Skip to main content

Cyber Resilience Act

Page 1

POSITION | DIGITALISATION | CYBERSECURITY

Cyber Resilience Act Introducing cybersecurity requirements for products with digital elements

1 December 2022 Executive Summary: Increasing the cyber-resilience of products with digital elements Companies, operators of critical infrastructures and private users are experiencing a steady increase in cyber-attacks. Often, cybercriminals are exploiting vulnerabilities in products with digital elements. While the attackers only have to know one of these technological weaknesses to cause significant harm, manufacturers and operators have to protect all their products and systems against an everincreasing threat landscape. Therefore, German industry advocates for the implementation of riskadequate cybersecurity measures across all products with digital elements during the design, development and production phases as well as when and while a product is placed on the market. We therefore support the European Commission’s proposal for the Cyber Resilience Act (CRA) in principle. The Cyber Resilience Act will – unlike the Cybersecurity Act – horizontally introduce cybersecurity requirements across product categories based on the principles of the New Legislative Framework. Moreover, the essential cybersecurity requirements introduced by the CRA will help essential and important entities to fulfil the supply-chain-related cybersecurity requirements introduced by Article 19 of the NIS 2-Directive. The interplay between CRA and NIS 2 will contribute to security in operations and configuration of critical infrastructures and other companies where secure products are just one, albeit important, factor for a risk-adequate level of cyber resilience. Improving the Commission’s proposal While German industries appreciate the Commission’s proposal in general, we nonetheless see some areas, where the proposal should be improved during the upcoming legislative process. We would appreciate if the European Parliament and the European Council would take into account the following proposals: ▪

reporting obligations: As determining the impact of known vulnerabilities as well as evaluating safety and appropriateness of available mitigations will require considerable resources, we urge the European co-legislators to increase the reporting period to 72 hours and mirror the reporting infrastructures which have been established under NIS 2.

Scope: While we support the Commission’s intention to include a scope that is as broad as possible, the text creates confusion, for example, as to what type of “software” should be covered by the new rules, and what is precisely meant with software with “remote data

Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu


Turn static files into dynamic content formats.

Create a flipbook
Cyber Resilience Act by Bundesverband der Deutschen Industrie e.V. - Issuu