Cybersecurity everywhere: deciphering the Cyber Resilience Act
Cybersecurity has become indispensable to our economy and society, and can no longer be an add-on to Europe’s regulatory landscape for products. DIGITALEUROPE strongly welcomes and supports the objectives of the proposed Cyber Resilience Act (CRA), which will for the first time introduce mandatory cybersecurity requirements for ‘products with digital elements.’
DIGITALEUROPE has consistently advocated in favour of horizontal cybersecurity requirements for connected devices. This is not only because of the heightened importance of securing the growing number of devices on the market, which are projected to reach 34.7 billion connections globally by 2028, but also the increased risk of an unclear regulatory framework.
Recent years have seen a proliferation of piecemeal cybersecurity requirements under different EU laws. This complex regulatory scenario is making compliance more difficult for companies, as well as for authorities, which in turn will work against a more cyber-secure posture in the EU.
The CRA can offer a long-term solution to help manufacturers, users and authorities strengthen cybersecurity across the board. For this to happen, however, we must consider measures that make compliance clear and actionable rather than generate new uncertainty.
An effective CRA must:
Factor in the specificities of standalone software, such as the impact of software updates on old concepts such as ‘substantial modification,’ including through the development of guidelines with input from a newly created Stakeholder Expert Group, which should advise the Commission on the CRA’s implementation and future review;
Exclude hardware, software and services used for remote data processing, transmission and storage, to avoid excessive overlap with the new Directive on measures for a high common level of cybersecurity across the Union (NIS2);
Introduce the concept of ‘partly completed product with digital elements,’ allowing for more accurate conformity assessment of software or hardware that must be incorporated into finished products;
Maximise self-assessment through the development and use of harmonised standards, leveraging the many cybersecurity standards which are already in place, in Europe and globally, to support companies’ compliance. An implementation period of 48 months should be provided so that the necessary harmonised standards can be delivered, and a bottleneck of third-party assessments avoided;
When required, provide for scalable third-party assessments across other legislation, such as the AI Act, and prioritise mutual recognition agreements to facilitate market access in third countries, particularly with the US as part of the ongoing EU-US Cyber Dialogue;
Automatically recognise voluntary cybersecurity certification schemes approved under the Cybersecurity Act as a means for manufacturers to prove compliance, and stipulate a direct presumption of conformity vis-à-vis the AI Act’s cybersecurity requirements;
Align incident reporting obligations and timelines with NIS2, requiring an ‘early warning’ within 24 hours, followed by an incident notification within 72 hours. For vulnerabilities, ENISA should establish a European catalogue of known exploited vulnerabilities, which should be reported by manufacturers;
Directly repeal the Radio Equipment Directive (RED) delegated act on cybersecurity, which the CRA makes redundant, and provide for a transition period where compliance with either will be possible; and
Create a European regulatory sandbox to support compliance, particularly for SMEs and start-ups, and to contribute to regulatory learning for a future revision of the CRA.