the process of preparing a certification scheme.
Industry’s role can be considerably improved by clarifying the composition of the permanent stakeholder group and by having ENISA establish ad-hoc advisory groups, in order to gain further expertise and know-how from industry and other relevant stakeholders within certification processes.
With these key points I wish to improve Europe’s response to cyberthreats. With its strong industrial base, Europe can become a leading player in cybersecurity. This will enable us to both trust and verify.