11 Dec 2024

Recommendations on updated draft CRA standardisation request

Introduction

DIGITALEUROPE presents its perspective on the newly revised draft standardisation request supporting the Cyber Resilience Act (CRA).
Building on our previous recommendations, which remain insufficiently addressed in the updated draft, this paper outlines additional proposals to reflect the latest changes.

Incorporating these recommendations is essential to facilitate the effective implementation of this groundbreaking mandatory framework for cybersecurity requirements in hardware and software:

  • ‘Security interests of the Union’: The newly introduced Art. 2 lacks clear criteria defining the ‘security interests of the Union,’ creating ambiguity that raises concerns about proportionality and alignment with the Standardisation Regulation. We call for clarification of these criteria or reconsideration of Art. 2 and Recital 13 to ensure coherence with stakeholder participation principles.
  • ETSI’s role: The European Telecommunications Standards Institute (ETSI) must be explicitly included in the standardisation request for all relevant entries. ETSI’s expertise in telecoms and cybersecurity is essential for delivering robust, market-relevant and globally aligned standards.
  • Alignment with existing standards: To streamline implementation, the CRA should leverage existing international standards rather than creating new frameworks. The request should be outcome-focused, avoiding rigid sequencing between vertical and horizontal standards to ensure consistency without unnecessary delays.
  • Realistic timelines: The current draft imposes a sequencing requirement that delays the development of vertical standards until horizontal standards are finalised. This, coupled with misaligned deadlines, risks leaving manufacturers without adequate time to adopt standards before the CRA’s application date. We recommend allocating sufficient time for standards development and aligning timelines with realistic industry needs.
  • Impact of open source on CRA standardisation: There is a critical need for greater open-source software (OSS) expertise in the standardisation process. Whilst the draft acknowledges OSS participation, many OSS organisations lack the resources to engage effectively.
For more information, please contact:
Rita Jonušaitė
Senior Manager for Cybersecurity & Cloud
Sid Hollman
Policy Officer for Cybersecurity & Digital Infrastructure