European cybersecurity must be strengthened by building on existing international standards: CSC comments on the proposal for an EU Cyber Resilience Act


CSC considers cybersecurity one of the key issues of the digital decade and sees the Cyber Resilience Act as a welcome addition to the EU regulatory framework on this subject. Cybersecurity regulation must be effective but proportionate, and must build on a risk-based approach. The governance model created by the Cyber Resilience Act must be based on existing international standards and cover the entire lifecycle of digital products and solutions.

The statement in full:

CSC considers cybersecurity one of the key issues of the digital decade and welcomes the Commission's intention to complement the related European regulatory framework with a Cyber Resilience Act. In our view, the proposal adequately recognises the cybersecurity risks of digital products and solutions, based on well-established international best security practices, and proposes a justified and comprehensive governance mechanism. We particularly appreciate the attempt to address cybersecurity risks throughout the product's lifecycle, as this has so far been done inadequately, which has left users without trustworthy and up-to-date information on the information security vulnerabilities of products and solutions.

Cybersecurity regulation in general, and the Cyber Resilience Act in particular, must be effective without hampering the cost-efficiency and usability of products and solutions or the competitiveness of companies. In particular, regulation must avoid creating unreasonable obligations for innovative European start-up companies, which face tough competition in terms of time-to-market. A risk-based approach must be adopted, setting the security requirements according to the criticality of the product or solution, so that the burden on the developers of non-critical products and solutions is as light as possible.

The governance mechanism for the cybersecurity of digital products and solutions must be based on existing international information security standards and on information security certifications based on accredited audit practices (e.g. ISO/IEC 27001), as well as on penetration testing procedures and frameworks (e.g. OWASP Top 10). The procedures and measures must ensure cybersecurity throughout the lifecycle of the product or solution, including product development, product support and updates, customer service and after-sales service.

With cybersecurity more relevant than ever, it is essential to ensure that it is governed by an efficient and effective regulatory framework that is up to date and fit for purpose. It is particularly important to develop legislation at EU and national level in a coordinated manner, so that regulation does not contain inconsistencies, overlaps or loopholes. Regulation must avoid creating excessive administrative burden or barriers to the development of the digital single market.