The European Cyber Security Organisation (ECSO), representing the European cybersecurity community, welcomes the ambitious proposal for the Cyber Resilience Act (CRA). ECSO has consulted its diverse Membership on the CRA and has published a position paper. ECSO supports the work done over the years by the European Union to secure the European Digital Single Market through legislation and investment, and continues to advocate for greater European Strategic Autonomy, Digital Sovereignty and Cyber Resilience.
With its position paper, ECSO Members welcome the proposal for the CRA and support its objective, whilst providing suggestions to the co-legislators to ensure that its implementation does not impose an unnecessary burden on European industry.
ECSO supports European small and medium enterprises (SMEs) and asks the co-legislators to consider how the CRA will affect SMEs, so that implementation is manageable for all. To minimise its impact on SMEs, ECSO recommends aligning the CRA, where possible, with existing EU legislation such as the Cybersecurity Act, the NIS2 Directive, DORA and the AI Act, and providing guidelines and financial support to help SMEs comply with the CRA.
ECSO also suggests making the CRA more ambitious by:
- Having a broad scope for both hardware and software and including endpoint Software as a Service solutions.
- Letting manufacturers decide the length of the product life cycle, with a minimum of 5 years. Clarification of how legal liabilities apply throughout the entire supply chain is also needed.
- Aligning reporting obligations with the NIS2 Directive, resulting in a 24-hour deadline for early warning and a 72-hour deadline for notification.
- Including a provision in the regulation for confidential reporting to ENISA, to ensure that 0-day vulnerabilities remain confidential.