Agence Europe
Europe Daily Bulletin No. 12059
SECTORAL POLICIES / Digital

European Parliament ready to negotiate on cyber security

The inter-institutional negotiations will be able to go ahead between the European Parliament and the Council of the EU on cyber security legislation. On Tuesday 10 July, the industry committee (ITRE) obtained majority support for the report by Angelika Niebler (EPP, Germany) on the draft regulation and the plenary is not expected to oppose it next September. 

It should be recalled that the draft regulation presented on 13 September grants a permanent mandate to the current European Network Information Security Agency (ENISA). It also establishes European cybersecurity certification schemes for information and communication technology (ICT) products and services and common rules governing European cyber security certification schemes (see EUROPE 11865).

Certification is mainly “voluntary”

The position of the ITRE committee retains the idea of “voluntary” European certification, “except when it is justified by a risk analysis”. In practice, the report from the ITRE committee authorises self-assessment by manufacturers when there is a low risk (“basic” level of assurance) and only compels essential service operators to use certain products, processes or specific certified services (identified by the Commission by delegated act).

These provisions were severely criticised by the European Consumers Office (BEUC). The director-general of the BEUC, Monique Goyens, said that “there are rules to make our cars and food safe but there are no rules for making our connected products secure”. She added that, “it is very disappointing that the EU institutions still appear to underestimate the dimension of the problem and are not prepared to respond to it by imposing design and default security”. Digital Europe, however, which represents the digital technology industry, was delighted by this approach and called on the co-legislators not to reopen the matter during the negotiations. The private employers' federation considers that the use of self-assessment is too restrictive.

EU cyber security agency

The report by Ms Niebler also strengthens the remit of the European Cyber Security Agency (the former ENISA). In the area of certification, for example, the agency will be able to carry out assessments of the procedures for issuing European cybersecurity certificates put in place by conformity assessment bodies, in addition to carrying out independent periodic ex-post checks on the compliance of certified ICT products and services with European cybersecurity certification schemes. At a broader level, the Agency may, on request by the Commission or a member state, conduct regular IT security audits of critical cross-border infrastructures with the objective of identifying possible cybersecurity risks and with a view to making recommendations to strengthen their resilience. Another development: MEPs are suggesting that a Stakeholders Certification Group be created within the agency, as an advisory body, to ensure regular dialogue with the private sector, consumers’ organisations, academia and other relevant stakeholders.

The ITRE committee’s position was adopted by 56 votes in favour with 5 against and 1 abstention and represents the European Parliament’s negotiating mandate, unless it is put to a vote again during the next plenary. If this is not the case, given that the Council adopted its position on 8 June, negotiations are expected to begin after the summer (see EUROPE 12037). (Original version in French by Sophie Petitjean)
