Eurosmart welcomes the recent achievements of the co-legislators on the Cyber Resilience Act (CRA) to provide more consistency with the already existing EU cybersecurity regulatory landscape.
As an organization dedicated to promoting secure digital interactions and privacy protection for individuals, we believe that the proposals deserve further improvement to fit adequately within the EU cybersecurity regulatory landscape.
The digital security industry reiterates some concerns that have already been addressed in a previous white paper. The junction between safety and cybersecurity must be clarified, and legal definitions and clarification of the CRA requirements for EU cybersecurity certified products should be provided. For the obligations on manufacturers, including the definition of product lifetime, security update requirements, the incident mechanism and the disclosure of vulnerabilities, Eurosmart would like to draw the co-legislators' attention to the mechanisms that are already in place for EUCC (today SOG-IS) certified products or for products falling under the scope of NIS2. Full alignment with NIS2 and with the other requirements already in use for this kind of product should be ensured.
Moreover, a certification obligation in the CRA context for all high-end security products will complicate the existing high-level evaluation processes. Instead of an obligation, Eurosmart recommends relying on a "presumption of conformity" that could be provided by EU cybersecurity certificates.
Read Eurosmart's position paper on CRA's mandatory certification for high-end products
Therefore, Eurosmart points out the following provisions:
1. Required use of European cybersecurity certification schemes
2. Common specifications
3. High-risk AI system
4. Obligations of manufacturers
   4.1. On components
   4.2. Product lifetime – Support period
   4.3. Security updates
   4.4. Access to the source code for other undertakings extending vulnerability handling services
   4.5. Subsequent versions of a software product
5. List of essential requirements
   5.1. Distinguish obligations for placing on the market from obligations during the whole product lifetime
   5.2. SBOM – Information format
6. Reporting obligations
   6.1. Limitation in time
   6.2. No corrective or mitigating measures available
   6.3. Notification procedures – actively exploited vulnerabilities
   6.4. Notification of significant incidents
   6.5. Information to the impacted users
7. Definitions
   7.1. Data
   7.2. Actively exploited vulnerability
   7.3. Cyber threat
   7.4. Essential requirements
Annex I Comments on the mandate of the European Parliament
Annex II Comments on the EU Council's General Approach