23 Jan 2023 Cyber Resilience Act Eurosmart’s feedback
Over the last decade, the European Union has been developing a solid cybersecurity regulatory approach. The overall approach is to make the European market more resilient while ensuring the digital sovereignty of the whole continent. This trend has prioritized sensitive domains that deserve strong resilience to more and more skilled attackers. At the same time, a large number of regulatory compliance requirements in the area, or with components on cybersecurity have been developed. Bringing potential confusion and over-regulation to the market. Hence the need for a horizontal minimum set of cybersecurity requirements is necessary.
Eurosmart has identified key topics to be considered while examining the draft legislation:
- Interplay with existing policy provisions
1.1. Reasons for and objectives of the proposal
1.2. Reporting cyber incidents
1.3. Security for privacy
1.4. Security for safety
1.5. Consistency with the AI act.
1.6. Consistency with the RED requirements
1.7. The Chip Act - Relation with the EU CSA (2019/881)
2.1. Security for Resilience - Highly critical products
- Open source
- Product categorisation
5.1. Annex III - Requirements for products with digital elements
6.1. Essential requirements
6.2. Obligations of manufacturers: risk assessment - Vulnerability management
7.1. Know exploited vulnerabilities
7.2. Vulnerability reporting
7.3. Vulnerability handling
7.4. Mechanisms and supervision for the reporting of vulnerabilities and issues - Conformity assessment
8.1. Conformity assessment procedures for products with digital elements
8.1.1. Interoperability of Articles 18 and 24
8.1.2. Harmonized standards
8.1.3. 3rd party assessments for Class I and Class II products
8.2. Need for modularity and reusability in conformity assessments
8.2.1. Modularity and reusability
8.2.2. A CE mark of CE marks
8.3. Notified bodies
8.3.1. Conformity assessment bodies’ notification and assessment
8.3.2. Update of the “blue guide” and inclusion of applicable “explicit” requirements
8.3.3. Necessary consideration for performing CRA evaluation on European territory
8.3.4. Additional clarifications - CE marking & cybersecurity labelling
9.1. The CE Mark - Market surveillance and enforcement
10.1. Product and security maintenance
10.2. Impact of CSA schemes surveillance in the context of CRA conformance
10.3. Highly Critical products and their maintenance
10.4. Product withdrawn - Closing comments
11.1. Resources allocation
11.2. Delegated Acts
11.3. Eurosmart in support of the CRA proposal