The Cyber Resilience Act (CRA) aims to further harmonise and improve cybersecurity in Europe. It represents a significant step in bolstering cybersecurity measures in Europe by adopting a risk-based methodology. Essentially, this means that products with a higher risk profile will be subjected to stricter requirements, and a set of common foundational rules will apply to all manufacturers, importers, and distributors of such products, large and small companies alike.

The CRA includes rules for placing products with digital elements on the market to ensure the cybersecurity of such products. It specifies essential cybersecurity requirements within two categories: 1) for the design, development, and production of products with digital elements, and related obligations for economic operators; and 2) for the vulnerability handling process put in place by manufacturers to ensure the cybersecurity of products with digital elements throughout their whole life cycle, and obligations for economic operators in relation to these processes. The CRA also stipulates rules on market surveillance and enforcement of these requirements.

Small Business Interest

While the CRA is a relatively broad regulation, the following key aspects are of particular interest to our small and medium-sized enterprise (SME) member companies:

The definition of app updates as a ‘substantial modification’ is overly broad, meaning that important software updates may require a new conformity check before being released to European customers. The exemption for Software as a Service (SaaS) or open source software needs to be clearly articulated in the CRA text.
The CRA includes a comprehensive list of critical products with digital elements, which could be particularly burdensome for digital SMEs that are not excluded from the requirements listed in the regulation. The list might even be extended through delegated acts without adequate stakeholder feedback.
There seems to be a lack of harmonisation between the CRA and other EU regulations like the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and the Ecodesign Regulation, particularly in terms of definitions and processes. The CRA does not effectively address or reconcile conflicting provisions with these other EU regulations.
The importance of cybersecurity literacy is another issue at stake. Educating end users is vital to improving security, especially in areas like internet of things (IoT), where many cyber-based attacks are preventable. Outside of regulation, we hope European Institutions will inform end users across business and consumer communities about the importance of promoting and enhancing digital literacy and cybersecurity skills.

What’s Next?

The Parliament’s Internal Market and Consumer Protection Committee has recently adopted its opinion on the CRA, resulting in a few changes. These modifications range from the inclusion of incomplete products with digital elements under the EU Machinery Regulation to the regulation of connected products using artificial intelligence. New obligations include a mandate to minimise red tape and fees for SMEs across the EU, as well as to harmonise the CRA with other EU regulations, such as NIS2 and the GDPR.

We appreciate the recognition of micro, small, and medium-sized businesses as crucial economic players in the digital market. However, we hope that our concerns highlighted above are addressed in the final version of the regulation as well. We strongly believe that a more flexible approach that sets up an incentive structure would enhance cybersecurity across the EU and advance the Digital Single Market without subjecting SMEs to potentially untenable compliance costs. Furthermore, to align with the Cybersecurity Act, any EU-wide certification for cybersecurity included in the CRA should also remain voluntary and recognise self-assessments as the default conformity assessment mechanism.

The Committee on Industry, Research, and Energy (ITRE) is slated to adopt its opinion on the 19th of July, and the final vote on the regulation is likely to happen in September. Then the Council of the EU and the European Parliament will start political negotiations called trialogues. We’ll be monitoring these developments closely and will keep you informed.