The Cybersecurity Coalition recently concluded a delegation to Paris and Brussels, where we met with major European institutions such as the Organization for Economic Co-operation and Development (OECD), the National Security Agency of France (ANSSI), French Ministry of Europe & Foreign Affairs, DG Connect, EU Commission, EU Parliament and member state PermReps. The main topic of discussion was the proposed Cyber Resilience Act (CRA).

It’s clear that the CRA is a comprehensive piece of cybersecurity legislation that, if done correctly, can meet its objective to bolster the security and resilience of products with digital elements. As written, however, the CRA has all of the right aims but is structured in a way that will undermine its effectiveness.

The Coalition has offered a number of detailed recommendations in our formal response to the European Commission’s CRA proposal that would help provide more clarity to stakeholders, align with existing global standards and international best practices, and improve cybersecurity in connected devices. For the overall bill to operate effectively as a policy, it should be separated into a series of discrete bills targeting each one of its major focuses: consumer IoT, operational technology (OT) and enterprise. Broad ambitions are good, but they must be executed in a way that is functional, operational, and maximizes security.

With this in mind, below are some key takeaways in response to the CRA proposal:

  • Leverage International Cybersecurity Standards: Ensuring that all devices leverage best-in-class international standards will ensure that the CRA effectively uplifts the cybersecurity of connected products across the European market. For example, rather than reinventing the wheel, ETSI 303 645 is a globally applicable standard that can be used; it establishes security baselines for consumer IoT devices.
  • Embed Risk Management: Fostering a global risk management approach and pushing products to embed “security by design” would put the CRA in a better position to level up cybersecurity.
  • Drive Useful Incident Reporting: The CRA should harmonize its incident reporting requirements with the General Data Protection Regulation (GDPR) and NIS2 by requiring that only high, severe, and emergency-level incidents be reported to the Computer Security Incident Response Team (CSIRT) of the Member States concerned, without undue delay, and in any event within 72 hours of becoming aware of the significant cybersecurity risk.
  • Streamline Reporting of Known Exploited Vulnerabilities: Empowering ENISA to publish an external catalogue of known exploited vulnerabilities and more narrowly identify the vulnerabilities that must be reported will avoid over-reporting of insignificant vulnerabilities.

The CRA can be a landmark piece of legislation that improves cybersecurity in Europe and beyond. In its current form, however, it will serve as a boon to the compliance industry, without providing commensurate security benefits to consumers.

Tanvi Chopra
