The TIC Council, representing the independent Testing, Inspection, and Certification (TIC) sector, welcomes the revision of the Cybersecurity Act (CSA2). As the European Union works to bolster its digital defenses, we support the reinforcement of ENISA’s mandate and the development of a more agile European Cybersecurity Certification Framework (ECCF).
With many members operating as Certification Bodies (CBs) and Information Technology Security Evaluation Facilities (ITSEFs), the TIC sector serves as a trusted technical partner in the practical implementation of European cybersecurity certification.
To ensure the CSA2 achieves its full potential, the TIC Council proposes several targeted refinements to the proposed framework:
1. Accelerating the Adoption of Certification Schemes
Harmonized certification schemes are vital for providing a common benchmark to assess ICT products, services, and processes. We support the introduction of a 12-month deadline for ENISA to prepare candidate schemes, which will help prevent delays in finalizing critical initiatives like the EUCS and EU5G schemes.
2. Ensuring "Smart Compliance" and Regulatory Interplay
We advocate for a "smart compliance" approach that allows industry to leverage voluntary certifications to demonstrate compliance across multiple EU frameworks, such as the Cyber Resilience Act (CRA). Clearer guidance is also needed to define the interplay between the CSA2 and other regulations like DORA and the AI Act to remove uncertainty for organisations facing overlapping obligations.
3. A Pragmatic Approach to Organization "Cyber Posture"
The TIC Council welcomes the inclusion of certification for the cyber posture of entities. To ensure rapid and scalable deployment, we recommend that the European Commission build upon internationally recognized standards, specifically ISO/IEC 27001, rather than creating entirely new frameworks.
4. Formal Involvement of Conformity Assessment Bodies (CABs)
Given their hands-on experience with assessment and assurance, it is essential that Conformity Assessment Bodies (CABs) are formally and consistently involved in ENISA’s governance structures. Their technical expertise is necessary to ensure that future schemes remain operable, auditable, and aligned with market realities.
5. Clarity for the ICT Supply Chain
For the trusted ICT supply chain framework to be effective, co-legislators must provide clear and predictable criteria for classifying "high-risk" suppliers. Precision regarding the allocation of responsibilities across the supply chain is critical to prevent unintentional non-compliance.
Read the full position paper here