Cyber Resilience Act (CRA) – new cybersecurity rules for digital products and ancillary services

Eurosmart’s feedback

As underlined by President von der Leyen’s State of the Union 2021 address, the EU should become a worldwide leader in terms of cybersecurity. Cybersecurity is of utmost importance for the EU; it is at the same time a matter of European industrial policy, a provider of economic growth as well as an asset to gain the so-called “European digital sovereignty”. In other words, cybersecurity has become a key marker of EU citizens’ societal choice.

Through its initiatives of the last five years, starting from the first NIS directive[1] as the first piece of EU-wide cybersecurity legislation, the European Union has been developing its regulatory instruments to ensure the cyber-resilience of the continent. The EU cybersecurity motto now favours collaboration with cybersecurity-leading countries over the initial EU dependency on overseas technologies. However, the Digital Single Market, whilst ensuring the free circulation of digital goods and services, doesn’t provide any binding cybersecurity rules for placing digital products on the EU market. As a result, end-users today have no guarantee that the digital product they have in their hands meets a minimum set of cybersecurity requirements. The same applies to software and ancillary services: the Digital Single Market lacks consistent requirements. The only way for the user to get consistent information about the security functions is to refer to the endless terms of service.

[1] Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union