(by Davide Maniscalco, Aidr regional coordinator for Sicily, Head of public affairs of Swascan - Tinexta Group) "Trust" is the guiding star for policy makers in shaping a European Digital Single Market that digital users perceive as "safe", in an increasingly interconnected scenario.

In this direction, Article 8 of the Cybersecurity Act has given the European Union Agency for Cybersecurity (ENISA), under its newly introduced permanent mandate, the task of monitoring developments in the standardization sector, also in view of the forthcoming "full implementation", in June 2021, of the European certification framework for ICT products, services and processes.

ENISA's work has therefore focused on supporting the standardization activities still under way at the European standardization organizations CEN, CENELEC and ETSI, as well as the Cybersecurity Coordination Group, together with appropriate collaboration with standards development organizations (SDOs) such as ISO SC27 (as liaison), the European Commission and other stakeholders.

This was discussed at the annual conference on standardization in relation to the Radio Equipment Directive (RED) and on certification under the provisions of the Cybersecurity Act (CSA), organized by ENISA, which ended on February 4 after an intense "three days" of work with over 2000 participants from the EU and around the world.

The construction of the Digital Single Market inevitably involves three important lines of action:

  • foster constructive dialogue between the political level, industry, research, and the standardization and certification organizations;
  • extend that dialogue to all the actors involved, in their various capacities, in the development of the ICT certification framework in Europe;
  • make the implementation of the Cybersecurity Act effective.

Meanwhile, the recent start of the revision of the European NIS Directive, through the NIS2 proposal included in the broader framework of the EU Cybersecurity Strategy for the Digital Decade released last December, has set the conditions for a convinced relaunch of the public-private partnership as a tool for effective information sharing and, ultimately, for the overall enhancement of protection and resilience in the fifth domain (cyberspace) on a European scale.

In addition, on 24 July 2020 the new EU Security Union Strategy 2020-2025 was adopted, covering the protection and resilience of infrastructures and pointing towards a substantial revision of European Directive 2008/114/EC of 8 December 2008 on European critical infrastructures.

It is therefore intuitive that, in this scenario, the existing laws and regulations on the security of networks and information systems become a point of reference for all companies that intend to raise their level of security and their awareness of cyber threats and risks; it thus becomes essential to set up an effective approach to risk mitigation and to the resilience of core business processes.

If, on the one hand, the European cybersecurity strategy aims to strengthen digital sovereignty and leadership on international norms and standards for the cyber domain, on the other it raises an important question on which it may be useful to stimulate a debate: how can the cyber development of SMEs be promoted in concrete terms?

It is true that the European strategy intends to support SMEs through the Digital Innovation Hubs, designed to improve skills and so stimulate innovation and competitiveness.

It is also true that Europe has fielded an unprecedented budget across the Digital Europe programme, Horizon Europe and the Recovery Plan for Europe, including for the development of the Cybersecurity Competence Centre and the network of national coordination centres.

However, this economic support for investment needs to be grafted onto a framework of accountability, especially for SME operators.

This can be particularly strategic for raising the security standards of Italian SMEs and, more generally, for reducing their vulnerabilities where they take part in supply chains, since those vulnerabilities produce negative externalities for the entire supply chain they belong to.

It is well known, in fact, that one of the main vulnerabilities of supply chains is the presence of SMEs with little sensitivity to cyber issues.

The strategy of trying to raise SMEs' information security budgets through greater awareness alone has proved, over time, not entirely effective.

From this perspective, does it make sense to keep expanding the supply of technologies and standards if SMEs do not yet possess the skills needed to direct their investments cost-effectively?

Rather, it may be more effective to identify and select the best levers to activate in order first to create a "qualified" demand and then to direct it towards the most appropriate and coherent offer, so as ultimately to favour the balanced growth of security and, more generally, of the reliability of the supply chain.

The “EuroCyber” leadership and standardization for the next digital decade