Cybersecurity is a make-or-break issue in the digital economy. Although there is growing recognition that building cyber resilience is crucial, adoption of existing cybersecurity standards is severely lacking, especially among SMEs. This is partly due to the fragmented nature of cybersecurity certification in Europe: there is no well-known, universally accepted certificate with a high level of adoption.
Among other goals, the EU Cybersecurity Act (CSA) set out to eliminate this fragmentation through the introduction of a harmonised framework for cybersecurity certification. In a new position paper, DIGITAL SME provides concrete suggestions to make sure SMEs can adopt and benefit from the new cybersecurity certification schemes.
If a high rate of adoption is achieved, the voluntary certification schemes could significantly elevate cybersecurity throughout Europe.
But how do we get there? The CSA introduces a framework for certification schemes, not the schemes themselves. Developing those schemes will be a complex process, and it runs the risk of producing schemes that are too complicated and too hard for SMEs to adopt.
The schemes will most likely be developed in reference to existing and future cybersecurity standards, i.e. official documents by European and international standardisation organisations.
Standards are voluntary, industry-driven agreements that aim at harmonising products, services and solutions and making them interoperable, in order to boost compatibility and trade. If cybersecurity standards are to be the base layer for trusted certification schemes, they must be easy to access, understand and implement, especially for smaller companies with limited technical expertise.
In its new position paper “The EU Cybersecurity Act and the role of standards for SMEs”, DIGITAL SME outlines the “four A” challenges of standards adoption for SMEs: affordability (most SMEs simply cannot afford paid-for standards), adaptation (most standards are not tailored to the different types and needs of SMEs), awareness (ask a friend who works in a small consultancy firm whether they can name a single cybersecurity standard), and access to standardisation organisations (SMEs often do not get to participate in the standards-making process, which puts them at a decisive disadvantage).
Put simply: we need standards that are more accessible, affordable and adapted to SMEs, and SMEs need to be aware that those standards exist. To solve this conundrum and move forward, we propose four concrete options to increase SME adoption of cybersecurity standards. Learn more about these options in the position paper.
Besides standardisation, cyber resilience in Europe could also be greatly improved by developing lightweight, easy-to-use cybersecurity guides, and even more by pooling such practical guides in a trusted European online platform.