European Union's Cyber Resilience Act Proposal Shows Promise, Requires Revisions
The European Commission has introduced a broad cybersecurity regulation for smart devices, the Cyber Resilience Act (CRA), in response to growing and evolving cyber threats. The CRA is a proposed European Union regulation designed to enhance the cybersecurity of connected devices, and it could play a critical role in improving cybersecurity practices globally.
However, concerns about the CRA center on potentially high compliance costs and inflexibility. Stakeholders argue that the comprehensive regulatory framework, while aiming to close cybersecurity gaps and improve product security, would impose significant compliance costs on manufacturers and, because its requirements are rigid and extensive, leave them less able to adapt products quickly or innovate freely.
Manufacturers must conduct detailed risk analyses, implement appropriate anti-tampering and control mechanisms, provide ongoing security patches, and publicly report vulnerabilities. This lifecycle duty of care demands substantial resources, especially for smaller companies or those with complex products. Furthermore, the cybersecurity-by-design and by-default principles, together with the duty of care throughout the product lifecycle, may restrict how manufacturers develop, update, or modify digital products, potentially slowing innovation through strict harmonization and extensive compliance checks.
To address these concerns, several adjustments have been suggested: a risk-based and proportionate approach, flexible implementation timelines and scalable requirements, support for Small and Medium Enterprises (SMEs) and innovators, encouragement of security innovation, and clear and predictable regulatory frameworks.
A risk-based and proportionate approach would adjust CRA requirements to calibrate security obligations according to the risk profile and criticality of products, avoiding a one-size-fits-all mandate. Flexible implementation timelines and scalable requirements would allow phased compliance and modular certifications tailored to the size, type, and cybersecurity maturity of the manufacturer and product. Support for SMEs and innovators could include targeted guidance, tools, and possibly financial incentives or exemptions to lower entry barriers. Encouraging security innovation would promote the use of standards that foster innovation in security design rather than prescribing rigid technical measures, enabling updates and improvements post-market under simplified regulatory procedures. Clear and predictable regulatory frameworks would ensure transparency and predictability in compliance processes to reduce uncertainty and enable better planning by product developers.
By implementing these adjustments, the EU aims to balance its objectives to increase product security and consumer protection while keeping the regulatory framework adaptable, economically viable, and conducive to ongoing innovation in cybersecurity technologies. The Cyber Resilience Act could help ensure consistent cybersecurity practices across the EU, be a vital step toward building the Digital Single Market, and potentially bolster cybersecurity practices internationally.
References
[1] Center for Data Innovation, Statement on the European Commission's proposed Cyber Resilience Act, Kir Nuthi, Senior Policy Analyst, 16 March 2022.
[3] European Parliament, Cyber Resilience Act, 2020/0261(COD), 2020.
- The Cyber Resilience Act (CRA) proposes AI, technology, and data regulations for smart devices, aiming to boost cybersecurity and potentially global cybersecurity practices.
- However, the CRA's high compliance costs and inflexibility have sparked concerns among manufacturers, who worry about the impact on innovation and product development.
- To alleviate these concerns, the EU has proposed a risk-based approach, flexible timelines, support for SMEs, and encouragement of security innovation, all aimed at maintaining a balance between security, economic viability, and ongoing innovation in cybersecurity technologies.
- Clear and predictable regulatory frameworks, as part of the proposed adjustments, would provide transparency and predictability to reduce compliance uncertainty and enable better planning for product developers, according to the Center for Data Innovation's statement on the CRA.