25 Sep 2023

Building a strong foundation for the Cyber Resilience Act: key considerations for trilogues

Executive Summary

Trilogues on the proposed Cyber Resilience Act (CRA) will set the foundations for a world-first framework of mandatory cybersecurity requirements for ‘products with digital elements’.

For the CRA to meet its objectives, the final text must include measures that make compliance clear and actionable, rather than generate new uncertainties that would disrupt Europe’s ability to innovate and compete globally.

Current estimates put the global cybersecurity workforce gap at 3.4 million people, with Europe lacking more than 200,000 cyber professionals. It is crucial to avoid unrealistic pre-market approval and compliance demands for such a huge scope of hardware and software products used and developed by private and public entities. These demands – as a whole and individually – will, in many cases, only work to undermine the legitimate investment required to increase cybersecurity.

For an effective CRA, the following aspects must be considered during trilogues:

  • An implementation period of at least 48 months should be provided so that the necessary harmonised standards can be developed, and to avoid a bottleneck of third-party assessments due to a lack of capacity and/or technical competence;
  • The specificities of software should be factored in when using traditional concepts from the New Legislative Framework (NLF). The final text can further specify some concepts, such as ‘substantial modification’, and guidelines should be developed with input from a newly created Stakeholder Expert Group, which should advise the Commission on the CRA’s implementation and future review;
  • Criticality levels should ensure that most products can undergo self-assessment, leveraging harmonised standards and prioritising mutual recognition agreements (MRAs) to facilitate market access in third countries and allow for scalability;
  • The exclusion of open-source software (OSS) must be refined so as not to discourage crucial upstream contributions by commercial entities. Similarly, spare parts that are intended to replace identical parts, as well as websites and cloud services covered by the NIS2 Directive should be excluded;
  • The concept of ‘partly completed product’ should be introduced to better address the nature of components, allowing for more accurate and efficient conformity assessment of software or hardware that must be incorporated into finished products;
  • Reporting obligations, timelines and definitions must be aligned with the NIS2 Directive, focusing on significant incidents. The CRA should not mandate reporting of unpatched vulnerabilities. Instead, ENISA should establish a European catalogue of known exploited vulnerabilities, in coordination with already existing recognised initiatives;
  • Provisions on product security support should allow manufacturers to determine the period of support, with the obligation to be transparent and taking into account product life expectancy and consumer expectations;
  • The CRA must directly repeal the Radio Equipment Directive (RED) delegated act on cybersecurity, which the CRA makes redundant, and provide for a transition period where compliance with either will be possible; and
  • The voluntary nature of cybersecurity certification schemes should be retained. Approved schemes should be automatically recognised as a means for manufacturers to prove compliance.
For more information, please contact
Alberto Di Felice
Policy and Legal Counsel
Sid Hollman
Policy Officer for Cybersecurity & Digital Infrastructure