Imagine waking up one day to discover that all your sensitive business data, including confidential financial information, customer data, and trade secrets, have been stolen. A nightmare scenario, isn’t it? Unfortunately, this is a reality that many companies face as cyber threats continue to grow in scale, complexity, and impact. The good news is that the European Commission has introduced the European Cyber Resilience Act (CRA) to set common cybersecurity standards for digital products and connected services sold in the EU market. The aim is to protect consumers and businesses from cyber incidents, making this the first ‘Internet of Things’ (IoT) legislation in the world.
With this blog post, Publyon’s Consultant Brecht Osselaer provides an overview of the main threats and opportunities for European businesses, focusing on:
- The objectives of the legislation.
- The implications for providers of digital products and connected services.
What’s the objective of the European Cyber Resilience Act?
As different economic sectors have become more dependent on digital technologies in executing their businesses, the opportunities that digital connectivity brings also expose economies to cyber threats. The amount, complexity, scale, and impact of cybersecurity incidents are also growing.
The Cyber Resilience Act introduces rules to protect digital products that are not covered by any previous regulation. This way, it will be the first ‘Internet of Things’ (IoT) legislation in the world.
What are the implications of the European Cyber Resilience Act for your business?
Publyon has identified a number of essential requirements for hardware manufacturers, software developers, distributors and importers who place digital products or services on the EU market. The requirements proposed include:
- an ‘appropriate’ level of cybersecurity;
- the prohibition to sell products with any known vulnerability;
- security by default configuration, protection from unauthorised access;
- limitation of attack surfaces, and minimisationof incident impact.
The default category consists of low-risk products, covering 90% of the market, including smart toys, TVs or fridges, and would require companies to perform a self-assessment to ensure that a product meets cybersecurity standards.
Furthermore, two categories for critical products are listed:
- The first category includes browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management, systems, physical network interfaces, routers, and chips used for entities falling under the NIS2 Directive. Moreover, it also includes all operating systems, microprocessors and industrial IoT not covered in class II.
- The second category includes higher-risk products, such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.
The main difference between the two categories is the compliance process. Moreover, the commission asks manufacturers to perform regular tests to identify vulnerabilities in their products.
Lastly, Member States would also have to put in place market surveillance bodies. The penalties for non-complying with the requirements can amount to €15 million or 2.5% of the annual turnover.
Expert perspectives: how industry stakeholders are reacting to the European Cyber Resilience Act
The first overall reactions from the industry and other stakeholders to the initiative were positive. Consumers expect the products they purchase to be safe and secure. Hence, creating greater awareness of the importance of these security requirements in products will result in customers considering key security criteria when making purchasing decisions.
However, to avoid confusion, the industry also warned that the legislation should encompass a clear definition, considering differences in the development, functionality, and use of digital products. Different sectors also asked the Commission to consider existing vertical legislation for specific sectors and/or product groups.
Adding essential cybersecurity requirements risks excluding SMEs from the market. Businesses also need to know exactly what kind of technical specifications they must comply with to ensure adherence to CRA obligations.
Some companies are worried about the extra burden and compliance costs, making it harder for start- ups to compete with established companies. For instance, app developers warn of the extra costs in maintaining a cyber-resilient environment for the benefit of consumers. They prefer guidelines or recommendations.
Where are we in the EU process?
The European Parliament’s Industry, Research and Energy Committee (ITRE) has been appointed as the responsible committee, under the lead of MEP Nicola Danti (RE, Italy) as Rapporteur. The Internal Market and Consumer Protection (IMCO) Committee published an early draft opinion at the end of March 2023, while the Civil Liberties, Justice and Home Affairs (LIBE) Committee decided not to issue an opinion.
On 31 March, Rapporteur Danti circulated his draft report on the European Cyber Resilience Act, which contained proposed amendments on the overall scope of the Regulation, as well as the determination of lifetime of products and the scope of the reporting obligation. Furthermore, the amended texts referred to a changed pace for the entry into force, the availability of automatic updates for the safety features and the interplay of the Regulation with other EU legislation.
Council of the EU
On the side of the Council of the EU, the file has been assigned to the Telecommunications Council under the coordination of the Czech Presidency. Six compromise texts were shared which detail the considerations and contentious issues on the side of the Council. Some of these issues pertained to the scope and free movement clause of the Regulation.
The texts also proposed amendments to the definition of product lifecycle and key security functions. Furthermore, the compromise texts of the Council dealt with the relation of the Regulation with other EU legislation, limit to the product lifecycle and associated automatic security updates for connected devices.
Technical and especially shadow meetings are important because a coherent position in trilogues – one that withstands the scrutiny of the Council – enhances the Parliament’s chances of achieving a favourable outcome following negotiation. Concurrently, they are essential because it has become more complicated to find a common position within the Parliament due to increased levels of politicisation and polarisation in EU policymaking. You can find several important meeting dates below.
Seven technical meetings on the European Cyber Resilience Act are scheduled before a meeting between Rapporteur and Shadow Rapporteurs on 13 June. A further six technical meetings are planned before the final shadow meeting on 5 July. A last technical is expected on 6 July to streamline the text ahead of the ITRE committee vote on 19 July, which means that a plenary vote will take place after the summer recess of the Parliament.
On 2 June 2023, the EU Member States will meet in the Telecommunications Council to discuss the progress on the file. Digital files were not ranked high on the agenda when the Swedish presidency published its priorities for the next six months, which makes it unlikely to have a general approach by June.
Only after Council and Parliament have adopted their positions, are trilogue negotiations due to commence.
Learn more about our EU cyber-related services
Publyon offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU cyber-related legislation on your organisation.
Would you like to know more about how your organisation can make the most out of this Regulation? Make sure you do not miss the latest developments by subscribing to our EU Digital Policy Updates.
If you’re intrigued by the EU’s latest efforts to enhance cyber resilience, you can contact our cybersecurity expert Stefano Mauro (firstname.lastname@example.org) about our Cyber Fitness Scan. This digital tool will help all kinds of businesses identify the cybersecurity requirements for digital products and services in the EU and provides strategic advice and solutions to enhance the cyber resilience of affected organisations.