ECSO contributes to the European Commission’s public consultation on the Cyber Resilience Act to help establish common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services. Digital products and ancillary services create opportunities for EU economies and societies. But they also bring new challenges: when everything is connected, a single cybersecurity incident can propagate through an entire system, disrupting economic and social activities.
ECSO’s members believe that the Cyber Resilience Act (CRA) should be the cornerstone of cybersecurity regulation in the European Union, providing horizontal principles and promoting consistency and harmonisation with existing, forthcoming and revised sectoral legislation:
- The CRA should have a broad scope and cover all digital services and devices that could represent a security risk. Standalone software, however, should be kept out of the scope of the CRA, because its risk is highly application-specific and dominated by the implementation environment and context of use.
- Risk categorisation should be based on the intended use of a product and the risk environment in which it will operate, not only on its technical characteristics.
- The CRA should further require security by design and by default to strengthen the resilience of all digital products and ancillary services. It should mandate minimum security requirements and other best practices: security updates throughout the product’s life cycle, encryption of data at rest and in transit, and Multi-Factor Authentication (MFA) for all products addressed to the consumer market.
- ECSO believes that producers of digital products, across the entire supply chain, should be required to design their products following the principles of SecDevOps and Zero Trust.
- The CRA should also encourage the creation and implementation of an EU-wide Vulnerability Disclosure Policy (VDP) together with bug bounty programmes to reward cybersecurity researchers for their work and ensure a safer online environment.
- In addition, ECSO encourages the creation of an EU-wide cybersecurity label to transparently inform businesses and end consumers who are not IT experts about the origin of each product, its cybersecurity level and its environmental impact. This label should be very simple to read. It would not replace existing certification schemes, but it could be used to encourage the uptake of digital devices and services produced in the EU that comply with EU legislation and standards.
- ECSO believes that trustworthy EU solutions meeting stringent security standards gain a unique selling point that differentiates them from cheaper, insecure solutions.
ECSO’s full contribution to the consultation is available from ECSO.
ECSO unites more than 270 European cybersecurity stakeholders, including large companies, SMEs and start-ups, research centres, universities, end-users, operators, associations and national administrations. It works with its Members and Partners to develop a competitive European cybersecurity ecosystem that provides trusted cybersecurity solutions and advances Europe’s cybersecurity posture and technological independence.