EUROSMART

Eurosmart is a trade association representing the European digital security and smart device industry.

Lobbying Activity

Eurosmart Urges Alignment and Modularity in Cyber Resilience Rules

23 Jan 2023
Message — The association calls for aligning requirements with existing laws to reduce over-regulation and market confusion. They suggest a modular approach allowing manufacturers to reuse existing security certifications for product components. They also recommend a 72-hour window for manufacturers to report cyber incidents.
Why — Streamlined assessments would reduce compliance expenses and speed up product delivery to markets.
Impact — Non-EU assessment bodies would lose business from requests for evaluations within European territory.

Eurosmart demands trade secret protections in digital liability rules

9 Dec 2022
Message — Eurosmart recommends refining provisions for evidence disclosure to provide more legal certainty. They argue that confidential information and trade secrets must be better protected.
Why — Stronger protections would prevent competitors from accessing sensitive data through liability claims.
Impact — Injured consumers may struggle to prove defects if evidence access is strictly limited.

Response to Digitalisation of travel documents and facilitation of travel

6 Oct 2022

Eurosmart is pleased to submit the attached feedback. Digital travel documents have the potential to make travelling much easier and smoother for EU citizens. For this reason, Eurosmart would favour a legislative act that lays down obligatory digitalisation of travel documents and facilitation of travel (options 5 and 6). A legislative act based on option 5 would allow all EU citizens to benefit from the usage of Digital Travel Credentials (DTC) when travelling in/via the EU Member States, as well as in all other countries supporting DTCs in conformance with the upcoming ICAO specifications. Eurosmart also recommends exploring option 6.

Response to Digitalisation of visa procedures

24 Jun 2022

Eurosmart is pleased to submit the attached feedback.

Response to Cyber Resilience Act

25 May 2022

Eurosmart fully supports the CRA general objective but would recommend a scalable approach for both hardware and software products. The CRA should clearly define the type of products falling under its scope since the market access and market surveillance rules are closely bound with liability. A clear definition of cybersecurity is missing: the resistance of a given product to potential attacks cannot be guaranteed through a functional approach. Moreover, the current NLF has been designed to address functional security requirements only, which do not cover the full spectrum of cybersecurity. Therefore, additional security elements must be considered, such as resistance to potential attack, vulnerability disclosure, patch management and other mitigation measures. To achieve this goal, and in addition to the NLF conformity framework, the European cybersecurity certification framework should be used. From this stance, the CRA cannot avoid developing new functional security standards alongside certification methodology to concretely assess the cybersecurity level of the digital products placed on the market.

Response to Amendment to the Regulation (EU) No 1025/2012 European standardisation

1 Apr 2022

The Digital security industry represented by Eurosmart welcomes such an initiative; Europe's standardisation approach is of utmost importance for the efficiency of the digital single market. European standardisation is clearly challenged by the increasing evolution and innovation pace of ICT products, services, and processes. Digitalisation is increasing in innovation towards connected devices and is no longer limited to information and computer technology platforms, e.g. connected cars, digitalised infrastructure, automated factories, etc. In the field of digital technologies, as is the case of digital identities, digital payments and other digital services, all part of a service-oriented economy, standards are faced with the challenge of the rapid evolution of the technology itself. By nature, digital technology grows exponentially. This has deep implications in the field of cyber security standardization: to develop standards applicable to cyber security, as well as their maintenance, requires specific knowhow that goes beyond individual expertise. It requires dialogue and contributions from different stakeholders, especially those closer to the technologies and applications in need of standards. Such a construct is difficult, if not impossible, at NSBs when taking into consideration the shortage of resources in the field of cyber security worldwide, and the importance of the state-of-the-art knowhow required for this task. Eurosmart expects this renewed standardisation approach will complement the current initiatives to place cyber resilience at the heart of the market access and market surveillance principles. The digital security industry encourages the Commission to further develop several aspects:
1. On the necessary involvement of private organisations and balanced representativeness
2. Assess the impact of EN standards development on harmonised standards adoption
3. Processes for the maintenance of adopted harmonised European standards

Meeting with Alejandro Cainzos (Cabinet of Executive Vice-President Margrethe Vestager), Alina-Stefania Ujupan (Cabinet of Executive Vice-President Margrethe Vestager), Pierre-Arnaud Proux (Cabinet of Executive Vice-President Margrethe Vestager)

24 Nov 2021 · (Meeting with Leti, part of Eurosmart) Topic: semiconductors

Response to European Digital Identity (EUid)

2 Sept 2021

Eurosmart, the Voice of the Digital Security Industry, would like to thank the European Commission for the opportunity to comment on the proposal for a Regulation establishing a framework for a European Digital Identity. Our recommendations can be found in the attached document.

Response to Smartwatches and connected toys

27 Aug 2021

EUROSMART welcomes the latest draft of the DA, proposed with the intention and in the context to ensure that RF electronics are trustworthy in safeguarding against cybersecurity hacks and fraud and in safeguarding privacy. This reinforced the message of the Commission to address cybersecurity risks in all connected products and associated services and throughout their entire lifecycle, as defined in the December 2020 Joint Communication on the "EU's Cybersecurity Strategy for the Digital Decade". In this Communication, the Commission announced considering a comprehensive approach, including possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market. Eurosmart wants to bring to the attention of the Commission a number of areas where we believe there is a need for further improvement or clarifications within the draft DA.

Response to Requirements for Artificial Intelligence

29 Jul 2021

Eurosmart, the Voice of the Digital Security Industry, welcomes the Commission’s proposal for an Artificial Intelligence (AI) Act. Our association has been advocating for years for EU requirements covering AI systems. Eurosmart would like to comment on the following items (each of them is further detailed in the attached file):
• Definition of AI systems: The current definition of an AI system is very narrow as it covers only software and not hardware. In addition, the list of techniques mentioned in Annex I covers technologies that would not usually be considered AI (e.g. traditional data analysis tools).
• Cybersecurity certification: Eurosmart calls on the European Commission to request ENISA to prepare European cybersecurity schemes for AI. Genuineness of data, access rights, security of supply chain, and cross-industry relations are elements to consider.
• Predictability: Standards and technical specifications must be clear regarding the necessary threshold of predictability. It is important to fund research projects in this area.
• Standards: Eurosmart enjoins the European Commission to issue a standardisation request to European Standardisation Organisations (CEN-CENELEC and ETSI) to support the AI Act.
• GDPR certification: There is currently no solution to GDPR-certify a device. Operational and technical requirements are missing for GDPR certification.
• Auditability of data: Access to source code for auditability of data must be strictly regulated.
• Data sharing: Eurosmart supports the current initiatives to foster data sharing, such as the Data Governance Act. Data sharing should take the aging process into account.
• Risk-based approach: Clear guidelines are needed to help manufacturers know whether their products fall within the high-risk category. Personal authentication systems should not fall within this category.
• Diverted/non-intended use of AI systems: Eurosmart enjoins the European Commission to consider situations whereby the initial intended use of an AI system is diverted to another use that falls into the high-risk or banned categories.
• Real-time biometric identification in publicly accessible spaces: Eurosmart questions allowing for private companies a use case that is prohibited for public authorities.
• Competitiveness: The EU needs its own structure to certify algorithms. It should also put the emphasis on an AI trust mark so that the AI Act becomes a competitive advantage and not an obstacle to export.
Please find below Eurosmart’s detailed feedback on the AI Act.

Response to Legislative framework for the governance of common European data spaces

29 Jan 2021

Eurosmart, the Voice of the Digital Security Industry, welcomes the Commission’s proposal for a Data Governance Act. This proposal is instrumental to develop the European research and industry in the field of AI. Ultimately, it should strengthen Europe’s AI value chain, and hence its strategic autonomy. However, Eurosmart has a few recommendations to improve the content of the proposed legislation.

Recommendation 1: Focus on Europe’s sovereignty
The proposal, as it stands today, does not sufficiently ensure that the measures will mainly benefit European companies and research organisations. AI is a key technology, and it is crucial to give priority to the development of a flourishing AI ecosystem in the EU. Otherwise, Europe relies on imported technologies and weakens its sovereignty. Therefore, Eurosmart recommends:
• limiting access to public sector bodies’ data to European-based entities. This would ensure that European organisations exclusively benefit from this data to develop their AI products and services.
• introducing an obligation for providers of data sharing services to be established in the EU,
• requesting the data processing to take place in the EU territory, especially for public sector bodies’ data,
• favouring the participation of European companies in the work of the European Data Innovation Board.
Likewise, Eurosmart recommends limiting access to European-based companies in future proposals on common data spaces.

Recommendation 2: Security and consistency with NIS 2
Eurosmart believes that storage, processing and transmission of data must comply with minimum security requirements. This is not only a matter of security, but also privacy and (again) sovereignty. Chapter II of the proposal should be more explicit regarding the security requirements. The data at stake is protected on various grounds and can play a crucial role in the development of AI technologies. Therefore, minimum security requirements should always apply to the processing of such data, no matter what the public body prescribes. Public bodies might not always be fully familiar with cybersecurity aspects and hence underestimate the need for security. Article 11 (chapter III) of the proposal does lay down security requirements applying to all cases. It requires providers of data sharing services to ensure a “high level of security for the storage and transmission of non-personal data”. Eurosmart welcomes this point but this paragraph should also mention the use of cryptography and encryption, as these measures are essential to ensure data confidentiality. Additionally, the proposal should mention the possibility to security certify products and services via a European cybersecurity scheme (pursuant to the Cybersecurity Act). Last but not least, Eurosmart would like to point out that the current version of the proposal does not refer to the Directive on security of network and information systems (NIS). The European Commission recently issued a proposal for a revision of the Directive (NIS 2). Eurosmart believes that it is essential to coordinate these two initiatives for the sake of legal clarity. In NIS 2, digital infrastructures, including cloud services and data centres, are considered essential entities, meaning that they must take appropriate security measures. Are providers of data sharing services to be considered essential entities in the meaning of NIS 2?

Recommendation 3: Create an AI Competence Centre
Eurosmart drafted a paper to advocate for the creation of an AI Competence Centre (see attached). This Centre could determine R&I priorities for Europe in the field of AI. The common data spaces should be coordinated with these priorities. Among other missions, this new structure could act as a trusted proxy between, on the one hand, the European research and industry, and on the other hand, European entities holding sensitive data. Such a structure would complement the DGA proposal.

Response to European Digital Identity (EUid)

3 Sept 2020

Option 1: Eurosmart supports option 1 as a necessary step to consolidate the eIDAS framework. Further enhancements and extended usages of eIDs under eIDAS should be fostered. In particular, deeper harmonisation of certifications will bring more confidence and trust to stakeholders. This will also clarify the eIDAS security requirements and Levels of Assurance (LoAs). The recent adoption of the Cybersecurity Act and the coming EU CC scheme can support a smooth harmonisation.

Option 2: The use of eIDAS solutions by private actors could be an incentive to boost the European Digital Single Market. However, the approach proposed in option 2 may damage the current electronic identification framework as provided by chapter II of the Regulation. The system has been designed for Sovereign eIDs only. Sovereign eIDs are assets that the private sector could advantageously leverage on to develop its own identification frameworks. Eurosmart strongly believes that eIDAS should not be revised but complemented: option 1 should be favoured. However, as stated by the European Commission in its inception impact assessment, private actors can make better use of eID solutions. Typically, if banks were given the capability to rely on national eID solutions to implement strong digital ID verification, this would bring trust and convenience to their KYC procedures. Better synergies between the eIDAS Regulation and AML and PSD2 directives would accelerate the deployment of national eID solutions at assurance level “High” and would stimulate their adoption by private actors. In addition, Eurosmart recommends to the Commission not to limit the revision to option 1, but to combine option 1 with another legislative act establishing a complementary framework for:
• private eIDs and attribute providers;
• private services (also called relying parties) accepting them.
Furthermore, to strengthen harmonisation, Eurosmart recommends to the Commission to opt for a regulation rather than a directive. This approach is an alternative to option 2 as currently envisioned in the impact assessment. Through this dedicated regulation, the Commission should give a mandate to the European standardisation organisations (ESOs) to define all the necessary harmonised standards, such as standards for the reuse of notified eID schemes by the private sector. In addition, this regulation should identify or request the development of a European Certification Scheme, under the Cybersecurity Act, when it comes to the evaluation of private eID schemes. This new framework could be adopted through a new proposal for a regulation based on eIDAS. This approach should consider dedicated rules and procedures for data privacy, identity and attribute proofing; and should require harmonised standards. Such a framework will create market incentives for the use of eID schemes. It will provide the necessary means to ensure a clear legal framework and the legal certainty that relying parties need. Eurosmart proposes 9 recommendations as listed hereunder (pages 6-12 of the attached document).

Option 3: The EUid could quickly be achieved with a European label on national eIDs notified by Member States.

Response to Revision of the NIS Directive

13 Aug 2020

The NIS Directive has been instrumental in increasing the cyber-resilience of the EU. As the first piece of legislation concerning EU-wide cybersecurity, the NIS Directive is the acknowledgment that incidents in one Member State can have significant cross-border impacts, hence requiring a common level of cybersecurity throughout the EU. The revision of the NIS Directive, together with the other EU cybersecurity initiatives, is an opportunity to foster Europe’s Digital Sovereignty. The deadline for transposition of the NIS Directive dates back two years (9 May 2018), but there are already elements pointing towards a need for amendments. This is the case for the identification process of Operators of Essential Services (OES), but also the lack of identification of Digital Service Providers (DSPs). There are also vital sectors for society which are currently not included in the NIS Directive (eGovernment, telecommunications etc.). Finally, compliance with the NIS security requirements would be strongly enhanced with a mandatory certification of security products used by OES and DSPs. Eurosmart calls for a revision of the NIS Directive that would repeal the current Directive and lead to the adoption of a NIS Regulation. The adoption of a regulation would foster harmonisation across the EU and hence resolve fragmentation issues, such as different sets of security requirements and diverging identification methods. However, the functioning of the NIS cooperation group should be maintained. In addition, the decisions and technical documents of the NIS cooperation group should be translated into legally binding documents. Eurosmart believes that the revision of the NIS Directive should take into account the following points:
- Harmonised identification of OES and DSPs
- Enlargement of the scope of the Directive:
  * Enlargement of the list of essential services
  * Enlargement of the list of digital services
  * Mandatory certification
- New security requirements:
  * Supply chain security
  * Digital infrastructures
  * Security of 5G and mobile network

Response to Report on the Application of the eIDAS Regulation

25 Oct 2019

The recommendations supported by Eurosmart do not require any recast of the eIDAS regulation. The approach adopted deserves enough time to harmonise national models fully. eIDAS, as a valuable milestone of the European Digital Single Market, would benefit from technical optimisations which could be translated into delegated acts and necessary European standards. Amongst the elements to be improved, Eurosmart has identified the following priorities:
- Standardisation and harmonisation by creating a conformity assessment scheme based on ETSI EN 319 403
- Organisational by enabling a peer-review system for CABs; ENISA can be the peer-review organisation.
- Influence by enhancing eIDAS’ solutions towards W3C through the ESOs and the European Commission. In addition to this, to request the web browser providers to integrate QWAC.
- Diplomatic by promoting the eIDAS model towards EU’s partners (Japan, South Korea, US, Brazil, Canada, Africa, Middle East and Latin America).
(See attached document)

Response to Driving licence legislation ex-post evaluation

9 Sept 2019

Eurosmart, the voice of the digital security industry, represents, amongst others, manufacturers of secure elements, semiconductors, smart cards and secure software. Eurosmart and its members are fully committed to achieving the highest level of trust and security in the fields of physical and digital ID documents. The evaluation conducted by the European Commission aims at assessing whether the specific objectives of the Directive 2006/126/EC have been achieved. Eurosmart would like to provide its feedback on the security of the driving licence document and progress to be achieved with regards to digitalisation and citizens’ mobility requirements.

Strengthen the security features for driving licence document
The third Driving Licence Directive from 2006 imposes a common standard format and security features. In several EU Member States where the ID card is voluntary, the driving licence can take over the function of the ID card. In other words, the driving licence may be used to prove the identity of an individual. The new regulation on strengthening the security of ID cards and of residence documents, which was adopted in 2019, introduces harmonised and stronger security for ID cards to reduce identity fraud. Hence, the security level of ID documents (driving licences, ID cards and residence documents) should be aligned and equal. A secure element (chip) should be at least recommended for the uniform format for the European driving licence. This option would align the security level of the driving licence with the ID card. The annexe 1 of the 2006 directive mentioning the provisions related to the EU driving licence model should be updated accordingly. Technical specifications should be in accordance with ISO/IEC 18013 standards in parallel with European specifications. These security enhancements, which are similar to the EU ID card security features, will allow effective controls of the driving licence across the European Union. For instance, national authorities will be able to swiftly control driving licences issued by another Member State with a high level of confidence, thereby facilitating control procedures and strengthening security throughout the European Union. It is as well a key opportunity for Member States which recognised the driving licence as a proof of identity to reduce the risk of fraud or counterfeiting.

Evaluation and assurance level
To ensure consistency with other legislation (e.g. eTachograph regulation EC/2135/1998, Identity Card and residence document 2006/126/EC) the driving licence secure element (chip) must be certified against the EAL4+ evaluation assurance level. A step further can be achieved towards digitalisation of the driving licence to encourage European citizens’ mobility. A mobile application as “companion” could be used for the dematerialised driving licence and should benefit from the same legal value. The security level of the mobile application should be comparable to physical documents. Therefore, Eurosmart recommends the certification of the mobile application within the SOG-IS framework reaching the VAN3

Response to European Partnership for Smart Networks and Services

27 Aug 2019

A European Partnership for the emergence of European global leaders in innovation

Communication systems, secure solutions, and networks shall gather forces to define, implement and deploy smart networks and services. The need in R&I to develop a smart network for the future is more than significant and should contribute to the definition of a comprehensive EU Cybersecurity digital strategy. This could lead to the emergence of European global leaders in innovation that will be world leaders in their respective fields. This will require focusing investment on competitive advantages for the market uptake of European demand-oriented solutions. For these reasons, Eurosmart supports option 2b: an institutionalized partnership based on Article 187 TFEU with the support of the Member States. Meanwhile, this option should not lead to a cluster of few involved parties but engage with the whole value-chains for 5G, Industrial IoT and automotive. Besides, coordination amongst the Member States should be ensured to allow a convergence of the defined projects and strategies. Eurosmart would like to focus on several topics to be tackled to support smart networks and services:
- Enabling trustworthy 5G connectivity infrastructure and applications
- The next generation EU framework for PKI infrastructure
- European root DNS for critical infrastructures

Response to European Partnership for Key Digital Technologies

27 Aug 2019

A joint undertaking to support the European Partnership for KDTs

The key aim of the European Partnership for Key Digital Technologies is to bring together the European fragmented ecosystem for Electronic Components, System community and more generally the European digital manufacturers and service providers. This new European partnership shall leverage on the achievements in terms of governance and projects of the Joint-undertaking on electronics and component systems for European leadership (ECSEL) and shall widen its scope to address the whole European digital value chain. When it comes to cybersecurity and digital security, which are the core topics of Eurosmart, we recommend fully implementing the priorities identified by the Strategic Forum for Important Projects of Common European Interests (IPCEIs). These recommendations are of overriding importance to make the EU a global leader in key areas of Cybersecurity. European Key Digital Technologies must rely on a holistic and integrated approach to Cybersecurity. Eurosmart strongly believes that Cybersecurity, thanks to the unique European know-how in this field, can make Europe compete on the digital global stage.

Response to Smartwatches and connected toys

4 Mar 2019

Eurosmart, the voice of the digital security industry, welcomes the European Commission (DG GROW) proposal to strengthen the security approach of internet-connected radio equipment and wearable radio equipment. Reaching a trustworthy and secure IoT market is paramount for the achievement of the European Digital Single Market. By 2025, the projected IoT connections are expected to exceed the threshold of 25 billion units. In the meantime, consumer IoT devices will account for over half of these connections. However, Europe will only represent the 3rd IoT market with 4.9 billion units, far behind the Asia-Pacific (10.9 billion units) and the U.S.-Canada ones (5.8 billion units). In this context the challenge for Europe is to place on the market consumer IoT devices which have not been specifically designed for its own market, but which respect the European philosophy and exigences in terms of security, privacy and safety. Throughout the evolution of the Digital Single Market, Eurosmart has been advocating for the strengthening of digital security as an essential precondition for consumer confidence and the European digital industry growth in a global market where Europe doesn’t hold the balance of power. Hence, in this context, Eurosmart and its members pay particular attention to the security of the IoT devices placed on the European market, which must respect our fundamental values of data privacy and resistance to potential attacks (Cybersecurity). [...] For these reasons, Eurosmart strongly recommends a cybersecurity approach for the potential Delegated act of the Radio Equipment directive. The NLF-Safety approach is designed to assess static targets whereas cybersecurity is a matter of anticipation and a moving security target. The European Cybersecurity Certification Framework, as defined by the Cybersecurity Act, has been designed to evaluate the cybersecurity resistance level of products; it is the only viable process to fulfil this task. Due to the interconnected and sensitive nature of a consumer IoT device and as stated by the Inception Impact Assessment, Eurosmart urges the European Commission to propose a certification scheme at the level “substantial” for “Internet-connected radio equipment and wearable radio equipment”, and thus, based on trustworthy European Standards to be defined. This adopted certification scheme shall be referenced in the foreseen Delegated Act of the Radio Equipment Directive to support the intended purposes pursuant to both Articles 3(3)(e) and (f).

Response to Application of Article 3 (3) (i) and 4 of Directive 2014/53/EU relating to Reconfigurable Radio Systems

4 Mar 2019

Eurosmart, the voice of the digital security industry, supports the political commitment in strengthening reliability of radio equipment placed on the Market. The growing number of internet-connected radio-equipment and more precisely IoT devices constitutes a challenge to ensure both safety and security of products placed on the market. In terms of safety, it comes to the manufacturer to take care of the conformity for the making available on the market of its radio equipment which may combine hardware and software. In this case, software is part of the final good. However, third-party software can be uploaded on the device for the benefit of the final user, such as the enabling of new features of its hardware. On the one hand, potential misuse or modification of the behaviour of the device cannot be under the responsibility of the manufacturer whose product placed on the market has been modified did not. Indeed, this situation could lead to legal uncertainty for market players who will bear the full liability of a modified combination of software and radio-equipment. On the other hand, it would be detrimental for the market to oblige the manufacturer to introduce features that restrict the uploading of third-party software, unless the manufacturer ensures the compliance of the combination of the radio equipment and software. This would shift the responsibility for safety, compliance, usability and maintenance of the software to the radio-equipment manufacturer. Moreover, the Inception impact assessment for the Radio Equipment Directive related to Internet-connected radio equipment and wearable radio equipment foresees a potential delegated act which will include requirements in terms of privacy, data protection, and prevention from fraud. Such requirements will include cybersecurity protection alongside traditional conformity against functional specifications (safety). Eurosmart fears that the radio-equipment manufacturer would carry the whole liability burden in terms of cybersecurity, should the radio-equipment be altered due to the upload of non-secure software, or a misuse by the user. Internet-connected radio equipment is not acting in a static environment; uploaded software may rely on external databases, algorithms, cloud servers, artificial intelligence etc. which are not under the control of the manufacturer. Breach of data, privacy concerns and vulnerabilities could be attributed to one or several actors of the software’s value chain which the manufacturer may not be responsible for or aware of. An alternate option could be the upload of party evaluated software on a standardised platform and to require a third party evaluation for the product before and after the upload. Eurosmart enjoins the TCAM and the European Commission to rely on the ongoing work of the Product liability expert group (E03592), to define clear liability for both device manufacturers and software developers and to consider a software as a good placed on the market as such. It is essential, prior to envisaging a complementary approach through a potential delegated act for software upload for radio equipment, to wait until the upcoming conclusions of the Product Liability Expert Group.
Read full response

Response to Specifications for the provision of cooperative intelligent transport systems (C-ITS)

8 Feb 2019

Cooperative Intelligent Transport Systems (C-ITS) are an important area of development for many market players such as the automotive, telecommunication and digital security industries. C-ITS undeniably leads to a hybrid communication approach which processes a wide range of data in a very short time. For these reasons, Eurosmart pays particular attention to the way data will be transmitted and handled. Good practices from the e-call regulation should inspire all the upcoming C-ITS regulatory approaches.

Eurosmart particularly welcomes the involvement of the Joint Research Centre (JRC) when it comes to the design of PKI to support the placing on the EU market of interoperable and compatible ITS stations. JRC has a long track record in developing PKI, for instance in the definition of “Smart Tachograph - European Root Certificate Policy and Symmetric Key Infrastructure Policy”.

Eurosmart is looking forward to the definitive proposal of the European Commission for an act regulating cooperative transport systems C-ITS in the European Union. The Draft Delegated Regulation paves the way for a complete and better-defined framework governing ITS in the Member States, by clarifying the requirements needed to implement technologies falling into the scope of the ITS Directive 2010/40/EU.

Eurosmart focuses on the following points:
• Interoperability: clear and coherent communication between roads and vehicles. C-ITS market fragmentation is an impediment to road safety.
• Solid Public Key Infrastructure allowing certified companies to securely exchange data;
• Compatibility: investment in C-ITS is long-term, as vehicles and road-side equipment have long life cycles. Future technologies have to operate with deployed equipment, preventing road safety disruption.
• Security: resilience of the C-ITS system against information security incidents throughout the life cycle. C-ITS requires a cybersecurity infrastructure that ensures C-ITS stations can check if other C-ITS stations send truthful messages. This system shall cover vehicles and roads, no matter the country, no matter the vehicle brand, no matter the communication technology used.
• High security on the road needs the approach of ISO/IEC 15498, concrete CC, at least EAL4+.
• Better synergies between transport and telecom infrastructure: TEN-T Policy and CEF II 2021-2027 shall be the main contributors to trigger a joint strategy in the two sectors;
• Harmonization: C-ITS shall not cause radio interference to electronic road charging systems already deployed in Europe and the digital tachograph, which is mandatory in trucks in the EU.
• A new protection profile (PP) should be deployed, to capture a uniform and long-lasting security level in the European Economic Area. A possible reference in this field could be the EU tachograph, in respect to the Regulation (EC) 2135/1998 and being used today in 52 states.
• Electrification and influence on the Smart Grid with reference to the Smart Meter Gateways in all Member States (e.g. with link to European roll-out plan), including expected secure interoperability between the Grid, SMGW, charging stations and vehicles.

Eurosmart appreciates the Delegated Act following the hybrid communication approach outlined in the 5G Action Plan COM (2016) 588, where mature ITS-G5 short-range communication for safety critical messages is complemented with existing 4G and in the future 5G long-range communication. Eurosmart is also pleased that European Standardization Organisations (ESOs) have been participating in development of the European C-ITS infrastructure.
Eurosmart undertakes to collaborate with other companies on security implementation requirements of ITS stations in the draft Delegated Act and the role of Common Criteria therein, within industrial platforms like the Car 2 Car Forum Communication, so that both security and market conditions will be met.
Read full response

Response to Proposal to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre

11 Oct 2018

On the 13th of September, Eurosmart - the voice of the Digital Security Industry - welcomed the European Commission proposal for a regulation establishing the European Cybersecurity Competence Centre (ECCC) and its related Community. Eurosmart is fully committed to the achievement of the European Digital Single Market and supports all the efforts made by the European Commission to boost the European cyber-resilience and to create a competitive European cybersecurity industry. The establishment of strong links between the European research in the field of cybersecurity, Public Authorities, cybersecurity product manufacturers and solution providers is one of the paramount objectives that Eurosmart shares with the European Commission. With the aim of encouraging the Cybersecurity ecosystem in Europe and competing on a global cybersecurity market, Eurosmart expects from the future ECCC:

1. Capitalising on the cybersecurity public-private partnership approach

The Cybersecurity public-private partnership and the creation of the European Cybersecurity Organisation (ECSO) laid the groundwork to mutualise knowledge and enhance the collaboration amongst stakeholders involved in Cybersecurity. Eurosmart supports the European Commission proposal to capitalize on lessons learned from the cPPP and argues for enhanced cybersecurity actions through working groups of the Cybersecurity Community.

2. Pursuing the objectives of the Cybersecurity act

The ongoing proposal for a Cybersecurity Act would establish a European Cybersecurity certification framework. This proposal will give impetus to the whole Cybersecurity Industry, which would take advantage of a robust, trusted and scalable Cybersecurity Certificate. This proposal will contribute to the European cyber-resilience for both companies and citizens. Eurosmart sees a unique opportunity to consolidate this approach and its community through the ECCC by sharing know-how amongst the stakeholders. The Digital Security Industry advocates for the State-of-the-Art (SOTA) within the upcoming EU certification framework and is ready to contribute to the debate. Namely, those involved could benefit from the development of proposals regarding candidate certification schemes. ECCC could be a relevant tool to invite all the actors (SMEs included) to gain access or to shape proposals on candidate certification schemes. This activity would require full involvement of ENISA and competent authorities in the Community as well as a high degree of representation of the diversity of the European cybersecurity ecosystem. Regarding standardisation in the field of Cybersecurity, a further collaboration with the European Standardisation Organisations (ESOs) should be agreed, and more specifically with the eventual working groups related to the EU Cybersecurity Certification Framework.

3. Strengthening the level of investment in Cybersecurity infrastructures product and solutions in Europe.

Eurosmart supports the idea of specific investments for Cybersecurity and advocates for the identification of clear budget lines of Digital Europe and Horizon Europe programmes which would be dedicated to the ECCC and its actions. The Digital Security Industry is convinced that a more consistent and specific approach will enable the involvement of actors in the Competence Centre. Once the ECCC is established, the Member States should be encouraged to leverage innovations and solutions from both the research in the field of Cybersecurity and the European Industry. To achieve this goal, a political impetus from the European Union could be triggered with the support of the Community.
Read full response

Response to Improve the security of ID cards and residence documents of EU citizens and of their non-EU family members

11 Jul 2018

Eurosmart fully supports the EC proposal for a “Regulation on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement”, and in particular the emphasis put on the national ID cards. ID cards issued within Europe do not have a harmonized security level. Some are easier to falsify or counterfeit than others. Yet, they can all be used by EU MS citizens to exercise their right to free movement (Article 21 of TFEU and directive 2004/38/EC). This situation creates a “honeypot” where the weakest ID cards are targeted by criminals to freely circulate within the European Union, but not only, as they can also be used (1) to cross Schengen external borders, and (2) within another MS to prove their identity to a public service, the police or a private company.

Eurosmart welcomes
- the proposal to include the holder’s portrait in the chip of the ID card, and
- the compliance of the ID card and its chip with ICAO specification (Doc 9303).

Eurosmart calls upon
- not to over-regulate eGovernment applications whose interoperability and interconnection issue has already been solved by the current implementation of eIDAS.

EUROSMART FULLY SUPPORTS THE PROVISIONS RELATED TO SECURITY HARMONIZATION OF NATIONAL ID CARDS

Eurosmart considers that the content of the proposal is a good tradeoff between (1) the need for a harmonized security level of national ID cards throughout Europe, and (2) necessary subsidiarity allowing MS to design their own ID cards. No security is everlasting, and Eurosmart calls upon a continuous improvement of ID cards’ security against new frauds. Eurosmart highlights that the biggest risk of fraud remains the lookalike, in which a fraudster uses the ID card of a genuine holder having the same face as him, leading to an impersonation. The proposal to include the holder’s portrait in the chip of the ID card is instrumental to help fight this fraud by allowing biometric authentication in case of doubt. Finally, the proposal requires the ID card and the chip to comply with ICAO specification (Doc 9303). It is key to ensure interoperability of ID cards throughout Europe but above all to ensure effective controls.

EUROSMART CALLS FOR NOT REGULATING E-GOVERNMENT APPLICATION

The proposal allows MS to also include a national e-Government application that may provide, for instance, digital identity and/or digital signature to citizens for national purposes. The current state of play of ID cards within Europe shows a general trend for adding an e-Government application as soon as the ID card is equipped with a chip. However, the landscape of national e-Government applications is very heterogeneous. Nearly each country has its own e-Government application (ITA, BEL, EST and DEU are all different) on which an ecosystem has developed. This situation is not expected to change, as the issue of interconnection and interoperability of e-Government applications throughout Europe has now been solved. The eIDAS regulation has acknowledged the principle that digital identity shall be interoperable at the back-end system level (through eIDAS nodes), and not at the ID card level. It will become true as of September 2018 with the mandatory recognition of the first notified digital identities. Therefore, Eurosmart stresses that there is no need for this text to regulate in any manner the e-Government application, as the interoperability and interconnection issue has already been solved, and calls for not regulating them. On the contrary, any attempt to regulate e-Government applications would deter MS from supporting this text as it would result in a major impact on their digital identity and trust services ecosystem.
Read full response

Response to Proposal to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre

23 Apr 2018

Eurosmart, the association representing the European digital security industry, welcomes the European Commission’s initiative to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre. This Digital security technology is a unique European success: more than 120 countries in the world use it for securing their electronic passport, all well-known high-end smart phone manufacturers use it to protect their critical assets, as does the European Parliament with the latter using them for electronic voting systems. Our industry is fully involved in the achievement of a trustful European Cybersecurity Market.

Eurosmart does support option 0 and the continuation with well-known instruments cPPP (aka ECSO). From a governance point of view, this option is the only way to involve all the stakeholders, national and regional bodies into a fair and transparent process without any additional administrative burden. The Eurosmart members have invested a lot in the creation of the current cPPP. We would like to build upon this platform, which is only 18 months old. With the aim of continuously improving the European cybersecurity resilience, the current ambitions in terms of cybersecurity should not be watered down by a fragmentation of the know-how. The digital security industry strongly believes that only the cPPP can bring together the relevant high level experts from both public and private sides. This solution should focus on achieving scale in order to create strong links between the demand (both public and private from various sectors e.g. health, telecom, energy, space, defence, finance, transport) and supply side of the cybersecurity in a way that exerts a leverage effect on both the European cybersecurity excellence and know-how.
Eurosmart is convinced that the current proposal may enable a virtuous circle which will benefit the European Cybersecurity Market, citizens and Industry both in terms of resilience and highly secure solutions.
Read full response

Response to Review of ENISA Regulation and laying down a EU ICT security certification and labelling

6 Dec 2017

Eurosmart, the Voice of the Digital Security Industry, is pleased to submit its feedback on the Cybersecurity Package. The documents under comments are:
- Impact assessment - SWD(2017)500/948161 - Part 4
- Impact assessment - SWD(2017)500/948161 - Part 5

This document gathers comments from experienced technical experts. The list of comments presented in this document is just an example and is not exhaustive. Eurosmart found a certain number of issues along the 200 pages. The main concern is that the existing evaluation process and existing Certification Schemes, and specifically Common Criteria, appear as redundant, static, administrative burden, lengthy, costly, based on erroneous or incomplete information.
Read full response

Meeting with Bodo Lehmann (Digital Economy)

27 Jan 2016 · cybersecurity; PPP