CE cyber-mark for products and software?

On 15 September 2022, the European Commission issued a proposal for the Cyber Resilience Act (CRA). The CRA aims to bring more secure products to the market and make security more transparent. At the same time, the EU’s cyber defence capability will be enhanced.

The objective is to ensure that hardware and software are less vulnerable and that manufacturers take security seriously throughout their products’ lifecycles. This is also a way of protecting consumers, other users and the market from cybersecurity incidents.

The CRA will cover products with a digital element that can be connected to another device or network, whether directly or indirectly. The CRA will also cover software. Areas subject to specific regulations, such as civil aviation and hardware and software made exclusively for national security or defence applications, will be beyond the scope of the new regulation.

In the future, it will only be possible to sell products and software that meet the requirements of the CRA. There may be some exemptions – for example, in the cases of exhibitions and demonstrations or for limited testing of software under development – provided that it is clearly stated that the requirements of the Act have not been met. A CE marking would be used to indicate conformity.

The proposal includes obligations on manufacturers, importers and distributors. It also contains provisions on evaluating conformity, assessment bodies, market supervision and enforcement, and penalties.

The CRA’s aims are good – but care must be taken in preparation

Improving network security is a worthy aim. The proposal will improve security in areas not yet subject to information security regulations.

The CRA is an important link in the regulatory chain: the Critical Entities Resilience (CER) Directive safeguards operators and services that are critical to the security of supply, and the Network and Information Security Directive (NIS 2) addresses the resilience of network and cloud service operators. The regulations must be clear and free of overlaps with other regulations.

Special attention should be paid to ensuring that the CRA does not impose an additional administrative burden on the parties it concerns. For example, the obligation to disclose information security breaches should be clearly defined so that each incident only needs to be reported to one authority rather than several different parties.

The criteria and assessment process for determining conformity must be transparent, predictable, and based on international standards to ensure the uniform application of the CRA throughout the EU. The assessment of conformity must not hinder the uptake of new technology or weaken the competitiveness of the EU. For example, the construction of nationally important 5G and 6G networks must not be delayed if the network equipment does not receive the approvals required by the CRA, the process takes too long, or the assessment bodies have a backlog of assignments.

The CRA should, therefore, use risk-based requirements and assessment procedures. Independent assessment should only be required for the most critical network devices. A manufacturer’s self-assessment should, in principle, be sufficient for other products. A risk-based approach to obligations ensures that the obligations are proportionate to the risk. Excessively burdensome obligations must not be imposed when there is no justified need for them.

The CRA proposes granting delegated legislative powers to the European Commission. This authority must be clear, precisely defined, proportionate, appropriate and justified to prevent the regulation and the scope of obligations from becoming unpredictable.

What next?

The Finnish Government is currently drawing up a statement to the Finnish Parliament setting out Finland’s preliminary position for the forthcoming negotiations. The negotiations are expected to begin in earnest in spring 2023, when Sweden will hold the EU presidency.

The Ministry of Transport and Communications has established a wide-ranging network of authorities and stakeholders, including the key players in both areas, to support the negotiations. One of Finland’s strengths is that we can get around the table and have an open and frank discussion on our common goals and the means to achieve them.

Marko Lahtinen, Legal Affairs Manager, FiCom