Criticism of the European Commission's Cyber Resilience Act Proposal
The Center for Data Innovation has submitted feedback on the European Commission's consultation regarding the Cyber Resilience Act (CRA) initiative. The CRA aims to improve cybersecurity by addressing gaps in the existing regulatory framework for digital products and services.
The European Commission has outlined five broad policy options for the CRA. These options focus on balancing enforcement of cybersecurity standards with minimizing administrative burdens and avoiding overly broad regulations.
Policy Options and Their Implications
- Maintaining the status quo (no new regulation)
  - Benefits: Avoids additional regulatory burden on manufacturers and distributors; no disruption to current market practices.
  - Drawbacks: Fails to address growing cybersecurity risks in connected devices; inconsistent security standards across the EU increase vulnerabilities and exposure to cyber threats.
- Broad horizontal regulation applying uniform requirements to all digital products
  - Benefits: Ensures comprehensive cybersecurity coverage; creates consistent standards across industries and products.
  - Drawbacks: May impose disproportionate burdens on smaller companies and on products that pose no significant risk; risks stifling innovation through overly prescriptive rules.
- Targeted regulation with differentiated requirements based on product risk categories
  - Benefits: Focuses resources on high-risk products and critical infrastructure, increasing protection where it is most needed; reduces compliance cost for low-risk products.
  - Drawbacks: Requires careful risk assessment and clear product classification to avoid loopholes or inconsistent implementation; adds complexity to compliance.
- Phased implementation with transitional periods and impact assessments
  - Benefits: Gives businesses time to adapt to new requirements, reducing disruption; supports capacity building among member states and industry; allows the impact to be evaluated before full enforcement.
  - Drawbacks: Delays the full cybersecurity improvements; risks uneven adoption over time.
- Exemptions for certain software types and already regulated industries
  - Benefits: Avoids duplicative regulation where robust sector-specific cybersecurity rules already exist; minimizes the burden on free and open-source software unless it is commercialized.
  - Drawbacks: Potential gaps in coverage if exemptions are too broad or ambiguously defined; complicates the regulatory scope.
Strategies for Effective Pursuit
To improve cybersecurity practices without either keeping the status quo or imposing broad horizontal regulation, the European Commission can:
- Adopt a risk-based regulatory framework focusing on high-risk digital products and ensuring essential cybersecurity requirements align with product risk.
- Implement phased enforcement with clear timelines, supporting transitional measures including technical specifications and stakeholder consultations to ease adaptation.
- Conduct thorough impact assessments covering both the supply and demand sides and member states' capacity before expanding compulsory certification, so that implementation remains pragmatic and feasible.
- Maintain clear exemptions and simplifications for small companies, non-commercial projects, and sectors already subject to specific cybersecurity rules to minimize unnecessary burden and encourage innovation.
- Promote transparency and cooperation by mandating incident reporting to national computer security incident response teams (CSIRTs) only for significant incidents, balancing security against operational feasibility.
By combining these approaches, the Commission can strengthen cybersecurity standards across the EU internal market in a balanced, flexible, and effective manner that encourages security by design and continuous risk management without stifling innovation or overburdening industry.
The Importance of Action
With global cybercrime predicted to cost $10.5 trillion by 2025, the need for effective cybersecurity measures is more pressing than ever. The European Union, with its focus on the growing threat of cybersecurity incidents, can play an important role in bolstering cybersecurity practices. The CRA initiative seeks to work alongside existing legislation such as the Cybersecurity Act and the Directive on security of network and information systems (NIS Directive) to achieve this goal.
The filing cautions against maintaining the status quo and pursuing broad horizontal regulation. It offers suggestions on how the Commission may pursue the other policy options, emphasizing the need for a balanced approach that encourages innovation while improving cybersecurity.
The Commission has requested evidence for its impact assessment of these policy options, and the filing provides insights based on the current state of the cybersecurity landscape, advocating a targeted and flexible approach rather than the status quo or broad horizontal regulation.
- The Center for Data Innovation's feedback offered suggestions for the Cyber Resilience Act (CRA), emphasizing the importance of a balanced approach that encourages AI and data innovation while improving cybersecurity.
- To strike a balance between enforcement of cybersecurity standards and avoiding overly broad regulations, the European Commission should consider a risk-based regulatory framework for digital products, focusing on high-risk ones.
- In the pursuit of effective cybersecurity policies, the Commission should prioritize promoting AI and data innovation within the framework of these regulations to ensure that the EU remains competitive in the global technology landscape.