In her State of the Union 2021 address, European Commission President von der Leyen underlined that the EU should strive to become a leader in cybersecurity, announcing in that context a new European Cyber Resilience Act. The act would add in particular to the existing baseline cybersecurity framework of the Directive on the security of Network and Information Systems and the Cybersecurity Act, and set up streamlined cybersecurity requirements covering a wide range of digital products and their ancillary services. To prepare a legislative proposal, the European Commission published a consultation in which CoESS participated, calling for a risk-based approach establishing cybersecurity requirements along the life-cycle of critical digital products.
CoESS has been engaged in the topic of cybersecurity for several years – notably through the cybersecurity guidelines for the security services and fire alarm industry, which we published together with Euralarm back in 2019.
High levels of cybersecurity in security services and deployed products are key, as highlighted in the document. Against the background of a growing number of high-profile cyberattacks with a global footprint, the annual cost of cybercrime to the global economy in 2020 was estimated to be EUR 5.5 trillion, double that of 2015.
Particularly in the private security services, it is key that manufacturers deliver high-quality products that guarantee a high level of cyber resilience. In case of an incident, it is often the user who carries the highest costs – financially, but also in terms of reputation.
In the consultation that was launched by the European Commission to prepare the EU Cyber Resilience Act, CoESS therefore supported EU action that establishes a risk-based approach to provide high levels of cybersecurity in digital products, higher transparency on qualitative products, and legal certainty along the security chain.
For users of cyber-secure products, such as private security companies, it is particularly useful if transparency is enhanced – e.g. on manufacturer compliance with cybersecurity rules and standards, but also on software updates along the life-cycles of products.
Mandatory measures should be accompanied by increased efforts in the speedy development of harmonised standards in this area, in line with the EU Standardisation Strategy, and by EU public procurement guidelines on how to identify qualitative and compliant digital products – also to guide public buyers towards providers that offer services with high cybersecurity levels that are in line with any EU rules.