ACT (Association for Competitive Technology), an association representing technological start-ups, published its position on Thursday 25 June on the revision of the Cybersecurity Act 2 (see EUROPE 13790/1). Among its main demands is the need to separate supply chain risk assessments from the eligibility criteria for European cybersecurity certification, which must remain “voluntary”, given “excessive” compliance costs and “very limited benefits for Europe’s cyber-resilience”.
“Supply chain risk assessments should not feed into certification eligibility decisions”, the association states.
Risk-based certification schemes aligned with international standards. Certification schemes should remain based on a risk-based approach and be aligned with recognised international standards, rather than creating requirements specific to the EU. ACT is also calling for the mutual recognition of equivalent certifications issued in trusted third countries, in order to prevent small businesses from being forced to certify the same product several times for different markets.
ICT supply chain security: “realistic” transition periods. It is calling on the co-legislators to reject any amendment introducing eligibility criteria based on companies’ nationality, registered office or ownership structure. According to ACT, non-technical criteria should not be used in certification procedures.
While supporting the objective of strengthening consistency at EU level in ICT supply chain security, ACT calls for “disproportionate” effects to be avoided, particularly for SMEs.
Risk assessments should be “evidence-based and transparent”. Suppliers should be consulted before being designated as high risk, in order to allow them to propose mitigation measures. ACT calls for “realistic” transition periods, because replacing “widely used ICT components” can take “years and in some cases may be technically impossible without scrapping entire systems”.
Furthermore, the association believes that “no retroactive application [should be imposed on] end-products already in the field”. Products already incorporating a component concerned should therefore not be recalled. (Original version in French by Ana Pisonero Hernández)