30 Oct 2023 Eurosmart’s Comments on the Cyber Resilience Act (CRA) proposal.
The proposed regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements is a very important step towards a cyber-resilient European Digital Society. The introduction of essential cybersecurity requirements, together with obligations to report and patch cyber incidents and vulnerabilities, is an important part of cybersecurity. The risk-based approach adopted by the CRA proposal, which takes security threats into consideration, is a very important step towards standardizing the entire market's emphasis on security. Eurosmart supports the adoption and implementation of such principles within the CRA proposal.
Representing the security industry in Europe, the members of Eurosmart are at the forefront of pushing the adoption of security principles. They are therefore glad to see key security concepts that are already in practice within the high-end security industry being adopted in other domains, particularly those where such security practices were not mandated. In the new connected society, the absence of such mandates has meant that these domains could be seen as the weakest link in the protection of our national infrastructures; this is especially true in emerging IoT technology, where security was an afterthought.
EU cybersecurity certificate to provide presumption of conformity
Eurosmart members have been performing security assessments for several years, building a long tradition of certification of ICT products in the high-end security domain. This maturity of the high-end security domain is recognized in Article 18 of the CRA proposal, under which EU cybersecurity certificates and EU statements of conformity from schemes implemented under the Cyber Security Act (CSA) can be accepted to demonstrate conformance with the CRA as well. This approach is key to ensuring that costs do not escalate for manufacturers when complying with multiple pieces of legislation within Europe and also outside of Europe. If a manufacturer were required to comply with multiple overlapping acts, this would mean an escalation in costs for products and services and would directly affect the cost for EU citizens.
In summary, Eurosmart would like legislators to acknowledge that schemes created under the CSA should automatically be seen as conformity proof under the CRA without additional efforts or costs for manufacturers.
No certification obligation for high-end security products approved by sectorial schemes
As the trialogue period is already underway, Eurosmart recommends prioritizing the implementation of the CRA principles, such as the implementation of Essential Cybersecurity Requirements, on those product categories where conformance mechanisms are not yet regular practice. A certification obligation under the CRA for all high-end security products would complicate existing high-level evaluation processes. Several types of evaluations are already required for various sectors and have kept products at the state of the art for years through the assessment of advanced and sector-specific security requirements: this is typically the case for banking products through the EMVCo, Visa, Mastercard… approval processes, as well as for telecommunication products evaluated through the GSMA eSA scheme.
Consequently, Eurosmart invites the co-legislators to reconsider the European Council proposal for a certification obligation covering all high-end security products, as laid down in Annex IIIa of the proposal.
Eurosmart has a long history of supporting security legislation and standards and continues to support and contribute to both the CSA and the CRA through expertise and adoption.