Netnod response to SOU 2021:63 Sveriges säkerhet - behov av starkare skydd för nätverks- och informationssystem
In general Netnod believes the trust in certification is too high. A certification is not better than the criteria the certification is based upon, and the criteria is in turn based on knowledge and agreements on necessary requirements. Because of this, if one should talk about certification one has to start from the beginning, with collection of information, dissemination of the information and creation of agreements on what the requirements are to be set on products and services.
When these criteria exist, then one can look at the certification process itself. Should the certification be done by third parties or do we talk about a self certification? Should the certification be about the process by which the products are developed or should the products themselves be certified?
These issues already exist in the regulation, so there is not much we can do in Sweden except continuing to raise awareness about these issues. And of course do the best we can given the words adopted in the EU.