The Cyber Resilience Act (CRA), the comprehensive legislation addressing Internet of Things (IoT), enterprise, and Operational Technology (OT), is on track to potentially pass by the end of this year.

With Spain holding the Presidency of the Council of the European Union (EU), it has made significant strides in moving the needle on the CRA. Today, the European Parliament and the Council respectively voted on and agreed to a common position on security requirements for digital products, a decision that was needed to open the negotiating phase.

Negotiations among the three EU institutions will begin in September, and signs point to the Spanish wanting to get the CRA over the finish line by the end of that month. There is debate as to whether that is feasible or whether the file will be punted to next year. Given that this will be the last full-term Presidency before the next European elections in June 2024, Spain seems determined to advance ongoing priorities and establish the groundwork for an open and innovative EU cyber policy framework.

The unwelcome news is that, despite commendable progress, the CRA still needs work before being passed into law. The good news is that if the Spanish cannot finalize the file before their term is up, the CRA will roll over to the next member state assuming the Presidency. This will result in a restart of the legislative procedure, creating room for further influence and reconsideration of controversial provisions.

Public opinion on the CRA is still mixed. While it is touted as having the potential to become the most important cybersecurity legislation ever adopted, others call out concerning provisions that, if left unaddressed, would contradict cybersecurity best practices and risk undermining the security of digital products and those who use them.

Just last week, the Center for Cybersecurity Policy and Law hosted MEP Bart Groothuis on our podcast, Distilling Cyber Policy, where he described his major concerns with conformity assessments, vulnerability disclosure, and software liability (check out the episode here). While the text has gone through various iterations from the Commission, Parliament, and Council, and positive modifications have been made, these three issues, as well as others, remain unaddressed.

Conformity Assessments:

Device manufacturers need to perform conformity assessments to demonstrate that a product complies with the security obligations. But these requirements are broad and are not focused on areas of substantial risk.

MEP Groothuis said there are neither enough conformity assessment bodies to conduct the assessments for the outlined products nor enough expertise available to staff those bodies, which could limit or delay innovative technologies entering the EU market.

There are also security risks associated with mandating conformity assessments, which include “critically prolonging the timeframe to provide security updates and drastically diminishing the cybersecurity provider’s ability to quickly react to fast evolving threats,” Groothuis said. 

Vulnerability Disclosure:

The CRA requires manufacturers to notify the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerabilities in products with digital elements within 24 hours. However, such vulnerabilities are unlikely to be mitigated within so brief a period, which would leave dozens of government agencies holding a real-time database of software with unmitigated vulnerabilities.

Aggregating exploitable vulnerabilities in a central repository is problematic as it may lead to other government agencies misusing that information for their own purposes, MEP Groothuis said. “[It’s a] brilliant idea to ruin the internet and its safety because it’s a honeypot for any agency in the world,” he added.

While the Council's version of the text moves this sensitive task from the hands of ENISA to those of the national Computer Security Incident Response Teams (CSIRTs), neither the Parliament's nor the Council's position has addressed the cyber risks that would result from disclosing unpatched vulnerabilities.

Software Liability:

The CRA also addresses cybersecurity software liability, providing a framework for liability issues. However, additional regulation is needed to address the risks posed by software from certain countries, and clear legislation is needed to hold both telecom operators and software producers accountable for secure systems, MEP Groothuis said.

Generally, the CRA has the right aims. However, it contains worrisome and excessively broad requirements that could undermine the very security the legislation intends to enhance. The Center for Cybersecurity Policy and Law will continue to closely monitor significant updates and developments related to the CRA as the file moves through the legislative process.

Tanvi Chopra
