Brussels, 20 September – On 15 September, the European Commission published a proposal for a Cyber Resilience Act which sets out minimum cybersecurity requirements for all connected devices, placing greater responsibility on software and hardware producers. SBS sees the proposal as offering a clear improvement over the current regulatory vacuum and shifting requirements and responsibilities from users to producers, which is a step in the right direction for SMEs.
The Commission’s proposal for a Regulation aims at improving the security of connected devices in the design and development of a product throughout its whole life cycle. The proposal affects all products with digital elements and would therefore have a huge impact on the EU software and hardware market and related certifications.
While SMEs who are producers of connected devices will benefit from the improvement brought by the proposal in terms of impact and clarity of the regulatory framework and an increase in the overall quality of their products, they will still likely need to make strong efforts to fully implement the new requirements. SMEs who are users of connected devices will still be required to implement the features provided by the producers to properly ensure an adequate level of cybersecurity.
Given the horizontal nature and the technical complexity of the proposal, it is crucial for all SMEs, both producers and users, that European and national authorities provide clear and easy-to-access tools to ensure their understanding of and compliance with the legislation.
The proposal and its Annex refer to cybersecurity certification schemes under Regulation (EU) 2019/881 (“Cybersecurity Act”) and look to widely rely on the development of harmonised standards to facilitate the implementation of the Regulation. SBS supports the reliance on harmonised standards as a way to ensure conformity and a less fragmented market.
Regarding the connection of the proposal to the RED Delegated Regulation 2022/30, SBS would like to re-emphasize the importance of preserving the horizontal market (more information in its position paper published in November 2019). Articles 3(3)(d), (e), and (f) aim at strengthening privacy, protection from fraud and protection of the networks. Strengthening these values can be used as an “excuse” to lock in devices, preventing third-party software from being installed and from offering value-added services that may prolong the lifetime of the device, contribute to environmental goals or offer additional features that benefit users. Standardisation experts should keep this in mind when developing relevant standards.
Commenting on the proposal, SBS Secretary General Maitane Olabarria said: “In times where cybercrime continues to be a major threat for SMEs across all sectors, the Cybersecurity Resilience Act shall provide a clear framework for manufacturers and SMEs at all levels of the supply chain. Conformity with harmonised standards will give SMEs the edge to provide high-quality devices and services, while preserving Europe’s digital sovereignty.”