Cyber Resilience Act: TÜV Association calls for more ambitious regulation

EU Parliament and member states are negotiating future EU cybersecurity legislation. TÜV Association calls for improvements in risk classification. Involvement of independent assessment bodies should be made mandatory for all high-risk products. Timely application of the regulation must be ensured.


Berlin, 2 November 2023 - The TÜV Association welcomes the goal of introducing mandatory requirements for the cybersecurity of connected products in the EU with the Cyber Resilience Act (CRA), but calls for consistent improvements to the current draft legislation. "We need an ambitious and robust regulatory framework for cybersecurity in order to effectively protect consumers, businesses and the state from cyberattacks. Unfortunately, the position of the EU Parliament and the EU member states falls considerably short of our expectations," says Johannes Kröhnert, Head of Brussels Office at the TÜV Association.  

Taking greater account of cyber risks in consumer products  

The TÜV Association criticizes the fact that the list of safety-critical products has been massively shortened by EU member states. "This is incomprehensible and inappropriate in view of the high level of risk and the legislator's duty to protect", emphasizes Kröhnert. For example, consumer products are not categorized as critical products at all in the Council position. "Of course, digital consumer products such as intelligent alarm systems, smart home systems or smart toys also harbour a high risk potential and can easily become a gateway for cyber-attacks," says Kröhnert. It is therefore important to include such products as well.

Mandatory independent assessments for safety-critical products 

In the TÜV Association's view, there is also a need for improvement in the conformity assessment procedures. "Many safety-critical products would be allowed to be placed on the market based purely on a manufacturer's self-declaration," says Kröhnert. The TÜV Association considers this approach to be insufficient, as it cannot guarantee the necessary level of cybersecurity for connected products. Kröhnert: "The primary goal of the EU legislator must be to ensure that only cyber-secure products are placed on the market, thereby strengthening people's trust in connected products. In addition to ambitious security requirements, this also requires reliable verification mechanisms, especially for critical products." The consistent involvement of independent assessment bodies (notified bodies) for critical products is essential in order to establish the necessary trust in the security of digital technologies. 

Ensure timely application of the regulation 

Both the EU Parliament and the member states have extended the application date envisaged by the Commission from 24 to 36 months after the regulation comes into force. Kröhnert: "This means that the cybersecurity requirements of the Cyber Resilience Act would probably not be mandatory until 2027. In view of the high number of cybersecurity incidents, such a long transition period is not justified." Instead, it is important to apply the CRA as soon as possible and to protect citizens effectively.  

Background 

The new regulation establishes basic cybersecurity requirements for all products with digital elements for the first time. This includes both physical products and software. The requirements include the consideration of cybersecurity throughout the entire product lifecycle, the documentation of all cybersecurity risks, the reporting and removal of actively exploitable vulnerabilities and an update obligation for manufacturers. Negotiations are currently taking place between the EU institutions with the aim of reaching an agreement by the end of the current year. 

More information can be found in our Recommendations on the Cyber Resilience Act trilogue negotiations.