Earlier this summer, we outlined the ins and outs of Europe’s Cyber Resilience Act (CRA), including our four main concerns, particularly in relation to small and medium-sized enterprises(SMEs) like our member companies. Since then, both the European Parliament’s (EP) Committee on Industry, Research, and Energy (ITRE) and the EU Council, representing European Member States, have voiced their perspectives ahead of the CRA’s Plenary vote later this fall. Below, we have outlined changes the CRA has seen since our last update and what to expect moving forward.
“Substantial modification” definition
In the latest report, the ITRE defined the idea of “substantial modification,” adopting a more balanced approach, especially for small developers. It determined that minor updates and fixes, such as code tweaks or adding new visuals, shouldn’t be seen as major changes. If these small changes are made, manufacturers don’t need to reassess the digital parts of the product, saving them time and money.
The Council’s view is a bit different, especially on what counts as a “substantial modification.” While the EP suggests security updates be given separately and installed automatically (with an option to turn off) from functional updates, the Council only outlined that updates would be required for a minimum of 10 years and didn’t indicate a separate update requirement.
Digital elements
The number of ‘critical’ digital products remains unchanged from earlier drafts in the ITRE’s report, and just as before, ‘critical’ products that can impact health, rights, or safety are under stricter rules. For instance, makers of things like network tools, fingerprint scanners, password keepers, or system setup tools would be required to receive a European cybersecurity seal, and as we saw earlier this year, the European Commission may add more items to this ‘critical’ list. They can begin making these additions two years after implementation.
Once again, the Council’s perspective is a bit different. They’ve limited the list of ‘critical’ digital products and categorised them uniquely, covering products like VPN tools, the virtual system supports, and security systems. However, the European Commission still holds the right to update this list in the future.
Open source consideration
In the updated ITRE report, some new protections and clarifications are added for software as a service (SaaS) and open source software. Simply put, the rules will apply to free and open-source software only if it’s being sold or used in business. The report also mentions that services like SaaS, platform as a service (PaaS), and infrastructure as a service (IaaS) might be covered by these rules if they are considered remote data processing solutions. Members of the European Parliament (MEPs) have asked the Commission to give more guidance on how to use these software types.
At the time of posting, it would appear that the Council mostly agrees with the ITRE Committee’s views.
Harmonisation with other laws
The ITRE Committee made a good effort to align the CRA with other laws. MEPs also added a role for the European Union Agency for Cybersecurity (ENISA) to be responsible for receiving alerts from manufacturers about security issues. These alerts should come in within three days after spotting the issue, a change from the original one-day timeframe. While efforts have been made to align with other rules, some, like the Eco-design regulation, might not be fully considered, even though they might affect security updates.
The Council’s viewpoint aligns with the ITRE’s three-day alert window; however, they believe that these alerts should go to national authorities instead of ENISA.
End-user education
The ITRE report emphasizes the need for better cybersecurity training. It suggests that with the help of ENISA, the Commission and Member States should roll out education programs in this field, an initiative we applaud.
The Council agrees to an extent, as they’re particularly keen on helping small businesses improve their digital skills. They suggest using EU funds and the collaboration of various EU and national bodies to ensure manufacturers, especially smaller ones, understand and meet their responsibilities.
Additional changes and next steps
The ITRE also introduced the idea of ‘regulatory sandboxes’ so developers and innovators can safely test new products or software. ENISA would guide countries in creating these sandboxes, and manufacturers would have to share product lifecycle data. The Council doesn’t mention using sandboxes.
When it comes to oversight and advice, the Parliament and Council appear to have different approaches to CRA implementation; the Parliament wants to empower ENISA further, suggesting more staff and funds. They also included more time for the industry to adjust to the new rules, suggesting a three-year rollout instead of two years, an extension that our SME members would value.
As outlined above, the European Parliament’s main committee (ITRE) settled on its stance earlier this summer and is planning a final decision by mid-October. The Council also wrapped up its decision just ahead of the ITRE, and is prepping to discuss the CRA with the European Parliament, likely right after Parliament’s vote. Trilogues are expected to begin before the end of the year, however, it’s uncertain if all parties will agree on everything by the end of 2023. We’ll continue to monitor CRA developments closely and will keep you informed.