The EC is preparing a proposal for a Cyber Resilience Act (CRA) to establish common cybersecurity standards for digital products and ancillary services. Software and its entire life cycle, including embedded software, is explicitly in the scope of the CRA. NESSI welcomes this as software is essential for building secure and trustworthy products and systems.
NESSI has provided input to the EC’s public consultation and was invited by the EC to participate in workshops to provide input to a study supporting the preparatory work for the CRA. In both the public consultation and the workshops, NESSI stressed that:
- New cybersecurity legislation and requirements need to be harmonized across EU Member States to avoid fragmentation, and they should not overlap or conflict with existing industry standards and regulation.
- When assessing the risk associated with a product, it is essential to consider the potential harm that can result from its usage and the severity of that harm. It is not the product per se that creates the risk; it is the usage of the product that creates risk.
- Consequently, certification at product level, looking only at the product without considering the specific context in which it is used, is not sufficient.
The scope of the CRA needs further clarification and refinement, including a more precise description of the product categories that the CRA should address, and a description of the risk categories that should be considered. The term “resilience” should be used with care, distinguishing when the focus is cybersecurity and when it is the broader area of the resilience of a product or service.