Four Recommendations to Improve the Cyber Resilience Act

EU legislators are preparing for the next round of trilogue negotiations on the EU Cyber Resilience Act (CRA), which has the important goal of improving cybersecurity across the European single market. As policymakers discuss key features in the new regulation, including the scope and definitions, classification of critical products, and reporting obligations of manufacturers, we urge them to ensure that the resulting new framework for hardware and software security is feasible in practice and does not create a chilling impact on innovation through overbroad obligations for companies.

ITI and other stakeholders across different industries have repeatedly expressed concerns about elements of the regulation that could undermine the ability to effectively improve cybersecurity. These concerns remain, despite our recommendations. We encourage co-legislators to take feedback from industry more carefully into account to ensure that the CRA is applicable and relevant in practice. As policymakers look toward the next trilogues, we offer the following key recommendations:

1. Narrow the scope of the CRA and include clear definitions. The scope of the text being discussed by Parliament and Council remains disproportionately broad. It is critical that co-legislators narrow the scope and clarify key definitions, as outlined in ITI’s trilogue paper, including what is meant by “remote data processing solutions,” “commercial activity” in the context of open-source software, and “substantial modification.” Maintaining a broad scope in the final text and trying to clarify it afterwards by means of soft-law instruments, such as guidelines, will not provide sufficient legal certainty for such a wide variety of products with digital elements.

2. Establish a proportionate, risk-based approach to determining the risk level of a product with digital elements. Policymakers must take a more proportionate, risk-based approach to determining the risk level of a product with digital elements and offer manufacturers greater certainty in ascertaining whether a product is a critical one. While the Commission’s original proposal categorised every product falling within several broad categories as critical, the co-legislators now have the opportunity to take a more sophisticated approach. We recommend building on the Council’s risk-based approach with some key amendments, outlined here.

We also welcome maintaining the European Parliament’s proposed provision creating an Expert Group on Cyber Resilience, as it is important that different stakeholders and experts are properly consulted in creating and updating the list of critical products, as well as on the implementation and adoption of European cybersecurity certification schemes.

3. Avoid mandating reporting of actively exploited vulnerabilities. We have very significant concerns with provisions that would require reporting of actively exploited vulnerabilities. Rather than mitigating harm, such reporting would unintentionally create a more serious security risk by bringing a broad set of sensitive information into scope.

Similarly, it is crucial that the reporting obligations are aligned with the NIS 2 Directive to streamline reporting requirements and to avoid an unmanageable reporting burden for manufacturers and responsible authorities. This means that reporting under the CRA should be made to the CSIRTs through a single distributed reporting platform, and that incident reporting should concern only “significant incidents”, as outlined in the European Parliament’s text.

4. Avoid overlap and duplication with other applicable legislation and provide a sufficient transition period. In addition to the NIS 2 Directive, the CRA must also avoid overlaps with other applicable legislation, mainly Delegated Regulation (EU) 2022/30 (the RED Delegated Act). In this regard, we welcome the European Parliament’s proposal to repeal the RED Delegated Act when the CRA enters into force, and we strongly suggest keeping this addition in the final text of the CRA. Finally, given the extremely broad scope of the CRA, we urge the co-legislators to consider extending the transition period to at least 48 months to ensure entities can comply.
