Cyber Resilience Act enhances Europe’s cyber resilience

Smart Home, Smart Mobility and Industry 4.0: from everyday life to mobility to production in factories, more and more areas of our daily lives are becoming smarter, i.e. more digital and thus more connected. According to current estimates, the number of connected devices worldwide is set to rise to around 29 billion by 2030. By comparison, there were just under nine billion networked objects in 2019. The progressive spread of digital technologies creates a multitude of new opportunities, both for private and commercial users. However, digitalisation also brings with it numerous challenges in terms of security and data protection.

Cyber security for connected devices

More and more home appliances, such as refrigerators and televisions, are connected to the internet - making them “smart”. However, thereby they are also exposed to potential threats from cyberspace. These risks can be countered by targeted technical, regulatory and behavioural measures. German companies are already investing in the cybersecurity of the products they develop, their internal processes, the people they employ, and the services they offer. Nevertheless, one hundred percent cybersecurity cannot be achieved, let alone guaranteed as the threat landscapes continuously changes.

For companies, coherent regulatory requirements are paramount to facilitate the development and marketing of products that meet these requirements and fulfil risk-based cybersecurity standards. The Federation of German Industries - together with German standardisation organisations (DIN and DKE) and industry associations (Bitkom, VDMA and ZVEI) - has therefore advocated for the introduction of horizontal cybersecurity requirements that are based on the principles of the New Legislative Framework, the regulatory framework for European product regulation. Therefore, we welcome the publication of the draft Cyber Resilience Act by the European Commission.

While compliance with the requirements set out in the EU Cybersecurity Act schemes is a priori voluntary, the Cyber Resilience Act provides for mandatory cybersecurity requirements for all products with digital elements. In addition, the Cyber Resilience Act requires manufacturers of such products to implement coordinated vulnerability management to ensure that such products are free of any cybersecurity-related vulnerability that could compromise the functionality and safety of such devices. The combination of cybersecurity requirements and vulnerability management will strengthen the cyber resilience of products throughout the value chain - from design to production, placing on the market and operation.

BDI welcomes the Commission’s proposal in principle since its horizontal approach avoids fragmentation of cybersecurity requirements while ensuring legal coherence.

Cyber Resilience Act needs practical design

The Cyber Resilience Act is an important step towards strengthening Europe's cybersecurity. Only if all products with digital elements that are placed on the European internal market meet risk-adequate cybersecurity requirements will Europe's cyber resilience be increased in the long term. Nevertheless, the Commission's draft leaves significant room for improvement in the current negotiation in and between the EU Council and the European Parliament. The European Parliament and the European Council must propose amendments to the Commission’s draft in such a way as to ensure that the envisaged cybersecurity requirements can be realistically implemented by companies. There is a need for a longer implementation period, clearer rules for dealing with software-as-a-service and Open-Source solutions, and mandatory participation of government agencies in sharing vulnerabilities. In the upcoming legislative process, risk-adequate cybersecurity requirements and the intended use of products must be more clearly addressed in the legislative text.

The implementation period of the Cyber Resilience Act must be at least 36 months so that companies, market surveillance bodies and standardisation organisations can each contribute their share to the timely implementation of the requirements. Only after the legislative process has been completed can the EU Commission issue the standardisation mandate and the European standardisation organisations develop the concrete technical requirements. Manufacturers of products with digital elements need sufficient time to implement the respective technical specifications in their product development process and to manufacture CRA-compliant products. Given the gap of around 100,000 IT security professionals in Germany alone, market regulators and companies will have great difficulty recruiting sufficient staff to implement the new requirements on time.

Trust in digital solutions: CE marking will (also) stand for cyber security in the future

The New Legislative Framework focuses aims at ensuring that all products and services placed on the European internal market by manufacturers and importers comply with safety requirements. This contributes to the safe utilisation of these products.

Products that comply with the requirements of the European standards developed based on the NLF bear the CE marking. The NLF provides transparent conditions for conformity marking and declaration of conformity. The application of the CE marking has been tried and tested for many years. Private and commercial users recognise compliance with the relevant requirements by the CE marking. By combining conformity assessment and market surveillance, the CE marking acts as an anchor of trust for private and commercial customers.

German industry appreciates that in future the CE marking will also stand for cybersecurity, and thus, considers the requirements of an increasingly digitalised society.