
Connect Europe; GSMA Views on the Review of the Cybersecurity Act

Information Technology | 2025-06-24 | GSMA

June 2025

Section 1: Mandate of ENISA

Connect Europe and GSMA welcome the opportunity to comment on ENISA’s mandate and to share our views on its future mandate and prioritization of tasks. Our members support the continuation of ENISA’s mandate and its strengthening to facilitate harmonization, simplification and a common understanding of the cybersecurity landscape. This could be achieved particularly by increasing ENISA’s ability to provide guidance and support regarding technical measures, and by ensuring ENISA has adequate resources to perform its current and future tasks.

To prevent fragmentation in cybersecurity initiatives and existing frameworks, ENISA’s mandate should explicitly list further tasks to support simplification and further harmonisation using best practices across the EU. These tasks include the following:

• To support compliance efforts, ENISA should conduct a comprehensive analysis and mapping exercise, based on international standards, to identify which standards meet security requirements under various regulations, highlight gaps, identify where regulatory fragmentation exists, and recommend any additional measures to simplify and harmonise, using a risk-based approach. International standards should be the foundation for compliance, and the mapping exercise should clearly show the interplay between EU and international standards. To complement this, ENISA should create a centralised repository and provide guidance to national authorities and regulated entities on the standards to use for compliance.

• ENISA should have a stronger role in the development of standards, and its mandate should be expanded to include active participation within the European and International Standardization Organizations¹ – particularly in light of the forthcoming standards under the Cyber Resilience Act (CRA). ENISA’s participation in standardisation bodies would support the timely development of security standards in close collaboration with private stakeholders. Harmonised standards should remain the preferred approach, while reliance on common specifications for compliance demonstration must be limited to narrowly defined and well-justified cases—such as when standardisation requests are rejected.

• ENISA should always provide concrete dates by which advice and technical guidelines should be completed (whether by EU working groups or national technical authorities). Without clear and harmonised timelines and sufficient time to prepare for new requirements, companies risk operational disruption, compliance gaps, and unnecessary costs. Predictable timelines enable better project planning, budgeting, and sustainable security improvements.

• In its annual report ENISA should report on the progress of cyber security best practices at the European level, simplification initiatives (e.g. single point of contact, incident reporting), cooperation between designated authorities, harmonisation and remaining gaps, and suggest improvements.

• ENISA should play a key role in developing technical best-practice guidelines that integrate all Member State practices on the “once-only” principle/centralisation of security incident management. Multiple EU laws require telecommunications and digital service providers to report security incidents and vulnerabilities. However, inconsistent procedures, thresholds, and designated authorities across these frameworks lead to duplicated efforts. To reduce administrative burdens and enhance the efficiency of security incident management ENISA should develop guidelines and practical support such as harmonised templates for incident reporting.

• In the interest of improving communication with stakeholders, ENISA should play a role in convening National Technical Authorities (NTAs), CERTs and industry on a pan-EU basis to share intelligence/threat insights, in addition to existing mechanisms at national level. Such a dialogue could help shape ENISA’s early warning mechanisms and resilience frameworks, support capacity building, allow for dialogue on relevant topics like certification, and establish a platform for exchange on best practices, allowing for more direct and regular contact with relevant stakeholders in an area that is often time sensitive and requires swift action.

• ENISA should be tasked by the European Commission to evaluate and provide recommendations on Cyber Security Rating. Currently, EU companies are often cyber-rated by international rating agencies without transparent and/or appropriate cyber rating methodologies. This can have detrimental effects on the rated companies. We believe the EU should establish clear rules governing the operations of Cyber Rating Agencies within its jurisdiction, ensuring transparency and appropriateness of methodologies and EU-level oversight. To achieve this, a comprehensive debate should be initiated, involving consultation with all relevant stakeholders, with the aim of defining minimum requirements and procedures for compliance assessment².

Section 2: European Cybersecurity Certification Framework

Our members support voluntary EU wide cybersecurity certification schemes, as they h