Over the last decades, we’ve seen new technologies, e-services, networks, and information systems emerge and integrate into our daily lives. With networkable products now touching practically every aspect of our lives, cybersecurity becomes an issue across all industries and areas. We now know that deliberate actions intended to disrupt IT services and infrastructures can have devastating impacts on an organization’s operations and functioning.
The EU Cybersecurity Act was developed to respond to the preservation of the Single Market and protection of citizens’ interests. Equipped with a robust framework, the EU and the Member States are in a better global position to combat terrorism and nefarious online activity and safeguard networks and information systems.
According to the IHS Markit research, there will be an estimated 125 billion connected IoT devices globally by 2030. With a rise in the IoT movement comes an increase in cybersecurity attacks. German companies are pushing horizontal cybersecurity requirements based on the New Legislative Framework (NLF) to prevent cyber-criminals activities like business data breaches or electric-grid outages.
The Need for Horizontal Legislation on Cybersecurity
BDI, DIN and DKE call for consistent EU cybersecurity regulation based on the principle of the New Legislative Framework (NLF). The existing measures, security tools, and processes are insufficient as they may lead to regulatory fragmentation. If implemented as they stand, manufacturers of networkable products may discover conflicting and overlapping requirements that may put their cybersecurity at risk.
To effectively enhance cybersecurity, all stakeholders must accept shared responsibility and coordinate when implementing measures. To achieve sufficient protection, manufacturers of networkable products, end-users, and operators must accept the roles they play in maintaining adequate protection. Here are some areas to consider when defining a holistic approach and introducing the proposal to implement horizontal legislation:
- The cybersecurity protection targets should support the principles of the NLF and are defined by law.
- The manufacturer must assume the responsibility of determining the networkable product’s intended application and potential threats associated with its use. It will follow the NLF guidelines on assessing the different risk levels and approaches to mitigate risks.
- The Conformitè Europëenne (CE) Mark. The CE Mark is the EU’s mandatory conformity marking for regulating goods sold within the EU market. The CE marking symbolizes the manufacturer’s compliance with the EU product directives, including the NLF requirements.
- The success of the Single Market relies on the conformity of all stakeholders and compatibility with global standards. The requirements should aim to prevent isolated solutions on a national level to achieve global compatibility.
- The proposed horizontal cybersecurity requirements should act as a bridge and complement the existing cybersecurity requirements of the NLF as defined by the EU Cybersecurity Act.
- Manufacturers should be able to perform conformity assessments by choosing between the EU cybersecurity schemes and harmonised standards.
Directives and other related plans from various product groups are being drafted. The goal is to establish and introduce mandatory, horizontal cybersecurity requirements aligning with the NLF principles by the fourth quarter of 2021.