On 20 May, ESMIG submitted its response to the European Commission’s public consultation and call for evidence on the Cyber Resilience Act, looking at new rules for digital products and ancillary services.
In the past few years, cyber and information security topics, network protection, security risk management, security governance, security certification and data protection have been addressed with several legislative and regulatory directives, acts and frameworks, like the Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR). There are also several legislative and regulatory acts in place that smart metering products, solutions and industry must comply with.
While we support any upcoming legislative and regulatory acts in the field of cybersecurity that address ever-changing and evolving cybersecurity threats, we emphasise that it is crucial that any obligatory acts do not overlap.
Furthermore, we believe that the existing regulations that include smart meters in their scope already cover a substantial set of requirements for our sector. Additionally, the security requirements defined in existing legislation should be applicable to a wider scope of products, irrespective of their country of origin.
As briefly described in ESMIG’s 2021 position paper on “Fair Competition in the Energy Sector”, cybersecurity legislation and regulatory acts must be broader and include non-European countries, governments and related bodies, in order to minimise any supply chain and cybersecurity risks originating from components and products outside the European Union.
Anže Zaletel, member of ESMIG’s Cybersecurity Task Force and Information Security Officer at Iskraemeco, stated: “Our industry supports proposed efforts from the European Commission to increase the cyber resilience and cybersecurity maturity levels of products, solutions and systems. With a combination of horizontal regulatory and voluntary measures (e.g. guidelines and recommendations) the European Commission can significantly contribute to minimising cybersecurity risks in critical infrastructure, originating from a violation of trust between vendors and customers. That said, the European Commission must ensure that any upcoming obligatory acts do not overlap and compete with each other, allowing several interpretations and putting the industry into a position of undermining technological innovation.”