National governments reach breakthrough deal on voluntary cybersecurity certification

Diplomats reached a breakthrough in negotiations and agreed to create a voluntary system to certify the cybersecurity level of technology products. Some MEPs are pushing to make the certification mandatory for certain products.

Diplomats reached a compromise on new cybersecurity rules more quickly and with less controversy than many observers close to the file had expected.

Representatives from national governments have agreed on their version of a bill that will create the first EU-wide system to certify the cybersecurity level of technology products after a few short months of negotiations—and before the European Parliament has voted on the rules. Ministers are expected to rubber-stamp the agreement at a meeting in Luxembourg next week.

The governments’ quick agreement will come as a relief to the European Commission, which is rushing to make good on its promise to broker compromise deals on all of its outstanding digital policy proposals by the end of this year. Fifteen files are still wading through legislative negotiations.

When the Commission first proposed the cybersecurity bill in September 2017, officials had braced themselves for tough discussions with a handful of uncompromising member states. Some countries, led by Germany and France, had voiced concerns that the overhaul could water down their existing national certification standards.

The cybersecurity bill can only go into effect after national diplomats, MEPs and the Commission reach a compromise in three-way negotiations. Those talks will begin after the Parliament votes on its version of the legislation this autumn.

But while a source said the Commission is encouraged by the diplomats’ breakthrough, tech industry groups and MEPs are more wary of how the legislation is shaping up.

“The Council position risks undermining the objective to create a single market for cyber certification,” said Iva Tasheva, a policy manager at DigitalEurope, an association that represents companies including Google and Microsoft.

Tasheva warned against a change introduced by the diplomats’ agreement that will allow national laws to make the EU certification system mandatory, which “may lead to market fragmentation”. That means that some EU countries may require the certification, while others could keep the system voluntary.

Mandatory vs voluntary certification

MEPs are currently divided over whether the law should create mandatory certification for certain types of products. Member states have agreed to keep the system voluntary, sticking to the Commission’s proposal.

Reinhard Bütikofer, a German Green MEP who tabled amendments to make certification mandatory for certain products, called the Council’s agreed version of the legislation “a weak position”.

Bütikofer told EURACTIV that a voluntary system might work for low-risk products, but “where high risks with great impact are concerned, a certification mechanism based on reliable standards must be made mandatory”.

“It is just too dangerous to play trial-and-error with high-risk technologies. That could wreak havoc on entire regions or countries,” he added.

Tech industry lobby groups have pushed back against MEPs’ calls for mandatory certification. They argue that requiring certification tests would be a burden on companies that will be forced to pay some countries’ steep fees and wait several months for approval.

The Commission’s proposal referred to a few stand-out examples of expensive procedures. Germany’s cybersecurity agency charges €1 million to test internet-connected energy meters, according to the EU executive.

Diplomats agreed that companies could skip those expensive, external tests and self-certify their own products—but only to show a low-level security guarantee. Industry groups want the law to allow companies to self-certify a broader range of their products.

Tasheva said that “relying mainly on third-party certification will have a big impact on the time and cost to place a product or service on the market and will limit the access for smaller industry players.”

Little fight over ENISA

Another part of the Commission’s proposal that caused a stir among diplomats and officials working at national cybersecurity agencies was the plan to hand over new powers to ENISA, the Athens-based EU agency. Some national governments are wary of giving the agency too much control over the certification system.

Diplomats are willing to give ENISA more resources—it is one of the smallest EU agencies, with an €11 million annual budget and 84 employees.

But their version of the bill sharpened the Commission’s carefully worded proposal on ENISA’s role.

The agency’s work to help member states develop their own national cybersecurity agencies “should be solely complementary to the own actions taken by member states,” the diplomats insisted.

But several observers of the cybersecurity bill said they expected member states to put up an even tougher fight against the proposal to step up ENISA’s resources and powers.

The agency’s director, Udo Helmbrecht, said after diplomats reached the agreement that “a stronger ENISA with increased resources and functions can only help Europe to address the cyber challenges of today”.

Helmbrecht added that the new certification system’s “harmonised approach across the European Union will stimulate industry and will support the objectives of the digital single market”.
