POSITION | DIGITAL POLICY | CYBERSECURITY
Cyber Resilience Act
German industry’s position on the ITRE report – good first proposals for amendments, but further amendments urgently needed to minimise bureaucracy, ensure practicality and safeguard competitiveness
24 April 2023

Evaluation of (selected) proposed amendments

German industry welcomes the European Commission’s proposal for the Cyber Resilience Act (CRA) in principle. The Cyber Resilience Act will – unlike the Cybersecurity Act – horizontally introduce cybersecurity requirements across product categories based on the principles of the New Legislative Framework. Moreover, the essential cybersecurity requirements introduced by the CRA will help essential and important entities to fulfil the supply-chain-related cybersecurity requirements introduced by Article 21 of the NIS 2-Directive. Nonetheless, there are areas where the proposal should be improved during the ongoing legislative process.

To this end, BDI welcomes the draft report by MEP Nicola Danti, as it already proposes some very important changes to the Commission’s proposal, such as the longer implementation period. In contrast, we see the introduction of multiple reporting obligations per vulnerability and incident as the wrong approach, since it will tie up scarce IT security resources – both in terms of personnel and finances – without providing any benefits in terms of increasing Europe’s cyber resilience.

Below we discuss the amendments proposed by MEP Danti. We would appreciate it if Members of the European Parliament were to take our suggestions for further amendments into account.

Amendment 1 – Recital 1

German industry welcomes that Rapporteur Danti recognises the severe impact that cyberattacks have on the internal market. We support the Rapporteur in his evaluation that it is of utmost importance to increase the Union’s cyber-resilience through targeted measures. To this end, German industry advocates for the implementation of risk-adequate cybersecurity measures across all products with digital elements during the design, development and production phases as well as when and while a product is placed on the market. We therefore support the proposal for the Cyber Resilience Act (CRA) in principle.

Amendment 2 – Recital 2

Providing B2B and B2C consumers with information about the expected lifetime of products placed on the market and the provision of security updates is essential to turn cybersecurity into a criterion influencing a customer’s decision to buy a certain product. The CRA will facilitate this by introducing the expected lifetime of a product as well as requiring producers
Steven Heckler | Digitalisation and Innovation | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu