The EC published a proposal to the European Parliament and the Council on “ENISA, the ‘EU Cybersecurity Agency’, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology (ICT) cybersecurity certification (‘Cybersecurity Act’)” in September 2017.
The overall proposal is welcomed by ETSI with a note of caution and a request for further clarification. The standards body is in favour of the overall objective of the regulation, to “increase EU resilience, enhance its cybersecurity preparedness and avoid fragmentation of certification schemes in the EU”, but wants more information on the details of the regulation.
ETSI wants a clarification of the concept and definitions of standards for certification and recommends that the relationship between standards and certification schemes be explicitly described in the draft regulation.
Further, ETSI would like the regulation to be used as a toolbox and the text changed to lay out a clear sequence of “requirements – standards – certification”, and the steps detailed for self-assessment of conformity with the specific requirements and standards.
ETSI also recommends that the regulation follow a risk management approach and let market players define those levels, as well as replacing article 45 with higher-level objectives, leaving technical issues to standards. Next, the standards body wants clarification of how the text would interact with existing certification schemes and a clear migration path from the current national or SOG-IS MRA certification schemes. Finally, ETSI would like clarification and specification of the new missions granted to both ENISA and the European Commission.