The vote in the European Parliament’s Industry, Research and Energy Committee on the Cyber Resilience Act (CRA) marks an important milestone for the cybersecurity of our continent.
An ever-increasing number of products nowadays can connect to the internet: laptops and smartphones, of course, but also household appliances, smart home assistants, cameras, and industrial control systems, as well as software products such as apps, desktop programs, and computer games. Everything is and will be connected.
With more interconnection, opportunities for growth, development, and innovation multiply. But so do cybersecurity threats.
The cost, both material and immaterial, of cybercrime is constantly on the rise. Not a day goes by without reports of attacks, vulnerabilities, ransomware, or the like.
Europe’s cybersecurity is as strong as its weakest link: we need to step up our game.
This is why, with the CRA, we want to establish horizontal cybersecurity requirements for hardware and software products, to ensure that manufacturers improve security during the design and development phase, that supply chains are more cyber secure, and that security updates are consistently provided to users.
Essential cybersecurity requirements
Products that fall under the CRA will need to have certain essential cybersecurity features to be placed on the Union’s market. For example, products must be designed to reduce potential attack surfaces, mechanisms must be put in place to ensure protection from unauthorized access and the confidentiality and integrity of data, and known vulnerabilities must be removed before a product can be made available on the market. These are important requirements to ensure that cybersecurity is taken into account from the outset.
To deal with widespread vulnerabilities in connected products that may emerge during a product’s lifespan, the Parliament also introduces the notion of a cybersecurity support period, during which the manufacturer must ensure the correct handling of vulnerabilities. We need manufacturers to provide security updates consistently and regularly, as well as to ensure that security updates are installed automatically as much as possible (while the user should retain the option to deactivate such features). As manufacturers will be required to indicate on the product’s packaging the duration of the support period, consumers will be able to make better-informed choices and opt for longer-lasting devices.
Some products, of course, have a higher cybersecurity risk than others. A smart fridge does not pose the same threat as a private security camera guarding your home or software where you store all your passwords. For the latter two, cybersecurity requirements need to be more stringent. This is why we draw up a list of critical products for which harmonized European standards need to be applied, to ensure a common level of cybersecurity. Moreover, in certain cases, third-party companies specialized in carrying out audits (so-called “conformity assessment bodies”) need to check a product’s compliance before it can be made available to consumers.
Free and open-source software
The Regulation also covers software that is made available under a free and open-source license. Free and open-source software is key to the functioning of the Internet and its cybersecurity must be ensured. Yet, such software is often designed by passionate developers who may not have the resources to comply with the CRA. This is why we made it clear that the Regulation applies only to open-source software developed or supplied as part of a commercial activity, and that the responsibility can never fall on individual developers contributing to open-source projects.
Setting the international standard
Imposing all these rules has, of course, a significant cost for our industry. Yet the cost of cybercrime is much, much higher, at an estimated €5.5 trillion in 2021. Tackling cybersecurity from the outset will not only protect Europe’s economy and financial interests but will also give our companies a competitive advantage over our international competitors. As happened with the General Data Protection Regulation (GDPR), the Cyber Resilience Act can become the international point of reference for the cybersecurity of connected devices, well beyond the Union’s market.
With today’s vote, the European Parliament now stands ready to negotiate with the Member States to find a common position. Informal negotiations with the Council of the EU and the European Commission – the so-called trilogues – are expected to begin in September. We will work hard to find an agreement as soon as possible and make sure that connected products circulating in the single market are much more cyber secure.