The proposal for a Cyber Resilience Act - a BusinessEurope position paper
Key messages
- BusinessEurope welcomes the European Commission’s proposal for a Cyber Resilience Act (CRA) as it has the potential to significantly increase Europe’s cyber-resilience. We urge the European co-legislators to preserve the CRA’s many positive elements, e.g. a self-assessment of conformity for most products. The New Legislative Framework is best equipped to adequately ensure that requirements and obligations for the economic operators are proportionate and aligned with market practices.
- The implementation of risk-adequate cybersecurity measures across all products with digital elements during the design, development, and production phases, as well as the vulnerability handling procedures, will contribute to a more trusted business environment for the supply of and demand for such products in the EU single market.
- Targeted clarification on notions such as software-as-a-product and “remote data processing services” must be made to avoid the risk of double regulation, and to ensure that the proposal meets its objective.
- The risk categorisation of products and thereby the conformity assessment procedures must be clarified based on, inter alia, intended use, application environment, and method for controlling the product. Highly critical products must be defined in a lex specialis.
- Leveraging harmonised European standards and alignment with international standards is crucial for businesses’ scalability both within and outside the EU market.
- The implementation period must be prolonged to at least 36 months to allow adequate time for standardisation bodies to develop the necessary harmonised European standards, to provide breathing space for economic operators to comply with requirements and obligations stemming from horizontal and sectoral legislation, and to enable market surveillance authorities to set up respective institutional structures.