The European Commission has presented the proposal for the Cyber Resilience Act (CRA) regulation. The proposed measures are intended to regulate that the cybersecurity of digital products is already ensured as soon as they are designed, developed, manufactured and put into circulation. Furthermore, manufacturers are to be obliged to fix vulnerabilities and to report actively exploited vulnerabilities and incidents. Market surveillance and enforcement provisions are also included in the Cyber Resilience Act.
Prof. Norbert Pohlmann, eco Board Member for IT Security, believes it is understandable that the EU wants to make digital systems even more secure and resilient in the future. However, he does not see an automatic improvement in security in the planned rules: “Companies first have to check their existing security practices and documentation procedures to see if they comply with the new requirements. This is a bureaucratic effort that should not be underestimated,” says Prof. Pohlmann. “It does not create more security per se. Even if individuals certainly benefit from such a review, we can basically assume that for IT companies of all sizes, compliance requirements will initially create considerable burdens.”
Encryption must be further strengthened
How extensive the impact on companies will be, however, also depends on the extent to which the different sets of rules are compatible with each other and interlock. For example, the existing EU framework already includes the NIS and the NIS-2 Directive, as well as the Cyber Security Act, which the new Cyber Resilience Act is now supposed to complement. Here, Pohlmann also sees a risk of more uncertainty as to which EU regulation applies in which context. In his view, it would be desirable if the regulations were harmonised, consistent and coordinated.
“This applies especially with regard to the scope of application and the broad definitions,” says Pohlmann. Here, for example, demarcation problems between so-called critical and particularly critical products could arise. He would therefore like to see improvements and more clarity in the CRA. In addition, the role of the Commission with the Delegated Acts contributes to a certain legal uncertainty or lack of predictability when it comes to the Annex and the services recorded on it.
The IT security expert also sees a need for improvement in the area of encryption: “We need strong encryption technologies that must be consistently expanded, strengthened and proactively promoted,” Pohlmann continues. “Encryption is the central building block for IT security and trustworthiness.”
Pohlmann also calls for reporting obligations for state actors with regard to known vulnerabilities. Overall, he said, awareness of IT security also needs to be raised – both within the population and among users themselves. According to Pohlmann, there is still room for improvement, especially among small and medium-sized enterprises.
