Reaction to the European Parliament’s and the Council’s positions on the Cyber Resilience Act

Today, the European Parliament and the Council respectively agreed on a common position on security requirements for digital products, marking the start of trilogue negotiations. 

DIGITALEUROPE’s Director-General Cecilia Bonefeld-Dahl said:

“Today’s votes move this important piece of legislation forward, but the issue remains that the Cyber Resilience Act aims to cover a very broad scope of products – including hardware and software – within a very short timeframe, while industry and governments are struggling with stretched cyber resources. Parliament’s and Council’s efforts to narrow down the scope go some way to solving this problem, notably with the exclusion of spare parts. However, more clarity is needed regarding software and the classification of ‘critical’ products. 

We appreciate Parliament’s balanced proposal on product security support. On the other hand, neither the Parliament nor the Council have acknowledged the huge cyber risks that would result from disclosing unpatched vulnerabilities – this will need serious reconsideration during trilogues. 

Crucially, to achieve practical results, we should maximise the use of the well-proven approach of self-assessment through harmonised standards. We’ll also need to give manufacturers and public authorities more time to prepare for the new framework, ideally 48 months considering the time it will take to develop the necessary standards. 

Taking the best out of the original proposal and the co-legislators’ amendments will be the main challenge ahead, but if done properly we are confident the CRA can be a game-changer for Europe’s cybersecurity.”