Five principles to strengthen Europe-wide cyber resilience


By 2022, every German will possess around 9.7 networked devices. If these were hacked by cybercriminals, the potential consequences could be severe: apart from DDoS attacks that could cause an outage of the electricity grid, personal data could be stolen. While German industry is investing in the cyber resilience of products, processes, people and services, 100 percent cybersecurity cannot be guaranteed. BDI proposes five steps to achieve more consistent European cybersecurity regulation.

Smart Home, Smart Mobility and Industry 4.0: from everyday life to mobility and production in factories, ever more areas of our daily life are becoming smarter, i.e. more digital and thus more networked. According to current estimates, the number of networked objects worldwide is expected to rise to 125 billion by 2030. This compares to 27 billion networked objects in 2017. The advancing spread of digital technologies is creating a wide range of new opportunities, both for private as well as commercial user groups. However, digitalisation also poses numerous challenges with regard to safety and security, as well as privacy. These can result in additional risks for each individual’s health and safety, as well as for the environment, the economy and public safety at large.

These risks can be countered by targeted technical, regulatory and behavioural measures (such as security-by-design). German industry is already investing in the cybersecurity of products, processes, people and services. Nevertheless, one hundred percent cybersecurity cannot be achieved, let alone guaranteed. This is especially the case because attack vectors are constantly changing, new vulnerabilities are continually being discovered, and human error can never be completely avoided. From the German industry’s perspective, this makes it all the more important that companies’ efforts to achieve and maintain a high level of cyber resilience through efficient and risk-adequate measures are supported by coherent and risk-based European regulatory approaches.

The current regulatory approach: Towards a regulatory hotchpotch

Currently, both national governments and the European institutions develop legal requirements for products, processes and services to become more cyber resilient. On the national level, the Federal Office for Information Security (BSI) develops technical regulations for specific product groups (e.g. routers). These technical regulations will provide the baseline requirements that all companies will have to implement if they want their products to carry the IT security label soon to be introduced by the second German IT security law.

Against this background, the Cybersecurity Act (EU CSA) entered into force in June 2019. The EU CSA enables the European Network and Information Security Agency (ENISA) to assist the EU Commission in developing cybersecurity certification schemes applicable across the Union. One of the first such schemes will be developed by ENISA in cooperation with industry and Member States for 5G network components. This will be crucial in order to ensure the security of data, services and networks when the new 5G standard is rolled out.

If the current process, in which both national agencies and European institutions develop cybersecurity-related regulations for individual product groups, were to continue, a regulatory hotchpotch would soon exist. This situation would be further aggravated as cybersecurity-related requirements will soon also be introduced in European regulations and directives, such as the Machine Directive.

German industry’s demands for consistent European cyber regulation

Against the background of an increasing fragmentation of the legal requirements for the cybersecurity of products and services, and an increasing need to strengthen the cyber resilience of products, processes, services and systems, German industry advocates the following five principles. They should be taken into account by the EU and national governments in current and upcoming legislative proposals in the area of cybersecurity. Adhering to these principles will help prevent a regulatory hotchpotch of cybersecurity requirements.

  1. Ensure coherent legal requirements to strengthen Europe's cyber resilience while avoiding competitive disadvantages for European companies
  2. Give precedence to European over national unilateral regulatory approaches in order not to endanger the success of the European Single Market
  3. Choose a risk-based approach to ensure adequate and effective protection
  4. Actively integrate European standardisation work according to the principles of the New Legislative Framework (NLF)
  5. Actively involve all stakeholders – from hardware and software manufacturers to commercial operators and private users – to holistically strengthen the cyber resilience of products, processes, systems and services

German industry believes that if these five principles are considered by the EU Commission, the European Parliament and all national governments, companies will be able to more easily implement the respective cybersecurity requirements in their processes.