Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")

Scrutiny details

Subsidiarity deadline: 07/12/2017
Scrutiny Information

Scrutiny date: 15/12/2017

Subsidiarity Concern:

No Important information to exchange

No Veto

Information on parliamentary scrutiny

Referred to Committees on:

European Union Questions

Agricultural Policy and Consumer Protection
Internal Affairs

Economic Affairs

Lisbon Treaty procedures
  Political Dialogue

15/12/2017 | Scrutiny results - COM20170477

The Bundesrat welcomes the great attention which the Commission pays to the subject of cybersecurity. Greater EU cooperation in improving resilience in the realm of cybersecurity is reasonable. The Commission’s initiative to improve the cybersecurity of IT systems and services by introducing a certification scheme and setting security goals is to be welcomed in general. IT systems, in this respect, should include consumer products for electronic communication, e.g. smart-home products.

The Bundesrat doubts whether the proposal is in accordance with the principles of subsidiarity and proportionality. Proven certification schemes already exist at the national level. Excluding such national systems carries the risk that they can no longer be implemented effectively. Such an infringement on matters of national security is not necessary – instead, a European certification scheme could be supplemented by national measures. The Bundesrat is particularly critical of the fact that member states, according to the proposal, shall only have a right to submit proposals and serve in an advisory function in developing the security certification schemes. The Bundesrat is critical of extending the scope of ENISA’s competencies, in particular when it comes to operative powers towards member states. In any case, it can only be considered once Directive (EU) 2016/1148 is transposed by all member states and once a coherence check for all member states has been conducted.

It should be examined whether privacy provisions could be included in the certification scheme. Furthermore, the creation of a contractual right for consumers to be provided with software updates during the regular lifespan of technical devices should be considered.

Contact points for EU matters

IPEX Correspondents:
Phone: +49 (0) 301 891 00 471  Email Mr. Michael Hoessl