EU to Enhance Cybersecurity Safeguards for Industry with New Cyber Resilience Act (CRA)
The EU: Delivering stronger cybersecurity measures
We all know that the threats society faces from cybersecurity breaches are very real. The World Economic Forum (WEF) has found that cybersecurity is one of the top ten risks for global businesses at this time, and the EU is taking cybersecurity threats very seriously. The EU Cybersecurity Act 2019 introduced a new European cybersecurity certification framework, ensuring that all member states of the EU set up dedicated cybersecurity centres. NIS2, the EU Network and Information Security Directive, which has just been agreed by the EU institutions, introduces new processes to assess supply chain risk in Europe.
In her State of the Union address in Strasbourg on September 15, 2021, the President of the European Commission, Ursula von der Leyen, announced that a new Cyber Resilience Act (CRA) would be introduced in 2022. In line with this political commitment, it is now widely expected that the European Commission will announce the provisions of the new Cyber Resilience Act (CRA) in Q4 2022. This follows the public consultation on the CRA that was put in place by the European Commission and that concluded on May 25, 2022. Many stakeholders from the cybersecurity domain, including Huawei, responded to this important EU public consultation.
Key likely elements of the Cyber Resilience Act (CRA)
The core objective of the CRA is to introduce common cybersecurity safeguards for digital products that will be sold across the 27 member states of the EU. The strong likelihood is that both hardware and software digital products will fall under the provisions of the CRA. It is anticipated that both wired and wireless tangible digital products will also be under the scope of CRA. In a practical sense, this means that DSL routers, connected IP cameras, and smartphones are examples of products that will fall under the terms of the CRA.
A lot of the discussion about the CRA will relate to what levels of embedded software, non-embedded software, and related ancillary services will be covered by the CRA. In-vehicle computers are by nature embedded software, while phone apps and photo editing software are examples of non-embedded software. In essence, the CRA imposes obligations on manufacturers and not on consumers. The European Commission may include vulnerability disclosure requirements within the CRA, in line with similar clauses set out in the NIS2 directive.
Over the course of the next 18 months, the European Commission, the European Parliament and the EU Council (representing the 27 member states of the EU) will work out the exact details of which specific products will be covered by the CRA. For example, ancillary cloud services could fall under the provisions of the CRA. It is anticipated that passive components such as adapters, and open source hardware and software that are not linked to commercial applications, will be exempt from the CRA.
The CRA will make supply chains more resilient and will improve cybersecurity for companies and consumers alike. EU legislation to date has primarily focused on the safety-related aspects of products and has only addressed cybersecurity issues in a peripheral way. The CRA will redress this imbalance within the overall EU cybersecurity legislative framework.
Future key challenges for the CRA
Companies want business certainty. It is very important that the provisions of the CRA do not overlap with existing EU legislation such as the Cybersecurity Act or the Radio Equipment Directive (RED). The CRA must be implemented within the 27 member states of the EU in a transparent, unified, and non-discriminatory manner, and in co-operation with leading international standards organisations. This will give businesses in Europe the certainty they require: a clear and explicit understanding of how the CRA will be rolled out in practice within the EU. Such a unified approach will also ensure that the integrity of the EU internal market is upheld and protected at all times. The EU internal market is committed to the free circulation of products within the 27 member states of the European Union.
Moreover, companies need to know the exact technical specifications they will have to comply with in order to meet the CRA conformity requirements. In other words, what does a company have to do to secure an EU badge of approval stating that a particular product complies with the highest standards of cybersecurity? For high-risk products, third-party conformity assessment will be required, or even certification from national authorities will need to be secured. This is a complex matter for the simple reason that products can change during their lifecycle, which complicates liability and user responsibility issues. There will be cybersecurity requirements under the CRA both before and after market placement.
Digital transformation is a driver of innovation. Regulatory and policy frameworks must ensure that the most innovative products and services are capable of reaching the marketplace. The final agreed texts of the Cyber Resilience Act (CRA) must guarantee that the processes that deliver innovation for society are not negatively impacted. It is expected that final agreement on the provisions of the CRA will be concluded by the European Parliament, the EU Council and the European Commission around Q4 2023 / Q1 2024. The 27 member states of the EU will then have a further 18-24 months to transpose the CRA into their respective national legislation.
Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.