The EU wants to establish European benchmarks for IT security. However, the proposed measures will slow down innovative companies and detach the EU from international cybersecurity efforts, writes Naemi Denz.
Naemi Denz is a member of the executive directorate of the mechanical engineering association VDMA. VDMA represents more than 3,200 member companies in the SME-dominated mechanical and systems engineering industry in Germany and Europe.
Cybersecurity is not only important for citizens, but also for companies. Much has been said about the potential of digitalisation in industry to make production more efficient and customer-friendly. However, the benefits of Industry 4.0 will only be realised if Europe develops a consistent strategy to protect sensitive industrial data and infrastructure from attacks and misuse.
Unfortunately, the Commission’s Cybersecurity Act is anything but a consistent strategy. Though good intentions can’t be denied, the proposal fails to address the needs and concerns of industrial companies.
Moreover, ideas such as certificates for cybersecurity might even limit the EU’s ability to address new cyber threats and risk the danger that future European standards for cybersecurity become detached from those developed elsewhere in the world.
Take for example the mechanical engineering industry I represent. Machines are an integral part of the European economy, no matter if you want to build a car, produce energy or harvest a field.
More and more of these machines produce vast amounts of data, which helps to design production processes in a resource-efficient way. Some of these data contain sensitive insights into how a company operates; they are therefore business secrets that need to be protected.
The EU Cybersecurity Act now rightly suggests establishing a European benchmark for the IT security of products. However, it proposes a completely wrong way to do so: the Commission wants to introduce cybersecurity certificates that indicate a product's level of protection and would most likely be controlled and issued by a third party.
This might be a convenient solution from a political point of view. From a business perspective, it is not, for several reasons.
First, certificates do not provide more security, especially in the business-to-business sector. When a mechanical engineering company sells a machine, it is usually custom-made for a specific client, with defined requirements.
What is necessary to make an investment “cyber-safe” completely depends on the customer’s needs, i.e. what the machine is used for and what kind of data will be transferred. Consequently, a business client would rather rely on contracts with the supplier than a certificate that does not take its specific requirements into account.
The main effect of certificates in a B2B context is that they cost a lot of money. They do not necessarily help business clients in their buying decision but instead bring new business to the private testing industry.
Second, third-party certification is too slow to keep up with the disruptive changes in business that companies face in the digital age. What we would consider as safe today might be outdated tomorrow.
When it comes to formulating concrete security goals and measures, the process should be driven by companies, which are also the driving force behind innovative developments. Public authorities lack the speed and flexibility to hit the moving target of cybersecurity in time.
Certification processes are simply too slow to keep up with the rapid pace of digitalisation. They will delay the launch of products and thereby inhibit innovation by European companies.
Third, the EU must be very careful not to set up a framework that works for Europe but is detached from the cybersecurity efforts of the rest of the world. Today, 40 percent of machinery standards are identical to international IEC standards.
This fact helps European companies trading with third countries, and so will international benchmarks for IT security. But this is only possible if measures of cybersecurity are developed within the framework of standardisation – and not by a European certificate solution.
If concrete requirements for cybersecurity are set by European authorities for the EU alone, we are isolating the continent. In the long run, this will hinder European companies from doing business with the rest of the world.
The push for cybersecurity certificates is indeed unnecessary, since a better system is already in place, for example with respect to requirements concerning worker safety. Here, the EU uses the infrastructure of the New Legislative Framework: lawmakers formulate a general requirement (“The machine must be safe”) and leave it to standardisation bodies to work out what exactly must be done to meet the target of a safe machine.
There are good arguments to also use this tried and tested concept for cybersecurity. It would save companies a lot of time and money if they did not need to run through a certification process but could use available conformity assessments instead, such as the manufacturer’s self-declaration.
Moreover, cooperation between European and international standardisation will limit the danger of differing cybersecurity standards from continent to continent.
The Cybersecurity Act is currently being discussed in the European Parliament. MEPs should be aware that a half-baked certificate solution does not help to prepare Europe’s industry against cyber-attacks – and that the EU can and must do better than the current Cybersecurity Act.