On Friday 8 June, the Council of the EU adopted its negotiating position on the cybersecurity regulation without the support of Hungary, which abstained from the vote. Among stakeholders, the private employers’ federations and the consumers’ association both expressed reservations about the text, on which Parliament will express its views on 19 June.
The project sets the objectives, work and organisational aspects for the EU cybersecurity agency (ENISA) and creates a framework for establishing European cybersecurity certification schemes. The Council’s position, which had already been given the backing of the national ambassadors, takes up the broad outline of the Commission’s proposals.
During a roundtable discussion, many delegations insisted on the importance of giving the agency sufficient resources. Lithuania stressed the ‘operational’ role to be played by ENISA, in other words, ‘on demand’ and ‘completing’ the action of the member states.
Several delegations called for improvements to the text in the interinstitutional negotiations with the European Parliament. Poland, for example, stressed the importance of further work on conditions of conformity and member states’ powers when it comes to defining security conditions, and the United Kingdom stressed the importance of action over products’ lifetime in order to ensure they are safe right from the design stage. The Netherlands was more forceful, regretting that the general approach did not back a certification mechanism or compulsory self-assessment. "We deplore that this is option, because we believe that that will not suffice to deal with threats", said Dutch Infrastructure and Water Management Minister Cora Van Nieuwenhuizen.
Hungary abstained, saying that most parts making up ICT products were manufactured in third countries. "Certification requirements should be adequately detailed and Member States should be provided with effective safeguard tools by having the possibility to challenge the validity of certification in justified cases," explained the delegation.
Reactions
Private employers’ federation BusinessEurope immediately published a press release regretting that industry was not more closely involved in the certification mechanism. It warned against attempts to make the system compulsory, which it says would lead to fragmentation and would not be adapted to future developments.
The European Bureau of Consumer Unions (BEUC) expressed the opposite opinion, deploring the fact that the certification system was only voluntary. It regretted the absence of "minimum cybersecurity demands" for manufacturers, such as security updates or the encryption of objects. The general approach can be found at: https://bit.ly/2kPSEjk. (Original version in French by Sophie Petitjean)