A legal proposal to overhaul the EU’s cybersecurity rules passed a major hurdle on Tuesday (10 July) as the European Parliament’s Industry Committee (ITRE) approved a plan to create a voluntary system for certifying the security level of technology products.
The bill sharpens measures in a European Commission proposal from last September to set up the first EU-wide labelling scheme to measure cybersecurity standards of items sold in EU countries.
Angelika Niebler, the German centre-right MEP who authored the committee’s report, said after the vote that the legislation would “increase consumers’ trust in internet-connected products and IT solutions”.
“We have a strong industrial base in Europe and working on improving cybersecurity with regard to consumer goods, industrial applications and critical infrastructure is of the utmost importance,” she added.
A total of 56 MEPs voted in favour of the legislation, five voted against it and one abstained.
The Parliament report adds measures that make the certification mandatory for so-called critical infrastructure, including energy grids, water and energy supplies and banking systems. The Commission’s original proposal does not require certification for any products.
National diplomats already approved an identical version of the bill last month. Negotiations between the Parliament, member states and the Commission can begin now that the ITRE Committee has rubber-stamped the proposal. The law can only go into effect after the three institutions agree on a compromise draft.
Industry groups have been wary of the plan for EU-wide cybersecurity certification. Some EU countries already have their own national systems, but companies argued that a broader version that applies in all 28 member states could be too rigid.
MEPs in the ITRE Committee voted to allow companies to “self-certify” their products if they meet basic security requirements—meaning that they can bypass tests in private labs that can be expensive and time consuming. Industry lobbyists had pushed for the legislation to allow companies to self-certify an even broader range of products.
“Self-declaration of conformity must be more commonly accepted as it works well in practice,” said Cecilia Bonefeld-Dahl, director general of Digital Europe, an association that represents tech companies including Google and Microsoft.
Thomas Boué, director general for Europe policy at the trade group Business Software Alliance, said, “today’s marketplace requires fewer fixed assurance levels and rigid technical requirements”.
Commission officials who drafted the 2017 proposal have argued that it is necessary to iron out differences between EU countries’ national certification policies.
The EU proposal even names the different costs of cybersecurity tests for internet-connected smart energy grids in Germany, France and the UK. Germany’s cybersecurity agency charges €1 million for those tests, according to the Commission proposal.
Under the draft legislation, companies could pay to have a product approved in one country and then sell it in all EU member states. That could save them from paying for separate tests in every country where firms sell their products.
But consumer groups and some left-wing MEPs were defeated in their campaign to make the certification rules mandatory.
“There are rules to make our cars safe. There are rules to make our food safe. But there are no rules to make connected products safe and secure. It is very disappointing that the EU institutions still seem to underestimate the dimension of the problem and are unwilling to address it by mandating security by design and default,” said Monique Goyens, director general of the European Consumer Organisation.
The committee’s version of the bill also includes changes to the Commission proposal that would encourage EU countries to set up a procedure for hackers to identify security weaknesses in companies or governments’ software without facing potential legal threats for accessing private computer systems.
MEPs have pushed for an EU-wide system that might make it easier for cybersecurity researchers from different countries to expose flaws in software.
A number of government agencies in the United States already have such systems in place, but so far, France, the Netherlands and Lithuania are the only EU countries that have established the so-called cybersecurity vulnerability disclosure procedures. The idea appears to be gaining traction: another 13 member states are currently discussing plans to create similar national rules, according to a report that was published earlier this month by the think tank CEPS.
The ITRE Committee’s version of the cybersecurity bill would encourage countries to nail down their own policies on how researchers should expose vulnerabilities. Some industry sources said that the legislation should identify one common procedure that applies across the bloc.
“A Dutch researcher who finds a vulnerability in Spanish software should not be treated differently from a Spaniard who reveals a weak spot in Dutch software,” Dutch Liberal MEP Marietje Schaake said when the CEPS report was published.
MEPs also backed the Commission’s proposal to give more power and an increased budget to the EU cybersecurity agency ENISA, which is based in Athens and Crete.
ENISA is one of the smallest EU agencies and would see its €11 million annual budget and staff of 84 employees grow if the bill is approved. The legislation would also allow the agency to move some of its experts into a shared response unit with other EU institutions in Brussels. ENISA director Udo Helmbrecht told EURACTIV last month that the Brussels office should eventually have enough manpower to operate around the clock and respond to major cybersecurity crises like the massive WannaCry and NotPetya attacks in 2017.