Brussels, 12 July 2023 - TIC Council is concerned with the current ITRE compromise position on the Cyber Resilience Act proposal and urges policymakers to engage in a technical discussion on cybersecurity risks and solutions. 

The proposal for a Cyber Resilience Act (CRA), published on September 15, 2022, aims to improve the security of the digital space for consumers and industries, as well as to raise cybersecurity awareness among European consumers. To achieve those objectives, the proposal suggests introducing essential cybersecurity and vulnerability handling requirements for a wide range of products, accompanied by a conformity assessment procedure based on the risk classification of the product. If manufacturers fail to comply with these requirements, the Commission may impose fines of up to 2.5% of their total annual worldwide turnover.

The European Parliament and the Council of the EU, the EU co-legislators, are currently working on amending the European Commission's proposal for a Cyber Resilience Act. The European Parliament's ITRE Committee, in charge of the text, is set to vote and eventually adopt its version of the Cyber Resilience Act on July 19, 2023. 

TIC Council welcomes the work achieved by the European Parliament in creating more consistency with the already existing EU cybersecurity regulatory landscape, especially the EU Cybersecurity Act. However, while negotiations on the text are ongoing, TIC Council suggests the following steps to ensure the Cyber Resilience Act achieves its stated objectives:

  • Further work to develop a robust and transparent product classification system.
    The current draft CRA puts existing legal certainty at risk, endangering cybersecurity. The CRA must be based on a transparent and clear classification of products and a conformity assessment methodology following the long-standing NLF principles. Specifically, the CRA must follow the traditional use and value of harmonised standards and existing rules regarding the presumption of conformity and application of standards.
  • Rejecting any postponement of the deadlines for implementing the text or the mandatory conformity assessment methods.
    The current draft CRA proposes several postponements of the text's application or conformity assessment methods that do not support the quick adoption of high-level cybersecurity standards by manufacturers and diminish the weight of the manufacturer's responsibility for its products. It is important to note that the TIC industry already has the relevant cybersecurity expertise and the technical capabilities to perform the conformity assessment procedures foreseen by the text.
  • Fully recognising the TIC industry as a trusted partner with deep expertise in cybersecurity conformity assessment.
    The TIC industry is committed to being a trustworthy partner for manufacturers and partners in the cybersecurity sector thanks to its substantial experience in conducting cybersecurity assessments across various sectors and markets. It must be kept in mind that the ultimate goal of the Cyber Resilience Act is to maximise the cybersecurity and resilience of the EU market.

Read the updated position paper here.