ETSI welcomes the European Commission’s proposed Cybersecurity Act but urges clarification on the definitions of standards and the explicit relationship between standards and certification schemes. The organization recommends that the legislation adopt a risk management approach, leaving assurance levels to market players and avoiding technical details best handled by standards bodies. ETSI also calls for clearer guidance on how the new system will interact with existing certification schemes and how migration from current national or SOG-IS MRA arrangements will be organized. Finally, the position paper suggests that Article 45 be replaced with higher-level objectives and that the governance processes for ENISA and the European Commission be more precisely defined.
Keywords: ENISA, ICT cybersecurity certification, regulatory framework, risk management, standardization