ETSI releases cautionary statement on proposed Cybersecurity Act
Sophia Antipolis, 7 February 2018
ETSI has just released a position paper on the European Commission's proposal for a Cybersecurity Act (Regulation 2017/0225).
In September 2017, the European Commission published a proposal for a Regulation of the European Parliament and the Council on “ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology (ICT) cybersecurity certification ("Cybersecurity Act")".
ETSI welcomes the overall objective of the proposed Regulation to “increase EU resilience, enhance its cybersecurity preparedness and avoid fragmentation of certification schemes in the EU”. Nevertheless, ETSI believes that some points should be further elaborated and clarified in the proposed Regulation.
First, the concept and definitions of standards for certification should be clarified, and ETSI recommends that the fundamental relationship between standards and certification schemes be unambiguously and explicitly described in the draft Regulation.
Secondly, the new legislative framework should be used as a toolbox, and the text should be modified accordingly to include the clear sequence of *requirements – standards – certification*, as well as self-assessment to determine conformity with specific requirements and standards.
The third recommendation is to follow a risk management approach and leave the definition of levels of assurance to market players. ETSI also recommends that Art. 45 be replaced with much higher-level objectives and avoid technical issues, which are best left to standards to address.
The fourth recommendation is that the text should clarify how the proposed system will interact with existing certification schemes in other Union acts, and how the migration path from current national or SOG-IS MRA certification schemes will be organized.
The last recommendation is for the proposed Regulation to further clarify and specify the processes and governance of the new missions granted to both ENISA and the European Commission.
The full version of the position paper is available on our website.
ETSI provides members with an open, inclusive and collaborative environment to support the timely development, ratification and testing of globally applicable standards for ICT-enabled systems, applications and services across all sectors of industry and society. We are a not-for-profit organization with more than 800 member organizations worldwide, drawn from 66 countries and five continents. Members comprise a diversified pool of large and small private companies, research entities, academia, government and public organizations. ETSI is one of only three bodies officially recognized by the EU as a European Standards Organization (ESO).
For more information please visit: www.etsi.org
Tel: +33 (0)4 92 94 43 35
Mob: +33 (0)6 87 60 84 40