Netnod response to SOU 2021:63 Sveriges säkerhet - behov av starkare skydd för nätverks- och informationssystem

Netnod have responded to an open consultation on SOU 2021:63 “Sveriges säkerhet - behov av starkare skydd för nätverks- och informationssystem”. The SOU is in turn based on REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

In general, Netnod believes the trust placed in certification is too high. A certification is no better than the criteria it is based upon, and those criteria are in turn based on knowledge of, and agreement on, the necessary requirements. Because of this, if one is to talk about certification one has to start from the beginning: with the collection of information, the dissemination of that information, and the creation of agreements on what requirements are to be set on products and services.

When these criteria exist, one can look at the certification process itself. Should the certification be done by third parties, or are we talking about self-certification? Should the certification cover the process by which the products are developed, or should the products themselves be certified?

These issues already exist in the regulation, so there is not much we can do in Sweden except continue to raise awareness about them, and of course do the best we can given the wording adopted in the EU.

