Wide-ranging cooperation and global standards – CSC gave input to the evaluation of the EU Agency for Cybersecurity (ENISA) and EU cybersecurity certification framework
CSC considers cybersecurity one of the key issues of the digital decade and emphasises the importance of ensuring that related EU policies are comprehensive and up to date. Therefore, we welcome the evaluation of the European Union Agency for Cybersecurity and the EU cybersecurity certification framework and urge the Commission to perform the evaluation thoroughly, taking into account input from all relevant stakeholders.
According to the Cybersecurity Act (Regulation (EU) 2019/881) “ENISA shall promote cooperation, including information sharing and coordination at Union level, among Member States, Union institutions, bodies, offices and agencies, and relevant private and public stakeholders on matters related to cybersecurity”. In practice, however, ENISA’s outreach at national level has so far mostly been limited to public stakeholders, i.e. the national CSIRTs designated/established according to Art. 10 of the NIS2 Directive (Directive (EU) 2022/2555). Other CSIRTs have often had to rely on information exchange through commercial actors, many of which are based outside of the EU. To remedy this, ENISA should develop its cooperation with private stakeholders, in the spirit of the Cyber Solidarity Act proposal (COM(2023) 209 final) that seeks to promote further inclusion of the private sector in the efforts to strengthen cybersecurity in Europe.
When it comes to the EU cybersecurity certification scheme, we welcome the work that ENISA has done so far in developing candidate certification schemes, emphasising the participation and support of the ecosystem. When developing European certification schemes, it is of utmost importance to align the schemes with the ones developed at international level (e.g. ISO/IEC 27001) in order to ensure that European companies can compete on global markets.