Cyber Resilience Act – CECE responds to public consultation

On 25 May, CECE submitted its response to the European Commission’s public consultation on the Cyber Resilience Act (CRA).

Advertisement

The Commission’s initiative aims to improve the internal market’s functioning by introducing new horizontal cybersecurity requirements for connected products and associated services. The announced harmonised rules would add to the existing framework – composed of the Directive on the security of Network and Information Systems (so-called NIS directive, which is currently under review), and would complement the Delegated Regulation to the Radio Equipment Directive.

The scope of the initiative is notably relevant for CECE as it covers a wide range of digital products and their ancillary services placing obligations on economic operators throughout the whole life cycle of products.

In addition to the essential cybersecurity requirements, the future Cyber Resilience Act would introduce provisions on conformity assessment, on the notification of conformity assessment bodies, and on market surveillance.

CECE believes that the scope of the future Cyber Resilience Act is potentially very broad and should be limited only to those devices connectable to the internet. Besides, manufacturers should not be held responsible for the application of cybersecurity requirements throughout the whole life cycle of digital products, this resulting in a duplication of burden after products have been placed on the market. Yet, cybersecurity requirements should account for the various stakeholders involved, also considering that construction machinery products have life cycle in the range of decades.

On the various policy options to improve the cybersecurity of digital products, CECE supports the adoption of horizontal regulatory measures but, at the same time, the interaction with the existing requirements should be clarified. On the contrary, amending the existing legislation could be effective for certain types of products, while it presents the risk of fragmentation and contradiction to those products subject to multiple sectoral legislation.

The European Commission intends to put forward its Cyber Resilience Act (CRA) proposal in the third quarter of 2022, and CECE will continue to monitor closely the developments of the file.