23 Jan 2023

Cybersecurity everywhere: deciphering the Cyber Resilience Act

Executive summary

Cybersecurity has become indispensable to our economy and society, and can no longer be an add-on to Europe’s regulatory landscape for products. DIGITALEUROPE strongly welcomes and supports the objectives of the proposed Cyber Resilience Act (CRA), which will for the first time introduce mandatory cybersecurity requirements for ‘products with digital elements.’[1]

DIGITALEUROPE has consistently advocated in favour of horizontal cybersecurity requirements for connected devices.[2] This is not only because of the heightened importance of securing the growing number of devices on the market, which are projected to reach 34.7 billion connections globally by 2028,[3] but also because of the increased risk posed by an unclear regulatory framework.

Recent years have seen a proliferation of piecemeal cybersecurity requirements under different EU laws.[4] This complex regulatory scenario is making compliance more difficult for companies as well as for authorities, which in turn works against a more cybersecure posture in the EU.

The CRA can offer a long-term solution to help manufacturers, users and authorities strengthen cybersecurity across the board. For this to happen, however, we must consider measures that make compliance clear and actionable rather than generate new uncertainty.

An effective CRA must:

  • Factor in the specificities of standalone software, such as the impact of software updates on old concepts such as ‘substantial modification,’ including through the development of guidelines with input from a newly created Stakeholder Expert Group, which should advise the Commission on the CRA’s implementation and future review;
  • Exclude hardware, software and services used for remote data processing, transmission and storage, to avoid excessive overlap with the new Directive on measures for a high common level of cybersecurity across the Union (NIS2);[5]
  • Introduce the concept of ‘partly completed product with digital elements,’ allowing for more accurate conformity assessment of software or hardware that must be incorporated into finished products;
  • Maximise self-assessment through the development and use of harmonised standards, leveraging the many cybersecurity standards which are already in place, in Europe and globally, to support companies’ compliance. An implementation period of 48 months should be provided so that the necessary harmonised standards can be delivered, and a bottleneck of third-party assessments avoided;
  • When required, provide for scalable third-party assessments across other legislation, such as the AI Act, and prioritise mutual recognition agreements to facilitate market access in third countries, particularly with the US as part of the ongoing EU-US Cyber Dialogue;[6]
  • Automatically recognise voluntary cybersecurity certification schemes approved under the Cybersecurity Act as a means for manufacturers to prove compliance,[7] and stipulate a direct presumption of conformity vis-à-vis the AI Act’s cybersecurity requirements;[8]
  • Align incident reporting obligations and timelines with NIS2, requiring an ‘early warning’ within 24 hours, followed by an incident notification within 72 hours. For vulnerabilities, ENISA should establish a European catalogue of known exploited vulnerabilities, which should be reported by manufacturers;
  • Directly repeal the Radio Equipment Directive (RED) delegated act on cybersecurity,[9] which the CRA makes redundant, and provide for a transition period where compliance with either will be possible; and
  • Create a European regulatory sandbox to support compliance, particularly for SMEs and start-ups, and to contribute to regulatory learning for a future revision of the CRA.

References

[1] COM(2022) 454 final.

[2] See DIGITALEUROPE, Setting the standard: How to secure the Internet of Things, available at https://www.digitaleurope.org/wp/wp-content/uploads/2021/09/DIGITALEUROPE_Setting-the-standard_How-to-secure-the-Internet-of-Things.pdf.

[3] Ericsson Mobility Report, November 2022.

[4] For a non-exhaustive overview of existing or proposed EU laws stipulating cybersecurity requirements for products or entities, see pp. 4-5, DIGITALEUROPE, Building blocks for a scalable Cyber Resilience Act, available at https://www.digitaleurope.org/wp/wp-content/uploads/2022/05/Building-blocks-for-a-scalable-Cyber-Resilience-Act.pdf.

[5] Directive (EU) 2022/2555.

[6] https://digital-strategy.ec.europa.eu/en/news/cybersecurity-eu-holds-8th-dialogue-united-states.

[7] Regulation (EU) 2019/881.

[8] COM(2021) 206 final.

[9] Delegated Regulation (EU) 2022/30.

For more information, please contact:
Alberto Di Felice
Policy and Legal Counsel