In a working document dated Monday 13 April and made available to Agence Europe, a number of member countries comment on the first half of the new revised text of the ‘Cybersecurity Act’, presented by the European Commission last January (see EUROPE 13790/1).
At this stage, there is no feedback on the most sensitive part of the Act, i.e. the potential exclusion of certain suppliers or equipment manufacturers in the European telecommunications sector who are deemed to pose a risk to the Union’s sovereignty and integrity (see EUROPE 13850/8).
The countries in question focus their comments on the part of the Act that strengthens ENISA’s prerogatives (see EUROPE 13788/1).
A number of countries, including France, Finland, and the Netherlands, are cautious about ENISA’s revised mandate, which they consider to be “too broad” and to “add no value”. Others, such as Romania and Italy, are concerned about the possible “risk of tensions with national authorities responsible for cybersecurity”, who could see ENISA’s renewed mandate as an “attack on national sovereignty”.
“There is strong opposition to the introduction of any instrument that could, even at the level of perception, overlap the role of ENISA and that of the national competent authorities”, writes the Italian government, proposing the introduction of a “general safeguard clause enshrining the principle of direct operational non-involvement” of ENISA.
There is also widespread criticism of the Commission’s proposal that each member country should appoint two “liaison officers” to support the national experts already in place at ENISA. “Requiring Member States to hand over existing capacities is a major challenge”, notes Belgium.
Other countries note the lack of national resources to have the freedom to do without several experts, both technically and financially.
On the sensitive issue of ‘cybersecurity certification schemes’, Spain is proposing a number of amendments to ensure recognition of National Schemes and the national expertise developed through these schemes, as long as they meet European standards.
This desire is shared by France, which has always fought for its own ‘SecNumCloud’ scheme to be recognised at European level, or, failing that, for European schemes to adopt very strict security and sovereignty guarantees, particularly in terms of protection against the extraterritoriality of certain foreign laws (see EUROPE 13788/1). (Original version in French by Isalia Stieffatre)