Nederlandse Orde van Register EDP Auditors (Dutch Association of Registered EDP Auditors)
NOREA
NOREA's objectives are:
1 To promote the quality of professional practice by its members, insofar as that practice falls within or touches on the field of IT audit;
2 To promote developments within the field of IT audit;
3 To represent the common interests of its members.
ID: 818490635811-74
Lobbying Activity
14 Sept 2023
Introduction and summary

This is the response of NOREA, the professional association of IT auditors in the Netherlands. NOREA acknowledges the need for a common high level of cybersecurity and resilience throughout the European Union and supports the efforts taken by the European Commission to this end. The critical comments and observations made in this evaluation are therefore intended to further improve the processes and operations in place to reach these goals in the context of a single European digital market. NOREA participates in the Dutch Online Trust Coalition (OTC) and endorses the OTC's consultation response.

In summary, our comments and observations relate to:

- Cybersecurity Certification Framework

The framework as laid down in the Cybersecurity Act is based on the Common Criteria / SOG-IS approach for product certification. Substantial differences between laboratory testing of products and the audit of services make the framework unsuitable for the certification of services.

According to Article 56(2) of the Cybersecurity Act, cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law. Recent developments in other regulations and directives, however, show a tendency to mandate cybersecurity certification. In our opinion the requirements and processes in the scheme should therefore be treated as if they were mandatory, and a mandatory impact assessment prior to implementation of the scheme should be part of the framework.

Given the important role of cybersecurity certification in other legal acts, among others the NIS2 Directive, the Cyber Resilience Act, e-IDAS2 and DORA, it is important to safeguard consistency between these legal acts. Opportunities for synergy and efficiency, such as harmonisation of criteria across sectors and across the scope of legal acts, and the re-use of audit reports, should also be considered to reduce the compliance cost of CSPs and consequently the price of cloud services.

- EUCS scheme development

Annex J of the draft scheme contains requirements that aim to safeguard the sovereignty of European cloud services (PUA: Protection against Unlawful Access). These requirements were included without a prior proper economic impact assessment. In the opinion of NOREA this carries the risk of disrupting the EU single internal cloud market. Furthermore, the risk that the PUA requirements conflict with other international treaties and agreements, such as the WTO General Agreement on Trade in Services (GATS), should be assessed.

The use of (European or international) standards is essential for the mutual recognition of cybersecurity certificates and for the effectiveness of all legal acts affected. Article 54(1)(c) of the EU Cybersecurity Act requires that schemes shall at least include references to the international, European or national standards applied. Recital 69 of the same act states that European cybersecurity certification schemes should be based on European or international standards. Requirements of certification schemes should therefore be based on existing standards. The draft EUCS scheme, however, contains important elements that are not standardised (e.g. Annex J) or that have been submitted for standardisation to CEN-CENELEC (the security requirements in Annex A and the Meta-approach). NOREA supports the role of CEN-CENELEC, as it has a well-established reputation and a transparent governance structure.

There is a need to invest in the development of supporting tools and expertise. In accordance with the EU Cybersecurity Act, the scheme currently requires Conformity Assessment Bodies to be accredited against ISO 17065, which is an obstacle for auditors who work in accordance with the International Standards on Assurance Engagements (ISAE, issued by the IAASB) to act as Conformity Assessment Bodies. As a result, the expertise of assurance auditors is not being utilised for cybersecurity certification, while the capacity is urgently needed.