Cyber Resilience Act Eurosmart’s feedback

23 Jan 2023 Cyber Resilience Act Eurosmart’s feedback

Posted at 09:41h in IoT, News, Position Papers by
Eurosmart’s feedback on the European Commission’s proposal for a Cyber Resilience ActDownload

Over the last decade, the European Union has been developing a solid cybersecurity regulatory approach.  The overall approach is to make the European market more resilient while ensuring the digital sovereignty of the whole continent. This trend has prioritized sensitive domains that deserve strong resilience to more and more skilled attackers.  At the same time, a large number of regulatory compliance requirements in the area, or with components on cybersecurity have been developed. Bringing potential confusion and over-regulation to the market. Hence the need for a horizontal minimum set of cybersecurity requirements is necessary.

Eurosmart has identified key topics to be considered while examining the draft legislation:

  1. Interplay with existing policy provisions
    1.1. Reasons for and objectives of the proposal
    1.2. Reporting cyber incidents
    1.3. Security for privacy
    1.4. Security for safety
    1.5. Consistency with the AI act.
    1.6. Consistency with the RED requirements
    1.7. The Chip Act
  2. Relation with the EU CSA (2019/881)
    2.1. Security for Resilience
  3. Highly critical products
  4. Open source
  5. Product categorisation
    5.1. Annex III
  6. Requirements for products with digital elements
    6.1. Essential requirements
    6.2. Obligations of manufacturers: risk assessment
  7. Vulnerability management
    7.1. Know exploited vulnerabilities
    7.2. Vulnerability reporting
    7.3. Vulnerability handling
    7.4. Mechanisms and supervision for the reporting of vulnerabilities and issues
  8. Conformity assessment
    8.1. Conformity assessment procedures for products with digital elements
    8.1.1. Interoperability of Articles 18 and 24
    8.1.2. Harmonized standards
    8.1.3. 3rd party assessments for Class I and Class II products
    8.2. Need for modularity and reusability in conformity assessments
    8.2.1. Modularity and reusability
    8.2.2. A CE mark of CE marks
    8.3. Notified bodies
    8.3.1. Conformity assessment bodies’ notification and assessment
    8.3.2. Update of the “blue guide” and inclusion of applicable “explicit” requirements
    8.3.3. Necessary consideration for performing CRA evaluation on European territory
    8.3.4. Additional clarifications
  9. CE marking & cybersecurity labelling
    9.1. The CE Mark
  10. Market surveillance and enforcement
    10.1. Product and security maintenance
    10.2. Impact of CSA schemes surveillance in the context of CRA conformance
    10.3. Highly Critical products and their maintenance
    10.4. Product withdrawn
  11. Closing comments
    11.1. Resources allocation
    11.2. Delegated Acts
    11.3. Eurosmart in support of the CRA proposal
CRA_eurosmart-feedback_

Print page