11 Dec 2024

Recommendations on revised draft CRA standardisation request

Introduction

DIGITALEUROPE welcomes the opportunity to share its views on the revised draft standardisation request in support of the Cyber Resilience Act (CRA). In this paper, we put forward our high-level recommendations to ensure the timely availability of robust standards in support of the CRA. Addressing these recommendations is crucial to ensure a smooth implementation of this world-first mandatory framework of cybersecurity requirements for hardware and software.

Alignment with existing standards

As we have consistently argued, rather than building a completely new framework of standards, reusing existing international standards would ensure timely and smoother implementation of the CRA, facilitating industry’s ability to comply with CRA requirements.

The CRA standardisation effort needs to draw from and augment existing standards to fulfil the standardisation request’s goal of addressing the CRA essential security requirements. The revised draft standardisation request puts forward significant changes that potentially undermine this fundamental goal.

One significant change is the requirement that ‘[v]ertical standards developed under this request shall therefore build on and further specify the horizontal provisions.’ This would complicate the possibility of developing harmonised standards based on existing, proven European and international standards. It would also risk a decoupling from international standards, which would negatively impact Europe’s global competitiveness. Whilst the standardisation request acknowledges international standards, the dependency requirement between vertical and horizontal standards may effectively hinder the practicality of this acknowledgment. The standardisation request should be outcome focused – it should not specify sequencing for the work but instead focus on the outcome, ensuring vertical standards are consistent with horizontal standards, with justified exceptions, regardless of which the standardisers start first.

Realistic timeline

The change of language in Annex II, paragraph 2.1 would mean that the development of any vertical standard can only start after the availability of the horizontal standards. This would require significantly more time for standardisers to establish robust standards in support of the CRA. As the envisioned CRA timeframes are already tight, this would lead to real negative market impact.

Conformity assessment bodies face limited capacity to perform all conformity assessments mandated by the CRA’s large scope. This would be compounded by the absence of harmonised standards providing presumption of conformity for categories listed in Class I of Annex III, which would generate further bottlenecks for third-party conformity assessments of these products, too. Manufacturers whose products require third-party certification would also be heavily impacted.
Moreover, the CRA foresees secondary legislation to provide legal clarity as to a very broad and largely undefined set of important or critical products within 12 months of entry into force. This approach will not allow standards to progress properly, as they will lack reference to this first layer of secondary legislation having first been completed. Until such time, standardisers will have no conclusive information on which specific vertical standards need to be developed for the CRA’s product categories. This increases time pressure on the entire standardisation process.

At the same time, it is possible for a product to have several core functions in accordance with Annexes III-IV CRA. Although Art. 7(1) CRA refers to products’ core functions as the central classification criteria, some manufacturers are still unclear as to which categories their products fall into. This exposes manufacturers to double regulation and contradictory requirements from vertical standards. Equally, though not legally required, economic operators – and specifically notified bodies – are dependent on harmonised standards.

The draft standardisation request specifies deadlines by which the standards are to be available. However, provided the CRA is published in the Official Journal of the EU (OJEU) by October 2024 at the latest, and thus applies from October 2027, 13 out of 15 horizontal standards will only be ready after the CRA’s application date, as their deadline is 30 October 2027. Manufacturers need time to prepare for, adopt and implement standards.

DIGITALEUROPE insists that lessons be learned from the work delivered in JTC13 WG8 on standards in support of the RED delegated regulation, where an initial timeline of two years to develop three standards had to be extended by one year, despite enormous additional investments of time and effort by standardisers.

This work should also form the basis for horizontal standards in support of the CRA, to maximise efficiency and ensure they are developed and delivered in a shorter timeframe, allowing for vertical standards to be developed well before the 30 October 2026 deadline. Vertical harmonised and cited standards must be ready and available in good time before the CRA becomes applicable. Therefore, we need to ensure that they can be developed in a timely manner.

Impact of open source on CRA standardisation

A related and significant knowledge gap widely identified by all relevant stakeholders is the need for more open-source-software (OSS) expertise and open standardisation.

Even if effective participation of OSS communities is required in the current draft standardisation request, there exists significant uncertainty as to whether such organisations have the operational bandwidth and financial capacity to get involved in the CEN-CENELEC standardisation development process. Some of our members are taking additional steps to re-engage in this process to provide much needed OSS expertise, but the challenges are considerable.

Different nature of conformity assessment modules

Conformity with the CRA’s essential requirements is to be reached through the conformity assessment procedures under Modules A, B, C and/or H set out in Annex VIII.

Annex I, paragraph I of the draft standardisation request stipulates that ‘the standard must cover the conformity assessment modules as defined in the CRA.’ We should be cognisant of the fact that the aforementioned modules, however, are different in nature.

Module H focuses on the manufacturer’s quality management system, which ensures compliance with the essential requirements of the CRA. Modules A, B and C, on the other hand, address the fulfilment of the actual essential requirements.

From a standardisation perspective, it is not achievable to address both quality management system requirements and functional/process requirements derived from Annex I CRA in a single standard. Consequently, DIGITALEUROPE strongly recommends deletion of references to specific modules.

For more information, please contact:
Rita Jonušaitė
Senior Manager for Cybersecurity & Cloud
Sid Hollman
Policy Officer for Cybersecurity & Digital Infrastructure