The introduction of the Cyber Resilience Act by the European Commission is getting pushback from some of the leading electronics manufacturers in Europe. Six electronics companies, including Siemens, Ericsson and Schneider Electric, have teamed up with industry group DigitalEurope to warn that the rules governing smart devices could disrupt supply chains on a scale similar to what we saw during the COVID-19 pandemic.
Proposed by the European Commission last year, the Cyber Resilience Act requires manufacturers to assess the cybersecurity risks of “products with digital elements” and take measures to fix those problems for a period of five years or through the expected lifetime of the products. To achieve this, it will establish a framework for developing hardware and software with fewer vulnerabilities.
The CRA is empowered to oversee a broad range of products, such as routers, smart meters, internet of things devices, processors, and physical network interfaces, as well as software like operating systems, password managers and web browsers. The letter argues that, given this broad mandate, the EU currently lacks the capacity to certify these products in a timely fashion without creating significant bottlenecks in the system.
The broad mandate also means that many of the products under discussion are pivotal to the European economy’s growth. Even products that are fully secure could be prevented from reaching EU markets due to congestion in the certification process.
Alternative Solutions
The alternatives proposed in the letter would allow manufacturers to self-assess their products and would narrow down the number of products subject to the legislation. The signatories also asked for a two-year implementation period before the rules would take effect.
It’s easy to see why the CRA is pushing for greater scrutiny. A series of high-profile incidents of hackers damaging business processes and demanding huge ransoms has raised concern throughout the EU. The proposed legislation could restore confidence in all internet-related products, while greatly reducing the risk of a catastrophic cyber meltdown.
Allowing manufacturers to implement their own protocols is basically the status quo, and it’s understandable that neither the EU nor European consumers would consider that a practical solution. The request for pausing the implementation—presumably until the necessary infrastructure was created—would go a long way toward addressing both the manufacturers’ concerns and the CRA’s desire for reliable safeguards.