EU Cybersecurity Act: SBS calls for certification schemes to consider SMEs

Brussels, 24 March 2020 – The EU Cybersecurity Act (CSA) seeks to enable the use of cybersecurity solutions by, among other actions, introducing a harmonised framework for cybersecurity certification. SBS welcomes this proposal provided that this framework considers the essential role of SMEs and therefore the need to develop cybersecurity standards and solutions that are compatible with them. This is one of the main messages of SBS’ newly-released position paper. The paper outlines four options to build on existing standards in the area of cybersecurity and make sure they are adapted to SMEs.

Although there is a growing recognition that building cyber resilience is crucial for the European digital economy, the adoption of cybersecurity solutions throughout the EU is still very low. Only 32% of European SMEs have a formally defined ICT security policy in place. In its new position paper, SBS analyses the proposed measures and their impact on SMEs, suggesting an approach which would allow SMEs to adopt and benefit from the new cybersecurity certification schemes.

The notion of ‘small and medium-sized enterprises’ is not homogeneous; therefore, the position paper stresses the need for differentiation to tailor standards and certification schemes to different types and sizes of SMEs. Developing certification schemes under the framework introduced by the CSA will be a complex process, which risks producing schemes that are too complex for smaller businesses.

The schemes will be developed in accordance with existing and future cybersecurity standards and technical specifications, which are not fit for SMEs. Thus, there is an urgent need to think about SME-compatible cybersecurity standards and solutions within the framework of the EU Cybersecurity Act. In this respect, SBS calls for these standards to be accessible, affordable and adapted to SMEs, and stresses the need to raise awareness of the existence of such standards.

Finally, cyber resilience in Europe could also greatly improve through the development of lightweight and easy-to-use cybersecurity guides, and even more by pooling such practical guides in a trusted European online platform. The paper proposes the creation of a ‘one-stop-shop’ for practical guides on cybersecurity for SMEs. The long-term goal is to increase the overall level of cybersecurity assurance among companies in Europe, which requires a mix of awareness raising and practical solutions.

The position paper can be accessed via the following webpage.


Views and opinions expressed are those of Small Business Standards (SBS) only and do not necessarily reflect those of the European Union or EFTA. Neither the European Union nor EFTA can be held responsible for them.