U.S. Chamber Comments on the Draft European cybersecurity certification scheme (EUCC)

The U.S. Chamber of Commerce (“U.S. Chamber”) welcomes the opportunity to provide feedback to the European Commission’s public consultation on the Draft Implementing Act laying down rules for the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC).

The U.S. Chamber, as the world's preeminent business advocacy organization, champions free enterprise and facilitates American trade and investment globally. Within Europe, our affiliations run deep. We collaborate extensively with AmCham EU and American Chambers of Commerce across all 27 Member States. We maintain a close relationship with our colleagues at BusinessEurope, among other Member State business associations.

The U.S. Chamber believes cybersecurity certifications, such as those authorized in the Cybersecurity Act, Regulation (EU) 2019/881 of the European Parliament and the Council, are an important tool in a broader risk management program for enhancing trust and security in connected products, services, and processes. Our members leverage numerous international standards, certifications, and frameworks to manufacture products that are more secure and more resilient by design. From a global perspective, cybersecurity certification and standards-based attestation can be critical to creative opportunities for harmonization and mutual recognition.

The candidate EUCC scheme is risk-based, grounded in technical standards, and envisions a robust cybersecurity baseline for certified products. The U.S. has assessed the EUCC's foundational guidelines and anticipated implications. As representatives of U.S. business, we recognize the EUCC's pivotal role in standardizing cybersecurity certifications across Member States, thus fostering trust in ICT products. In particular, we welcome the lack of any “sovereignty” requirements included in the draft scheme, which we believe respects the primary objective of the cybersecurity certification schemes envisioned in the Cybersecurity Act. The U.S. Chamber supports the fact that the EUCC will supersede any existing national cybersecurity certification scheme, enabling much-needed harmonization at the EU level, which will have a considerable impact on the global ICT ecosystem, including U.S. stakeholders.

Our comments addresses the following issues:

1. Outcome Focused, Risk-Based, Consensus Standards Are Critical for Driving Regulatory Cohesion
2. Duplication and Mutual Recognition
3. Assurance levels of European Common Criteria-based cybersecurity certification scheme
4. Conformity Self-Assessment
5. Unified Rules and Validity Variance
6. Voluntary
7. Collaboration Gap and Expert Engagement

About the authors

Vincent Voci

Vice President for Cyber Policy and Operations in the Cyber, Intelligence, and Supply Chain Security Division at the U.S. Chamber of Commerce

Read more

Marjorie Chorlins

Marjorie A. Chorlins is senior vice president for European Affairs at the U.S. Chamber of Commerce and the Executive Director of the U.S.-UK Business Council.

Read more