16 Jun 2023 Cyber Resilience Act – Eurosmart’s feedback on ITRE and IMCO amendments
Eurosmart welcomes the recent ITRE draft report and IMCO draft opinion on the Cyber Resilience Act (CRA), and in particular the work of MEPs Nicola Danti and Morten Løkkegaard to bring the Act into closer consistency with the existing EU cybersecurity regulatory landscape.
As an organization dedicated to promoting secure digital interactions and privacy protection for individuals, Eurosmart believes that the consolidation of a comprehensive and harmonized framework for cybersecurity is essential to safeguard the European digital economy and society as a whole. The Cyber Resilience Act is a critical step towards achieving this goal.
Eurosmart believes that the proposal deserves further improvement to adequately integrate suitable cybersecurity evaluation processes. The CRA relies on the New Legislative Framework (NLF), which was designed for product safety purposes only; adapting the draft Act's provisions and adding explicit links to the EU cybersecurity certification framework under the Cybersecurity Act (CSA) are therefore necessary.
For many market segments, the European hardware security industry already relies on cybersecurity certification schemes, and soon on the EUCC scheme. This approach is extremely demanding in terms of security assessment, which at the highest assurance level includes penetration testing, vulnerability management and vulnerability disclosure. The CRA framework instead relies on conformity assessment modules with a lighter approach that do not examine security issues at such a level of detail. Eurosmart recommends that the co-legislators carefully consider the obligations imposed on manufacturers whose products are already certified: some CRA obligations, measured against the level of rigour required by CSA schemes, would be extremely detrimental to the most advanced European security hardware.
In general, Eurosmart supports the efforts of the European Parliament to strengthen cybersecurity in the European Union, and we look forward to further discussions on the Cyber Resilience Act. To build up this coordinated and comprehensive approach to cybersecurity, Eurosmart invites the Members of the European Parliament to consider Eurosmart's comments on significant amendments, and in particular the following aspects:
1. Definition of product categories
To provide legal certainty to economic operators and to implement the provisions of the CRA correctly, exact definitions of the product categories listed in Annex III are necessary. Depending on the definition, a given subtype of product may or may not fall within Annex III. Moreover, the assessment approach will vary with the classification; products already in the field may already be subject to certain types of certification, whose approach should be adapted to comply with the CRA. Without clear category definitions, it would be difficult for economic operators to invest in such preparation in advance.
The definitions of the product categories should be part of the text alongside the product categories themselves, or the entry into force of the regulation should be tied to the adoption of these definitions by delegated act. Finally, discussing the content of Annex III without the corresponding definitions at hand may distort the co-legislators' discussion of product categories and deprive them of their effective prerogatives.
2. Product lifetime
It is hardly possible to guarantee a product lifetime of more than 5 years, in particular for items that are placed on the market long after their development; multiple examples demonstrate this situation. The expected lifetime should be freely determined by the manufacturer based on its technical capacities. Depending on the technology, the type of product, the risks and the criticality, the manufacturer may be able to guarantee a longer or shorter lifetime, which in some cases may be below 5 years.
The right approach is to ensure transparency for consumers. The product lifetime should be clearly indicated in the EU declaration of conformity, which is available to the consumer, so that consumers can make their choice in a fully informed manner.
3. Vulnerability handling and incident reporting
The proposal assumes that vulnerability handling can always be ensured over a product lifetime of 5 years, which is not at all the case. For some technologies or types of product, it may be challenging for manufacturers to ensure sustainable, long-lasting products, as the risks are constantly evolving and increasing. In many situations, the level of resistance of a product with digital elements can be estimated and committed to by the manufacturer over a medium period (e.g. 3 to 5 years) counted from the development of the product or from the placing on the market of the first item, but it is hardly possible to guarantee a product lifetime beyond 5 years, in particular for items placed on the market long after their development.
Moreover, Eurosmart welcomes the proposal to make the reporting of incidents mandatory only for significant incidents. This approach alleviates the burden on manufacturers and ensures that only relevant and useful information about incidents is notified. A definition of "significant incident" should be included in the text to provide a legal basis for manufacturers.
4. Reporting obligations for actively exploited vulnerabilities
The notification process as amended by the ITRE rapporteur is much more realistic: the proposed procedure leaves manufacturers more time to gather information and carry out the necessary analysis. Eurosmart also welcomes the need-to-know principle for the disclosure of vulnerabilities that cannot be corrected or mitigated.
As regards the applicability of the reporting obligation to products with digital elements that have been certified (under EUCC, EUCS, etc.), a deeper analysis is needed to align the obligations with those already imposed by the schemes. Finally, the efforts to align the provisions with NIS2 are very much appreciated.
Eurosmart suggests addressing vulnerabilities taking into consideration the following aspects:
- Vulnerabilities should only be considered when the product is used in compliance with the user guidance;
- The assumption that users can be notified should take into account that manufacturers often do not know who the users are;
- It should be understood that some vulnerabilities cannot be fixed;
- It won’t always be possible to disclose information about products when trade secrets are involved;
- The clock for notifying a vulnerability should start only once the manufacturer has confirmed that it is indeed a vulnerability;
- The period of mandatory maintenance could lead to additional costs within the supply chain.
5. Expert group
The proposal to establish an expert group is instrumental in ensuring the correct implementation of the CRA. Moreover, as cybersecurity is a moving target, the applicable standards, methodologies and, more broadly, the conformity assessment procedures against the essential requirements will need to be continuously updated and enhanced. From this perspective, the holistic view of experts representing different industry verticals, conformity assessment bodies, standardisation organisations and public bodies active in the field is paramount.
Eurosmart recommends that the co-legislators carefully consider the composition of this group: the European Standardisation Organisations and the national authorities (national bodies) should be represented within it. Since the CRA does not apply to products developed exclusively for military and national security purposes, the participation of Europol and the European Defence Agency is not relevant. Moreover, the private stakeholders' membership should ensure that many verticals are represented, which could be achieved through business organisations. Finally, as the CRA will rely on EU CSA certification, the stakeholders that provide the technical input needed to maintain the schemes should also be involved.
Some of the expert group's missions also conflict with the advisory or decision-making functions of other EU technical groups. For instance, the certification of highly critical products is mandatory and should not be up for discussion; the group should, however, advise on which types of product fall under this category. Moreover, where certification is relied upon, the maintenance of the scheme and of the necessary Protection Profiles should be addressed per vertical. For these topics, ENISA, ECCG representatives and representatives of the future scheme maintenance organisations are the relevant parties.
6. On the availability of standards and harmonised standards
The proposal acknowledges that, where possible, harmonised standards should be the preferred approach. Harmonised standards confer on products made available on the market a presumption of conformity with the essential requirements laid down in the relevant Union harmonisation legislation. However, as the CRA covers a wide range of verticals, it seems reasonable to make the best use of the existing industrial and technical legacy of industry standards and industry common specifications, which could easily be translated into "common specifications".
Finally, given the huge standardisation effort the proposal requires, the standardisation toolbox should not be limited to harmonised standards where this can be avoided. Eurosmart recommends making the best use of the available European standards and European standardisation deliverables (harmonised standards, European standards and technical specifications) as defined in Regulation (EU) 2022/2480.