Critique of the European Commission's Cyber Resilience Act Proposal
The European Commission is taking a proactive approach to the growing threat of cybersecurity incidents by weighing five policy options for the Cyber Resilience Act (CRA) initiative. The initiative aims to raise cybersecurity standards for products with digital elements sold in the European Union (EU), working alongside existing legislation such as the Cybersecurity Act and the Directive on security of network and information systems (NIS Directive).
The CRA initiative responds to the escalating cost of cybercrime, which is projected to reach $10.5 trillion a year globally by 2025. In 2020 alone, the global cost of cybercrime was estimated at €5.5 trillion.
The five policy options under consideration are:
- Strict mandatory cybersecurity requirements with a broad scope, covering all products with digital elements, both hardware and software. This approach sets a high security baseline across a wide range of products, reducing cybersecurity risk EU-wide. However, it could impose significant compliance costs and administrative burdens on manufacturers, especially small and medium-sized enterprises (SMEs), and potentially slow innovation.
- A limited scope focusing only on high-risk or critical products. This approach reduces regulatory burden on manufacturers of low-risk products, focusing resources and enforcement on products where cybersecurity failures have the greatest impact. However, it may leave many products inadequately regulated, allowing vulnerabilities in less critical but widely used devices.
- Emphasis on vulnerability management and reporting obligations, including mandatory vulnerability detection, disclosure, patching, and incident reporting. This approach promotes continuous security lifecycle management, improves transparency, and speeds up mitigation of vulnerabilities and incidents. However, it could create reporting overload for manufacturers, expose users to attackers if disclosure of unpatched vulnerabilities is poorly timed or handled, and increase liability and operational costs.
- Simplified regulatory requirements for SMEs and small product categories. This approach eases compliance for smaller companies, fostering innovation and market entry, and reducing administrative and financial burdens. However, it could result in a weaker security culture in smaller players and potential loopholes that attackers could exploit via less regulated products.
- Exemptions for spare parts and certain non-commercial or sector-specific products. This approach avoids duplicating compliance work for replacement parts and legacy items, reducing complexity in supply chains. However, it risks security gaps via unregulated components, makes parts harder to trace and certify, and leaves potential loopholes through which malicious code could enter the supply chain.
To effectively pursue these policy options, the Commission is advised to:
- Conduct thorough impact assessments to evaluate effects on market supply and demand, member state readiness, and enforcement capacity, ensuring practical and balanced regulations.
- Engage stakeholders extensively through consultations with manufacturers, national authorities, Computer Security Incident Response Teams (CSIRTs), and cybersecurity experts to gather feedback and technical input on proposals and drafts.
- Implement phased timelines with transition periods to allow industry adaptation and capability building.
- Integrate flexibility tailored to company size and product risk levels, streamlining requirements for SMEs and low-risk products while maintaining strict standards for critical items.
- Establish clear compliance frameworks that emphasize secure-by-design principles, ongoing vulnerability management, documentation, and conformity assessment procedures backed by meaningful penalties for breaches.
- Promote harmonization across member states to reduce fragmentation in implementation and ensure consistent cybersecurity standards across the EU single market.
- Support education and training initiatives to help manufacturers understand new obligations and integrate security into product lifecycles from design to end-of-life.
The Commission's approach involves a careful compromise on scope, reporting, certification, and support measures to maximize cybersecurity while maintaining competitiveness and innovation in the digital product market. It is crucial to strike a balance between strengthening cybersecurity across all digital products and mitigating economic and operational impacts on manufacturers, particularly smaller companies.
The Center for Data Innovation, in its feedback on the Commission's consultation on the Cyber Resilience Act initiative, cautions both against maintaining the status quo and against pursuing broad horizontal regulation, while recognising that the EU can play an important role in bolstering cybersecurity practices as vulnerabilities grow. Whether the chosen option will measurably reduce cybersecurity incidents and the cost of cybercrime remains to be seen.
- The Center for Data Innovation's feedback recognises the EU's role in bolstering cybersecurity practices but warns against both inaction and broad horizontal regulation.
- The Commission's approach should compromise carefully on scope, reporting, certification, and support measures to maximise cybersecurity while preserving competitiveness and innovation in the digital product market.
- Compliance frameworks should emphasise secure-by-design principles, ongoing vulnerability management, documentation, and conformity assessment backed by meaningful penalties, with flexibility tailored to company size and product risk level.