An In-Depth Analysis of the Cyber Resilience Act's Legislative Procedure
In today’s rapidly evolving digital landscape, cybersecurity has emerged as a fundamental asset for preserving the innovative capacity of digital solutions. To address cybersecurity deficiencies in various products and enhance consumers’ ability to identify and assess cyber secure products, the European Commission proposed the Cyber Resilience Act (CRA) on September 15, 2022.
As previously discussed, the legislative proposal introduces harmonized rules on mandatory cybersecurity requirements for products with digital elements, covering the planning, design, development, and maintenance stages. Nevertheless, concerns have been raised about potentially burdensome obligations that may affect the competitiveness of small and medium-sized enterprises (SMEs). With ongoing discussions shaping the positions of the co-legislators, the focus remains on striking a balance between strengthening cyber resilience and avoiding excessive burdens on SMEs, while fostering a competitive and sustainable digitalisation of all industrial ecosystems.
Keeping a watchful eye on the policy debate on cyber resilience, the hybrid event organized under PUZZLE, “Fostering Cyber Resilience for SMEs”, brought together diverse perspectives on the impact of the CRA on SMEs in Europe, with specific attention given to the Act’s influence on the European cybersecurity market.
Notably, Maika Föhrenbach, Policy Officer of the Cyber Security and Digital Privacy Policy Unit of the European Commission, delivered a keynote speech providing insights into the Commission's objectives and the provisions that will support SMEs in complying with the Act. Furthermore, one of the consortium partners, which represents SMEs in Europe and is also responsible for SME engagement and mentoring in PUZZLE, spoke on behalf of SMEs and contributed actively to the discussion by developing a thorough Position Paper and submitting amendment proposals to the Parliament.
Altogether, SMEs have emphasized the need for clear guidance, support, and proportionality measures to ensure the effective implementation of the new requirements. It has further been identified that harmonized standards and SME representation in standardization committees play a crucial role in enabling compliance. When mandating the development of CRA standards to the European Standards Organisations, the Commission should instruct them with concrete measures and KPIs to ensure the development of SME-friendly standards. The establishment of regulatory sandboxes, akin to the provisions in the Artificial Intelligence Act, has been recognized as an additional means to facilitate compliance, stimulate innovation, and foster regulatory learning. There is also support for extending the transition period and allowing voluntary compliance before the official application of the Cyber Resilience Act (CRA). These considerations underscore the importance of providing SMEs with the resources and flexibility they need to adapt effectively to the regulatory framework.
Under scrutiny in the European Parliament and the Council of the European Union, the proposed text has undergone notable revisions.
Rapporteur Nicola Danti's draft report emphasized aligning product lifetime with consumer expectations, granting manufacturers the authority to determine it. With respect to the product life cycle, the CRA should also take sustainability into account. There should be limits on the ability of Original Equipment Manufacturers (OEMs) to impose intricate security standards that restrict independent third-party access to their devices. Additionally, the Council, led by the Swedish Presidency, incorporated previous changes and introduced further elements to enhance flexibility, clarifying that security updates may not be applicable in integrated product settings or in instances of operational interference.
The amendments propose several changes to the provisions on cyber resilience regulatory sandboxes, penalties, the allocation of penalty revenues, manufacturers' obligations, and security updates. Member States must establish effective and proportionate penalties that take the financial capabilities of SMEs into account. Compliance should account for SME status, guidance, and financial support. Penalties should consider the size, market share, risks, consequences, and financial characteristics of the offending operators. Manufacturers must address vulnerabilities, provide security updates for a minimum of five years or for the expected product lifetime, and inform buyers of the duration of update support. Penalty revenues should fund initiatives for training skilled cybersecurity professionals, capacity-building, and raising awareness. Equitable and reasonable conditions should be ensured for SMEs with respect to conformity assessment fees.
In conclusion, most of the proposed amendments move in the right direction of addressing the concerns of SMEs. Digital resilience and adaptability are critical to the survival and growth of SMEs. Policymakers continue to be invited to adopt a proportionate approach that fosters and secures Europe-led innovation while minimizing the disproportionate costs borne by SMEs.
By providing the necessary guidance, support, and inclusive measures, the Cyber Resilience Act can strengthen cybersecurity across Europe and enable SMEs to thrive in the digital economy.
Author: European DIGITAL SME Alliance
Featured Photo by CoolVid-Shows on Pixabay.