All major political groups are expected to get behind amendments requiring the adoption of cybersecurity certification schemes to be rubberstamped by the European Parliament.

The amendment follows the politicisation of the European Cloud Services scheme, where the European Commission tried to introduce highly controversial sovereignty requirements that would exclude non-European providers from large chunks of the EU cloud market.

France was the first to introduce this exclusion of foreign cloud providers in its national scheme SecNumCloud. Commissioner for the Internal Market Thierry Breton tried to replicate this approach at the EU level, but faced strong opposition from more pro-market countries like the Netherlands.

“The discussion on certification schemes was supposed to be technical. Since it has become political, we need to be involved too,” said Bart Groothuis, the centrist MEP who has put the amendment on the table, together with other influential lawmakers in digital policy.

One of the signatories is Andrus Ansip, who was the European Commissioner for the digital single market at the time when the Cybersecurity Act was originally proposed.

Content of amendments

The most consequential amendment consists of turning the adoption of certification schemes under the Cybersecurity Act from an implementing to a delegated act. As a result, the EU Parliament, currently out of the loop, would be empowered to endorse or reject the scheme in full.

Moreover, before adopting the schemes, the Commission should carry out, in collaboration with the EU cybersecurity agency ENISA, an impact assessment, a public consultation and consult with the relevant groups of stakeholders and national representatives.

Finally, when evaluating the certification schemes, the EU executive must also consider the effectiveness of the procedures leading to consultation, preparation and adoption of the certificates.

These amendments are all part of the final compromise amendments for the Managed Security Services proposal, set to be adopted in the Committee on Industry, Research and Energy on Wednesday (25 October).

The proposal is a targeted change of the Cybersecurity Act that the EU executive presented in April as part of a package with the Cyber Solidarity Act, a legislative proposal meant to set up a cyber reserve of trusted contractors that can help respond to large-scale cyber-attacks.

The intent was that the trusted vendors would need to comply with a certification scheme to enter this cyber reserve and receive privileged access to public contracts. However, in so doing, the Commission naïvely offered the flank to those disgruntled by how it managed certification schemes.

In May, Euractiv revealed a new draft of the scheme that proposed including the strictest sovereignty requirements in a new level of assurance. While certification schemes are voluntary, the Commission might make them mandatory for entities considered essential for the EU economy under the revised Networks and Information Systems Directive (NIS2).

This tiered approach was confirmed in a new version of the document circulated in August but still did not manage to put the polemics to rest.

Gaining ground

As a result, the idea of rewriting the rules of the game for cybersecurity certificates has gained ground in the EU Parliament. Following committee adoption this week, Euractiv understands a plenary vote might not even be needed for the interinstitutional negotiations to start.

“Following the ongoing discussion on the cloud certification scheme and to ensure a sustainable growth of the Managed Security Services market in a time of ever-present cyber threats, we want to send a message that the European Parliament wishes to be involved to ensure that the interests of EU citizens are represented in the process,” Josianne Cutajar, the centre-left MEP leading on the file, told Euractiv.

However, support for the Groothuis amendment should not be mistaken for an all-out opposition to the sovereignty requirements in the cloud scheme. For several MEPs, it is more a matter of how the EU executive has pushed the scheme than its content.

“We share the view that this issue has become political, so we want the European Parliament to have a say,” centre-right lawmaker Angelika Niebler said.

Conversely, Groothuis wants to go one step further, stating that this initiative also sets a precedent: “If you abuse a delegated power, the Parliament will take it away from you.”

For the Dutch lawmaker, ENISA and the Commission should withdraw their sovereignty requirements from the cloud scheme.

The EU Parliament and Council tend to bicker around whether secondary legislation should be an implementing or delegated act. However, in this case, the MEPs’ text might find support in the coalition of countries who have so far opposed the Commission’s approach.

The Commission is due to review the Cybersecurity Act by June 2024 officially.

[Edited by Nathalie Weatherald]

Source: Euractiv.com