Comments on the revision of the EU Cybersecurity Act

In its statement on the revision of the EU Cybersecurity Act, the German Banking Industry Committee (GBIC) argues for practical, proportionate and effective cybersecurity regulation. Its central concerns are a clear anchoring of ENISA as a technical and coordinating support body (not as a regulatory authority), a risk-based application of certification obligations, and a comprehensive simplification and harmonization of the diverse reporting and security requirements.
The focus is on avoiding duplicate regulation, particularly where sector-specific requirements such as DORA already apply. Certifications should be limited to safety-critical products and services and must not hinder innovation, particularly by smaller providers. At the same time, the GBIC calls for closer international alignment through mutual recognition of existing standards and certificates.
The high level of bureaucracy caused by inconsistent reporting obligations under NIS2, the CRA and DORA is also given particular emphasis. The GBIC advocates a uniform, EU-wide reporting structure with clear thresholds, standardized formats and machine-readable interfaces. Non-technical risks in the supply chain should be addressed politically in a targeted manner, separately from overarching certification approaches.
The position paper contains concrete proposals for a more efficient, legally certain and innovation-friendly design of the EU cybersecurity framework, in the interests of a resilient and competitive European financial market.
Revision of the EU Cybersecurity Act

Contact
Diana Campar
Banking Technology and Security