Cyber Resilience Act: Proposal for a Regulation on cybersecurity requirements for products with digital elements

Key points

SBS welcomes the proposal for a Cyber Resilience Act (CRA) by the European Commission, as it is a necessary step to strengthen the security of connected devices and services in the European Single Market and to foster cybersecurity across the whole supply chain. However, it stresses the additional costs that new mandatory requirements generate for SMEs, including start-ups, which play a key role in this sector. If voluntary cybersecurity certification is not an option for SMEs, SBS calls for a degree of proportionality, together with increased guidance and resources for SME implementation of the new requirements, in order to lower compliance costs.

• When identifying suitable standards to be used in conjunction with the CRA requirements, the impact upon smaller companies should be considered. Measures should be taken to guarantee effective SME representation in cybersecurity-related standardisation committees.

• The co-legislators should also consider the establishment of regulatory sandboxes, based on the model introduced in the Artificial Intelligence Act. Public authorities at the national level should in particular provide the right conditions to make regulatory sandboxes effective for SMEs, which tend to struggle to create suitable testing environments.

• While SBS endorses the proposal’s risk-based approach, there is a need for additional clarity on risk assessment requirements. Additional clarity regarding the obligations along the supply chain, where SMEs often lack a full overview, would also be welcome.

• The CRA must finally include considerations of sustainability, limiting the ability of Original Equipment Manufacturers (OEMs) to impose complex security standards to restrict access to their devices. Moreover, to avoid planned obsolescence, it is proposed that manufacturers of critical products provide security updates for the entire life cycle of their products, or for a period of five years, whichever is longer.

Background

A 2021 ENISA report on Cybersecurity for SMEs found that 80% of SMEs claim that a cybersecurity issue would have a serious impact on their business – with 57% of them stating that they may risk having to shut down their business altogether.

The costs of cybersecurity attacks for SMEs can be large, and often exceed their available cash reserves. Resilience and adaptability are key to the survival and growth of any business, regardless of its size. Moreover, since SMEs account for over 99% of all businesses across Europe, promoting their security is critical to the security of the European Union as a whole.

Cyber Resilience Act (CRA hereafter), aiming to introduce cybersecurity requirements for products with digital elements. The regulation applies a security-by-design approach, whereby manufacturers are obliged to ensure the security of their products throughout their life cycle (from planning to maintenance), by making security updates available for the expected product lifetime or for five years from the placing on the market, whichever is shorter, and by reporting actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA).

harmonised standard or a third-party assessment. Highly critical products (such as operating systems and industrial firewalls) will be deemed Class II and will necessarily go through a third-party assessment.

impact assessment conducted by the European Commission found that the introduction of horizontal cybersecurity requirements would have significant benefits for both consumers and businesses, preventing the emergence of divergent security rules in different countries. Furthermore, the CRA is estimated to reduce the costs incurred in the aftermath of cybersecurity incidents by roughly €180 to €290 billion annually, with SMEs expected to be among the main beneficiaries of these savings.

position paper published in May 2022, SBS member SMEunited had reacted to the European Commission’s initiative. While it generally welcomed the upcoming piece of legislation, it expressly called for:

• The need for harmonised and transparent rules, since SMEs tend to struggle to identify secure solutions and providers;

• The cost of liability to be borne by manufacturers and developers, and for retailers – who usually lack product-specific and IT expertise – not to be burdened with additional obligations;

• Further clarifications on the requirement to provide life cycle support for products.

possibility of voluntary cybersecurity certification, expressing scepticism over binding horizontal cybersecurity requirements. It also requested further clarification on the term of “life cycle”, as well as making sure – in line with SMEunited’s own stance – that distributors are not compelled to ‘proactively’ search and ensure that products they receive are in conformity with the CRA requirements.

NIS2 Directive, the Cybersecurity Act, and the Digital Operational Resilience Act) – goes in the direction of creating a more secure digital sphere for all products and services in the European Single Market. Nonetheless, SBS calls on policymakers to bear in mind the additional costs generated by new binding horizontal requirements, especially for SMEs. If there is no room for negotiation on a possible voluntary cybersecurity certification scheme for SMEs, it highlights the need for proportionality and sufficient guidance in order for SMEs to effectively implement the provisions of the Cyber Resilience Act.

Making the Cyber Resilience Act suitable to all SMEs

Harmonisation of CRA Requirements Across European Markets – Addressing Compliance Costs for SMEs

SBS supports the harmonisation of cybersecurity requirements across multiple domains and hence welcomes the Cyber Resilience Act. However, it stresses the additional costs that new mandatory requirements generate for SMEs, including start-ups, which play a key role in this sector. If voluntary cybersecurity certification is not an option for SMEs, SBS calls for an adequate degree of proportionality to facilitate compliance.

sufficient guidance is made available to SMEs, so that companies can understand the interplay between the different European regulations relating to cybersecurity (Cybersecurity Act, NIS2 Directive, Radio Equipment Directive, Digital Operational Resilience Act…).

lower the cost of compliance. This is especially true for SMEs, which often outsource the analysis of applicable legislation. SBS therefore encourages the European Commission and Member States to provide resources, such as financial incentives, to help SMEs adapt to the new regulatory landscape. This support can, for example, be delivered through dedicated information hubs, online training materials and workshops. Inclusive stakeholder consultations, in which SMEs are involved at the different stages of the legislative process until the CRA’s full implementation, would further help in that process.

Market Surveillance and Fines

levied proportionately.

Identification of Standards

SMEs should be considered as key stakeholders and actively included in the decision-making process. Too often, large players are the ones better able to absorb the costs associated with standards and certifications. Self-assessment and proportionality of conformity assessment should be made possible for SMEs through the development of standards adapted to SMEs. To achieve this, the European Commission should in particular put in place safeguards that guarantee effective representation of SMEs in cybersecurity-related standardisation committees.

ITRE committee’s draft report on the CRA, calling for the creation of an Expert group on Cyber Resilience with an explicit emphasis on the adequate representation of SMEs. This group could contribute to better identification of relevant standards, suitable for companies of all sizes.

ensuring that the pace of regulation and technological developments are aligned – a crucial step for up-to-date standards. For instance, new standards for lightweight cryptography algorithms (the Ascon family, selected in February 2023 by the US National Institute of Standards and Technology (NIST) at the end of its lightweight cryptography standardisation process) could be essential for the cybersecurity of Internet of Things (IoT) components and other small devices.

a. proportional to the security and vulnerability management requirements;

b. in line with the certificates/standards used in other cybersecurity legislation requiring similar security levels;

c. proportional to the profile of the market.

Mandatory regulatory sandboxes at Member State level to support SMEs

SMEs can benefit from a sandbox environment that allows them to test their software and cybersecurity products before entering the market. Regulatory sandboxes can facilitate compliance, boost innovation and contribute to regulatory learning. For instance, SMEs could use regulatory sandboxes to determine which Class their product falls into, and which requirements they must comply with.

it is essential that public authorities at the national level enable the creation of test environments for SMEs, in order for such regulatory sandboxes to be effective and for SMEs to test the cyber resilience of their products. It is by enabling SMEs to test their products with digital elements in such test environments that public authorities can foster SME compliance with the rules, and thereby raise European cyber resilience.

Risk-Based Approach

greater clarity on risk assessment requirements. Currently, the regulation mandates every manufacturer to implement specific security measures in its software, without regard to whether they are necessary for the specific product and use case. SBS endorses an approach where operators who identify a vulnerability in their risk assessments adopt measures to mitigate the risks to end users. Self-assessment and proportionality of conformity assessment procedures should be facilitated for SMEs through the development of standards tailored to their needs.

SBS proposes a centralised system of harmonised methods and timing for risk assessments and related processes, managed by the European Commission or ENISA with input from industry stakeholders.

Supply Chain Obligations

should fit with the one pursued via the New Legislative Framework (NLF) in terms of improving the internal market for goods, strengthening market surveillance and boosting the quality of conformity assessments. Thus, there is a need to modernise the regulatory approach and to differentiate between the requirements for software and those for hardware.

SMEs are often not in a position to have a full overview and understanding of the different components of a product with digital elements, which are manufactured at different points along the supply chain. If obligations are not clearly outlined, and adequate support and guidance is not provided to SMEs, they might inadvertently expose themselves to high risks and bear a disproportionate legal and financial burden compared with the large suppliers in their value chain.

(Article 14(3)). Likewise, distributors who build software into their product should only be treated as manufacturers, and be liable as such, if they actually have the possibility of influencing that software.

Competitiveness, Sustainability and Life Cycle Definition

limit the ability of Original Equipment Manufacturers (OEMs) to impose complex security standards in order to restrict access to their devices. Only then will the after-sales market remain competitive and open to the majority of European ICT companies, i.e. SMEs. Therefore, to avoid planned obsolescence and ensure the ‘right to repair’ for users, it is proposed that manufacturers of critical products provide security updates for the entire life cycle of their products, or for a period of five years, whichever is longer. In this regard, SBS welcomes the provision in the European Parliament’s IMCO committee’s draft opinion on the CRA to align on this requirement. Similarly, the EU Council’s decision to remove the five-year limit on the product life cycle in its latest compromise text, meaning that manufacturers are responsible for their product throughout its lifetime, is also supported.

requirement to provide life cycle support for products requires clarification. If a company discontinues a product, it is unclear whether it is still required to provide support and security updates while the product is still in use or accessible. For example, it is still not completely clear whether the company should provide security patches if an app has been discontinued or has been substituted by a newer version. Likewise, the expectations on companies that enter bankruptcy, and their support obligations, should be clarified.

Conclusion

Views and opinions expressed are those of Small Business Standards (SBS) only and do not necessarily reflect those of the European Union or EFTA. Neither the European Union nor EFTA can be held responsible for them.