EU-wide cybersecurity regulation
A horizontal European IT security approach that involves standardization is needed.
BDI, DIN and DKE call for consistent EU cybersecurity regulation based on the principle of the New Legislative Framework (NLF) in order to maintain international competitiveness. The CE mark must also stand for cybersecurity.
In a joint position paper entitled "EU-wide Cybersecurity Requirements", the Federation of German Industries (BDI) and the German national standards organizations DIN and DKE call for the introduction of mandatory, horizontal cybersecurity requirements at European level, based on the principles of the New Legislative Framework (NLF). Under the NLF principle, legislators restrict themselves in legal texts to formulating essential requirements and protection targets, and refer to harmonized European standards (hEN) to make these requirements and targets more concrete. This enables flexible legislation that takes into account the dynamic development of the IT sector and is based on the state of the art.
This principle of the NLF has proven itself for several decades and is the basis for the continuous improvement of product safety on the European Internal Market. Standardization brings together the knowledge of all stakeholders. Documents drawn up on the basis of consensus are regularly reviewed and adapted to the state of the art. In this way, standards meet the complex challenge of achieving secure solutions with international competitiveness and connectivity. If the hENs listed for a European legal act in the EU Official Journal are complied with, it is assumed that the requirements of the legal act are met (presumption of conformity). Through the interaction of standardization, conformity assessment, certification and market surveillance under the New Legislative Framework, the CE mark is an anchor of trust for private and commercial customers alike.
As part of its cybersecurity strategy, the European Commission has announced that it will present a legislative proposal for cybersecurity requirements for connectable products in the second half of 2021. Moreover, the EU Council of Ministers supports such a regulatory approach in its Council Conclusions on the cybersecurity of connected devices of December 2, 2020.
With this joint position paper, BDI, DIN and DKE present a proposal for extending to the digital space the effective and successful alliance between government and industry in the area of security: the introduction of a horizontal EU legislative act under the New Legislative Framework. This must not conflict with the Cybersecurity Act (CSA) that is already in place. Rather, coherent cybersecurity requirements for the products covered can and must be realized through the combination of the two pieces of legislation. For product groups for which a voluntary cybersecurity certification scheme has been developed based on the CSA, that scheme could also be used to demonstrate compliance with the horizontal cybersecurity requirements of the NLF Act. However, should there be inconsistencies in the requirements, the NLF regulatory act would have to take precedence. Even though the manufacturer can only use the presumption of conformity directly via harmonized European standards, under this model the application of a CSA scheme as part of a conformity assessment procedure leads to the fulfilment of the NLF regulatory act and thus provides a “bridge” between CSA and NLF regulation.