Brussels, 23 January 2023 – TIC Council welcomes the objectives of the proposed Cyber Resilience Act but recommends that policymakers clarify crucial aspects of the text.
On 15 September, the European Commission published its proposal for a Cyber Resilience Act. It aims to improve the security of the digital space for consumers and industries, as well as to raise cybersecurity awareness among European consumers. To achieve these objectives, the Commission's proposal suggests introducing essential cybersecurity and vulnerability handling requirements for a wide range of products, accompanied by a conformity assessment procedure based on the risk classification of the product. If manufacturers fail to comply with these requirements, the Commission may impose fines of up to 2.5% of their total annual worldwide turnover.
The Commission's legislative initiative is timely as the widespread use of connected devices, accelerated by the pandemic, has led to a dramatic increase in cyber-attacks. Indeed, it is expected that there will be around 27 billion connected IoT objects by 2025. The Cyber Resilience Act is therefore expected to have a significant impact on the industry, which will have to adapt quickly to implement these new cybersecurity obligations.
Considering the compliance system foreseen by the Act, the TIC sector is a central player in the successful implementation of the text. The TIC Council is therefore pleased to share its position on the proposed Cyber Resilience Act. The paper describes the current challenges facing the EU horizontal cybersecurity framework and proposes orientations for achieving a higher level of cybersecurity and competitiveness at the European and international levels.
TIC Council suggests the following steps for the text to reach its objectives.
1. A comprehensive risk-based cybersecurity framework
TIC Council urges policymakers to clarify the risk assessment and product classification methods so that all products with digital elements benefit from a transparent methodology and are classified according to the risk they pose.
2. Independent conformity assessment of critical products
TIC Council recommends that all critical products be subject to a conformity assessment procedure involving an independent notified body. For low-risk products, the benefit of a presumption of conformity for the manufacturer must always be preceded by the full application of harmonised standards; otherwise, a third-party conformity assessment body must be involved.
3. Continuous assessment of digital products
TIC Council supports manufacturers' implementation of cybersecurity best practices, including cybersecurity by design, for all products with digital elements until their end of use. Compliance with these requirements should be assessed on an ongoing basis.
In line with the mission of the TIC sector to support the design of policies that improve security and safety while promoting innovation and facilitating trade, the position paper provides straightforward ways to ensure the continued safe use of digitally enabled products in the European market and globally.
Contact Person: Mann Nguyen, Junior Public Affairs Officer, tel: +32 490 57 69 54, email: mnguyen@tic-council.org