Cyber Resilience Act (cepPolicyBrief COM(2022) 454)
"Brussels aims to oblige the IT industry to massively improve cybersecurity already in the design and development phase. Subsequently, consumers should be able to recognise the security features already at the time of purchase. Accompanied by a specified deadline for the elimination of vulnerabilities, this strengthens the trust of customers. The Commission can only be congratulated on its proposal," says cep economist Philipp Eckhardt, who analysed the draft law with cep legal expert Anastasia Kotovskaia. According to the cep experts, a weak point is the categorisation of critical products into classes 1 and 2. "This taxonomy is opaque and inconclusive," says Kotovskaia. Against this background, the transfer of powers to adopt delegated acts from the member states to the Commission is legally tricky, she says.
The Cyber Resilience Act (CRA) is to come into force only two years after its adoption. The cep considers this timeframe too ambitious. The CRA is designed to preserve a uniform, high level of cybersecurity for hardware and software products, from printers and routers to smart household devices and industrial control systems. "The Commission's proposal is absolutely suitable for its purpose. However, affected parties need sufficient time for careful implementation of the legal act," emphasise the cep experts.