The proposal for a Cybersecurity Act - a BusinessEurope position paper
- No one-size-fits-all certification scheme can apply to all connected technologies or the risks they face. The certification framework cannot pre-prescribe a list of elements to be included in each scheme.
- Determining and developing schemes requires a bottom-up approach. ICT users and providers aligned with the EU’s strategic cybersecurity interests should be formally included at the earliest stages of each candidate scheme.
- The framework must be voluntary to try, test and understand the benefits and impact of each scheme before determining whether market access rules are required. Schemes should be dynamic to certify the ability to react to new challenges and risks.
- Innovative businesses are increasingly exposed to practices aimed at misappropriating trade secrets and IP. More importance should be placed on exploring other policy avenues necessary to counter industrial intellectual property theft and implementing existing law. Strong encryption is crucial and should be encouraged. We should not (inadvertently) reduce the capabilities of organisations to protect their intellectual property.
- The standards and practices behind each scheme will be crucial. Industry-led technical standards should be developed in an open, transparent and consensus-based manner to forge interoperability in cybersecurity.
- ENISA should be granted a permanent mandate to continue supporting cybersecurity capacity building in Member States.
- The human factor is one of the most significant causes of cyber events in terms of error and threat. The public and private sectors need to increase efforts to highlight the importance of basic cyber-hygiene, attack avoidance, incorporation of “security-by-design” and heightened vigilance in the workplace
What does BusinessEurope aim for?
Encouragement of all players in the value chain to ensure products, services and systems are cybersecure from the earliest stage of the engineering process in a dynamic way. A cybersecurity certification framework that achieves voluntary, robust, industry-relevant and affordable schemes. A one-size fits all scheme cannot apply to the multitude of Internet of Things. Europe should promote the need for general education and awareness of basic cybersecurity to minimise human error in security incidents.