Cyber Resilience Act: important step for more cyber security


  • Excessively broad definition of "critical products" hinders market access and must be adapted
  • Horizontal regulation finally creates uniform rules

With the Cyber Resilience Act, the EU Commission is tackling the necessary task of standardizing product requirements for cyber security and raising the level of resilience in the EU. "This regulation will affect all digital products in the European single market. Even though it poses enormous challenges for our companies, the European Single Market needs such a harmonized level playing field in cybersecurity," said Wolfgang Weber, Chairman of the ZVEI Board of Directors. The draft presented is an important step.

However, the ZVEI is critical of the broad definition of so-called "critical products" and "highly critical products", which include, for example, microcontrollers, industrial automation and control systems or parts of the Industrial Internet of Things, even if they are not used in a critical context. "This classification makes it more difficult for companies to place such products or products based on them on the market, and hence this will lead to major delays in the EU in the deployment of digital products and components," says Weber. Instead of merely maintaining high-risk lists, the concept of intended use must therefore take priority, he said. In addition, manufacturers of digital products and components must be substantially involved in assigning criticality, as they are best able to assess potential safety risks and initiate appropriate measures.

The Association of the Electro and Digital Industry takes a positive view of the fact that the draft regulation follows the principles of the New Legislative Framework (NLF). Weber: "This approach links directly to established processes in companies, among others for conformity assessment, and strengthens the role of European standardization." However, the envisaged transitional period of 24 months for the implementation of such measures is clearly too short and must be extended. The severe difficulties in applying the Medical Device Regulation show how much time is needed to subject all products to a comprehensive conformity assessment by the deadline. The European Commission should therefore set longer transitional periods here so that harmonized standards can be listed in good time and a sufficient number of notified bodies for conformity assessment can be designated.

The ZVEI has been actively campaigning for years for horizontal regulation that addresses cyber security requirements for products. From the manufacturer to the user, all participants in the value network must work together and do their part to achieve a high level of cyber resilience. To achieve this, the requirements for the individual participants, especially for manufacturers of hardware and software, must remain clearly delineated in the life cycle.