Cyber Resilience Act

from ITRE draft report on the Cyber Resilience Act

by Bundesverband der Deutschen Industrie e.V.

German industry’s position on the ITRE report –good first proposals for amendments, but further amendments urgently needed to minimise bureaucracy, ensure practicality and safeguard competitiveness

Evaluation of (selected) proposed amendments

German industry welcomes the European Commission’s proposal for the Cyber Resilience Act (CRA) in principle. The Cyber Resilience Act will – unlike the Cybersecurity Act – horizontally introduce cybersecurity requirements across product categories based on the principles of the New Legislative Framework. Moreover, the essential cybersecurity requirements introduced by the CRA will help essential and important entities to fulfil the supply-chain-related cybersecurity requirements introduced by Article 21 of the NIS 2-Directive. Nonetheless, there are areas, where the proposal should be improved during the ongoing legislative process. To this end, BDI welcomes the draft report by MEP Nicola Danti as it already proposes some very important changes to the Commission’s proposal, such as the longer implementation period In contrast, we see the introduction of multiple reporting obligations per vulnerability and incident as the wrong approach since it will tie up scarce IT security resources – both in terms of personnel as well as finances – without providing any benefits in terms of increasing Europe’s cyber resilience.

Below we discuss the amendments proposed by MEP Danti. We would appreciate, if Members of the European Parliament were to take our suggestions for further amendments into account.

Amendment 1 – Recital 1

German industry welcomes that Rapporteur Danti recognises the severe impact that cyberattacks have for the internal market. We support the Rapporteur in his evaluation that it is of utmost importance to increase the Union’s cyber-resilience through targeted measures. To this end, German industry advocates for the implementation of risk-adequate cybersecurity measures across all products with digital elements during the design, developmentandproductionphases as well as whenand while aproduct is placed on themarket. We therefore support the proposal for the Cyber Resilience Act (CRA) in principle.

Amendment 2 – Recital 2

Providing B2B and B2C consumers with information about the expected lifetime of products placed on the market and the provision of security updates is essential to turn cybersecurity into a criterion influencing a customer’s decision to buy a certain product. The CRA will facilitate this by introducing the expected lifetime of a product as well as requiring producers to maintain the resilience of their products against cyberthreats for a certain clearly defined period. German industry would appreciate if the wording inserted by MEPs’ amendments would mirror the wording agreed on in the Resolution on the EU’s Cybersecurity Strategy for the Digital Decade (2021/2568(RSP)

We therefore urge MEPs to amend MEP Danti’s proposal amendment as follows:

MEP Danti’s Amendment

(2) This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle. It alsoaimsto create conditionsallowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency on the expected lifetime of products placed on the market and the provision of security updates

BDI’s proposal for amending Recital 2

(2) This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle. It alsoaimsto create conditionsallowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparencyon the minimum period during which a manufacturer will provide security patches and updates for maintaining the cyber-resilience of a given product with digital elements expected lifetime of products placed on the market and the provision of security updates.

Amendment 4 – Recital 4 a

(new)

German industry agrees with rapporteur Danti that the CRA must be proportionate by introducing risk-adequate cybersecurity requirements. However, we urge the Rapporteur and all other MEPs to refrain from watering down the horizontal nature of the Commission’s proposal to ensure clarity for customers and producers alike.

We therefore urge MEPs to amend MEP Danti’s proposal amendment as follows:

MEP Danti’s Amendment

The horizontal nature of this Regulation means that very different segments of the Union's economy will be impacted. It is therefore important that the specifities of each sector are taken into account and that cybersecurity requirements are proportional to the risk, as to avoid overburdening specific sectors. The Commission should detail these elements in the guidelines that it will publish to support businesses in implementing this Regulation.

BDI’s proposal for amending Recital 4 a (new)

Amendment 6 – Recital 8

While German industry in principle appreciates the European Commission’s proposal for the Cyber Resilience Act, we perceive the proposed amendment as too positive. Due to the very far-reaching scope of so-called critical products with digital elements in conjunction with the very short implementation period, many companies will have to dedicate a lot of extra work to remain compliant with the requirements introduced by the CRA. Therefore, the CRA – at least in the short-run – will not constitute a competitive advantage for European manufacturers.

We therefore urge MEPs to amend MEP Danti’s proposal amendment as follows:

MEP Danti’s Amendment

(8) By setting cybersecurity requirements for placing on the market products with digital elements, the cybersecurity of these products for consumers and for businesses alike will be enhanced. This also includes requirements for placing on the market consumer products with digital elements intended for vulnerable consumers, such as toys and baby monitors. These requirements will also ensure that cybersecurity is taken into account throughout the supply chains, making sure that final products with digital elements are more secure. In turn, this will represent a competitive advantage for the Union’s manufacturers, which will be able to showcase the cybersecurity of their products.

Amendment 8 – Recital 10

BDI’s proposal for amending Recital 8

German industry welcomes the proposal that only free and open-source software (OSS) supplied in the course of a commercial activity should be covered by the Cyber Resilience Act. However, to ensure that all (open source) software utilised within commercial activities – even those developed outside of commercial activities – fulfils a risk-adequate degree of cyber-resilience German industry considers it essential that the CRA’s cybersecurity requirements are also fulfilled by free and open-source software that has been developed or supplied outside the course of a commercial activity, as soon as OSS components are used in a commercial product (“monetised product”). In this case, however, the product manufacturer is responsible operator and not the OSS community. German industry would appreciate if manufacturers utilising non-monetised OSS components identifying vulnerabilities in such OSS components would inform the OSS community about the vulnerability as well as a possible fix. This would result in a win-win for all.

On a technical level, German industry would appreciate if, depending on the risk, checking the code of open-source software with a SAST software would be sufficient. In contrast, a manual code review ofOSS would be basically impracticable, due to themassive resources required to perform such a check

Amendment 10 – Recital 14 a (new)

German industry appreciates the clear exclusion of spare parts that are destined to replace identical components – as well as products or components used in installed systems – during repair operations in legacy products with digital elements. This is essential to ensure that manufacturers provide their customers with spare parts, and thus the possibility to utilise their products with digital elements as long as possible, while at the same time not overburdening them with eternal cybersecurity requirements. However, manufacturers of spare partsmust be required to inform their customers in a proportionate way that the spare part is not maintained in terms of cybersecurity updates.

As most companies do not have an exclusive spare part production, it is paramount to delete the word “exclusively” from the proposed amendment or to replace the verb “manufactured” with the verbs “provided / sold” to ensure that spare parts do not fall within the scope of the Cyber Resilience Act.

MEP Danti’s Amendment

(14 a) This Regulation should not apply to components that are exclusively manufactured in order to replace identical components during repair operations in legacy products with digital elements, in order to avoid that products with digital elements already circulating in the internal market have to be withdrawn due to the lack of spare parts.

BDI’s proposal for amending Recital 14 a (new)

(14 a) This Regulation should not apply to components or products that are exclusively provided manufactured in order to replace identical components during repair operations in legacy products with digital elements, in order to avoid that products with digital elements already circulating in the internal market have to be withdrawn due to the lack of spare parts.

Amendments 13 & 54 – Recital 18 a (new) & Article 9 a (new)

In principle, German industry appreciates that besides the price of a product in public procurement also the cyber-resilience of a product shall be taken into account. However, while thegeneral intention of the amendments is a good one, we object the proposal that in public procurement only products with a “high level of cybersecurity and long expected product lifetimes” shall be considered. Publicly procured products must not fulfil an abstract “high level of cybersecurity” but rather a risk-adequate level – which is mirrored by the intended use of product in the CRA. In the same vein, a “long expected product lifetime” is too abstract especially when considering the huge variety of products covered by the CRA. Therefore, we would prefer the deletion of this part of the sentence as well.

In addition, we object the second sentence of the amendment as it is directed against core principles of fair competition in the European Single Market. Both private customers as well as commercial users would be discriminated against compared to the public sector

Therefore, German industry urges MEPs to amend MEP Danti’s amendment as follows:

MEP Danti’s Amendment

(18 a) When procuring products with digital elements, Member States should give priority to products that have a high level of cybersecurity and long expected

BDI’s proposal for amending Recital 18 a (new)

(18 a) When procuring products with digital elements, Member States should only procure give priority to products that have a product lifetimes, in order to improve their ability to deal with cyber threats, as well as to ensure the efficient use of public resources. Furthermore, Member States should ask manufacturers to fix as a matter of urgency vulnerabilities that affect publicly procured products with digital elements.

Amendment 15 – Recital 19 a (new) high risk-adequate level of cybersecurity and long expected product lifetimes, in order to improve their ability to deal with cyber threats, as well as to ensure the efficient use of public resources. Furthermore, Member States should ask manufacturers to fix as a matter of urgency vulnerabilities thataffect publicly procured products with digital elements.

German industry welcomes that ENISA must adhere to industry best-practices such as responsible vulnerability disclosure. It is paramount that vulnerabilities are only published once a mitigating measure is offered by the respective manufacturer.

Amendments 17 & 53 – Recital 27 a (new) & Article 6 a (new)

While in principle German industry recognises the motivation for instituting an Expert Group on Cyber Resilience, care must be taken to avoid creating “yet another expert group” which will lead to another sub-forum of specialist discussion. Thus, we urge MEPs and the European Council to carefully examine if there already exists a suitable forum which could take over the task envisaged to be taken over by the new expert group. Should such an Expert Group on Cyber Resilience be newly established, both manufacturers of products with digital elements as well as corporate users should be represented in such an expert group in order to enable such companies to contribute their expertise in the development of the Cyber Resilience Act – and here, in particular its scope.

Amendment 19 & 58 – Recital 32 a (new) & Article 10 – paragraph 6 – subparagraph 2 a (new)

We strongly disagree with the obligation to install automatic updates in the B2B contexts. While in B2C context, this may indeed improve the overall level of cybersecurity, since consumers often neglect available security updates, it is, however, different for B2B products. First, the level of cybersecurity awareness and in-house expertise among B2B customers is usually quite high, and therefore, customers can make their own decisions about the installation of software updates. Second, due to very specific industrial use contexts, the generic updates would not be suitable for B2B customers since they would need to be tailored to specific environments where software is deployed. Usually, customers have a high degree of control over these processes. Finally, most B2B use cases ofproducts with digital elements are not suited for automatic updates – for example, updating a product with digital elements utilised in a critical infrastructure or a manufacturing context could significantly impair the service provision or the manufacturing process. Therefore, we recommend to delet the requirement of automated updates in B2B contexts.

InformingB2C customers ofthe endof its expectedproduct lifetimeand thathence,security updates are no longer made available, is a suitable step to keep private customers wellinformed.German industry would appreciate if the wording inserted by MEPs’ amendments would mirror the wording agreed on in the Resolution on the EU’s Cybersecurity Strategy for the Digital Decade (2021/2568(RSP).

We therefore urge MEPs to amend MEP Danti’s proposal amendment as follows:

MEP Danti’s Amendment

(32 a) Manufacturers should ensure, where possible and particularly in business-to-consumer environments, thatsecurity updates are installed automatically in order to remedy potential vulnerabilities as soon as possible. Users should retain the possibility to de-activate this feature. Once a product with digital elements has reached the end of its expected product lifetime and security updates are no longer made available, manufacturers should inform users in a simple and clear manner, for example via the display of a user-friendly notification.

BDI’s proposal for amending Recital 32a

(32 a) Manufacturers should ensure, where possible and particularly in business-to-consumer environments, thatsecurity updates are installed automatically in order to remedy potential vulnerabilities as soon as possible. Users should retain the possibility to de-activate this feature. Once a product with digital elements has reached the end of its expected product lifetime and the period after which security updates are no longer made available, manufacturers should inform users in a simple and clear manner, for example via a newsletter to which the user subscribed after purchasing a product with digital elements or the display of a userfriendly notification.

Amendment 20 & 59 – Recital 32 b (new) & Article 10 – paragraph 6 – subparagraph 2 b (new)

German industry strongly objects the proposal that manufacturers have to publish the source code when they define the product lifetime shorter than 5 years. While we recognise the regulator’s intention to prevent manufacturers from deliberately reducing their obligations, we urge the Members of the European Parliament to protect the manufacturer’s intellectual property Requiring manufacturers to publish their IP could be detrimental for Europe’s long-term economic competitiveness. Therefore, rather than requiring manufacturers to publish their source-code, the European co-legislators should encourage all manufacturers to provide updates for an adequate duration

MEP Danti’s Amendment for Article 10 –paragraph 6 – subparagraph 2 b (new)

Where manufacturers set the expected period lifetime to a period shorter than five years and therefore have ended the handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I, manufacturers shall provide free access to the source code of their products with digital elements to legal persons that commit to extend the provision of vulnerability handling services, particularly security updates. Access to the source code shall only be provided as part of a contractual arrangement, which shall protect the ownership

BDI’s proposal concerning Article 10 –paragraph 6 – subparagraph 2 b (new) [deletion] of the product with digital elements and prevent the dissemination of the source code to the general public. The obligation to provide free access to the source code shall cease to apply once the productlifetime has reached five years.

Amendment 24 – Recital 37

German industry welcomes the clarification that manufacturers don’t have to publish the Software Bill of Materials (SBOM) While SBOMs are particularly useful for developers if they actually utilise them to identify and address vulnerabilities in dependency chains throughout the software development lifecycle, not having to publish is essential for manufacturers to protect their IP

Henceforth, the respective reference in Annex II (6) should be deleted.

Amendment 36 – Recital 69

The Cyber Resilience Act’s very broad scope has far-reaching implications for its implementation. At the same time, the CRA will only become fully effective once the organisational framework conditions specified in the law are in place. German industry believes that the implementation period of 12 to 24 months is too short to implement the essential requirements across all products with digital elements according to Article 2 (1). This is the case, as the Cyber Resilience Act constitutes the first regulatory act on the European internal market to horizontally regulate the cyber resilience of products. Consequently, companies across sectors have to review their internal measures for CRA-conformity / or even have to set up respective measures, and have to implement a vulnerability handling mechanism that accommodates the requirements set out in Annex I Section 2. Moreover, the Member States must organise the market surveillance outlined in Article 43. To this end, new organisational structures have to be defined and new employees have to be hired. Furthermore, harmonised European standards have to be developed – either from scratch or based on IEC 62443. To this end, the European Commission has to issue the standardisation request. All this will take more than the proposed 12 to 24 months. Consequently, we welcome Rapporteur Danti’s proposal to extend the implementation period to 40 months.

Amendment 38 – Recital 71

a (new)

It is paramount that all public bodies involved in the market surveillance as well as other dimensions of implementation of this regulation are sufficiently staffed. To this end, we welcome the proposal to increase ENISA’s by 8.5 FTE.

Amendment 39 – Article 2 – paragraph 1

German industry regards it as paramount that the Cyber Resilience Act references the intended use of a product in order to fulfil the necessary risk-based approach. In this regard, we perceive MEP Danti’s amendment 39 as a step in the wrong direction that needs to be reversed. In practice, any device with any kind of I/O mechanism can have a “data connection”, meaning that the Regulation would in effect apply uniformly to all electronic products. This is too far-reaching, the possibility to create stand-alone products must remain.

Therefore, we would like to extend the definition by “bidirectional” to exclude simple, benign products like read-only I/O sensors

MEP Danti’s proposal for an amendment

1. This Regulation applies to products with digital elements that can have a direct or indirect data connection to a device or network.

BDI’s proposal for amending Article 2 –paragraph 1 keeping EU Commission’s proposal:

1. This Regulation applies to products with digital elements that can have whose intended or reasonably foreseeable use includes a direct or indirect bidirectional logical or physical data connection to a device or network.

= deletion of amendment

Amendment 40 – Article 2 – paragraph 4 a (new)

German industry appreciates an exclusion of spare parts that are provided to replace identical components during repair operations in legacy products with digital elements. This is essential to ensure that manufacturers provide their customers with spare parts, and thus the possibility to utilise their products with digital elements as long as possible, while at the same timenot overburdening them with eternal cybersecurity requirements. However, manufacturers of spare parts must be required to inform their customers in a proportionate way that the spare part is not maintained in terms of cyber-security updates. However, the current amendment isn’t clear enough, because spare parts could also be products as well as components.

Following our remarks above, we would appreciate the deletion of the term “exclusively” or to replace the verb “manufactured” with the verbs “provided / sold” as most companies do not produce spare parts separately but as part of their normal production process of certain components. Henceforth, the insertion of “exclusively” could result in the exclusion of such products from the definition according to Article 2 Paragraph 4a.

MEP Danti’s proposal for an amendment

4 a. This Regulation does not apply to components that are exclusively manufactured as spare parts for products with digital elements that have been placed on the market before the application date of this Regulation referred to in Article 57.

BDI’s proposal for amending Article 2 –paragraph 4 a (new)

4 a. This Regulation does not apply to components or products that are exclusively provided manufactured as spare parts for products with digital elements that have been placed on the market before the application date of this Regulation referred to in Article 57.

Amendment 48 – Article 6 – paragraph 3

To enable companies – especially SMEs – to implement the far-reaching requirements to be introduced under the Cyber Resilience Act, it is paramount that the Commission swiftly publishes the legal basis for the implementation. To this end, we welcome the reduction of the time span from 12 to 6 months which the CRA grants the Commission for publishing the delegated act in accordance with Article 50

To ensure that all relevant stakeholders are consulted in the process of defining products as critical products in future, German industry would appreciate if the following additional paragraph was introduced

MEP

Danti’s proposal for an amendment BDI’s proposal for an additional paragraph in Article 1

The Commission shall establish a process under which a product which is a candidate to be a critical product can be reviewed in a collaborative process by all relevant stakeholders, including manufacturers and users, to assess the security risk posed by potential cybersecurity issues with the product, whether and how much designating the product as critical would likely reduce that risk, and the costs associated with designating the product as critical. If such assessment clearly establishes that designating that product as critical would materially reduce the security risk posed to the users of the product and that the value of such reduction would outweigh the costs to the manufacturer and other parties, the product may be designated as critical under this Regulation.

Amendment 55 – Article 10 – paragraph 4

As stated above, German industry welcomes the proposal that only free and open-source software (OSS) supplied in the course of a commercial activity should be covered by the Cyber Resilience Act. However, to ensure that all software fulfils a risk-adequate degree of cyber-resilience German industry considers it essential that the CRA’s cybersecurity requirements are also fulfilled by free and open-source software that has been developed or supplied outside the course of a commercial activity,as soon as OSS components are used in a commercial product (“monetized product”). In this case, however, the product manufacturer is responsible operator and not the OSS community. German industry would appreciate if manufacturers utilising non-monetized OSS components identifying vulnerabilities in such OSS components would inform the OSS community about the vulnerability as well as a possible fix. This would result in a win-win for all.

Amendment 56 – Article 10 – paragraph 6 – subparagraph 1

German industry recognises the rationale behind the proposed amendment. Since a “onesize-fits-all” approach is not suitable for such a huge variety of products as covered by the Cyber Resilience Act, rigid timeframes are not useful. However, in contrast to definea product lifetime, MEPs should oblige manufacturers to define the period during which security updates are provided. While this might be shorter than a theoretic product lifetime – which significantly varies according to the usage of a product with digital elements. Thereby, customers would know for how long a given product possesses a risk-adequate level of cyberresilience. This timeframe should be stated on the product, its packaging or in contractual agreements.

MEP

Danti’s proposal for an amendment

Whenplacingaproduct withdigital elements on the market, the manufacturer shall define the expected product lifetime. In doing so, the manufacturer shall ensure that the expected product lifetime is in line with reasonable consumer expectations and that it promotes sustainability and the need to ensure long-lasting products with digital elements. Manufacturers shall ensure that vulnerabilities of that productare handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I during at least the expected product lifetime. Where applicable, the expected product lifetime shall be clearly stated onthe product, its packaging or be included in contractual agreements.

BDI’s proposal for amending Article 10 –paragraph 6 – subparagraph 1

Whenplacingaproduct withdigital elements on the market, the manufacturer shall define the period in which security updates are provided expected product life-time. In doing so, the manufacturer shall ensure that the period in which security updates are provided expected product lifetime is in line with reasonable consumer expectations and that it promotes sustainability and the need to ensure long-lasting products with digital elements. Manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I during the period stated in sentence 1 at least the expected product lifetime. Where applicable, the period in which security updates are provided expected product lifetime shall be clearly stated on the product, its packaging, or be included in contractual agreements.

Amendment 61 – Article 10 – paragraph 10 – subparagraph 1 (new)

German industry recognises the need to inform all customers in a user-friendly way. Especially pointing out the intended use of a product will be paramount in such information. To this end, we support the amendment proposed by MEP Danti especially since it requires manufacturers to provide such information online and not in a printed format

Amendment 65 in conjunction with Amendment 64 – Article 11 – paragraph 1 a (new) German industry disapproves of Rapporteur Danti’s proposal to introduce four reporting obligations per vulnerability discovered by a manufacturer. This will massively increase the compliance costs associated with the implementation of the CRA. In light of the massive shortage of cybersecurity professionals in Europe – amounting to more than 100,000 in Germany alone – such a massive increase in reporting obligations and bureaucracy is the wrong approach. Cybersecurity professionals should dedicate their time to increasing the resilience of products with digital elements aswell ascompanies, rather than writing reports. Moreover, it is paramount that manufacturers of products with digital elements should only have to report such incidents once within the EU (i.e. either to ENISA or to one Member State).

MEP Danti’s proposal for an amendment

1 a. Manufacturers shall submit to ENISA the vulnerability notification referred to in paragraph1 in accordance with the following procedure:

(a) an early warning, without undue delay and in any event within 24 hours of becoming aware of the actively exploited vulnerability, which shall detail whether any knowncorrective or mitigatingmeasure is already available;

(b) a vulnerability notification, without undue delay and in any event within 72 hours of becoming aware of the actively exploited vulnerability, which, where applicable, shall update the information referred to in point (a), detail any corrective or mitigating measures taken and indicate an assessment of extent of the vulnerability, including its severity and impact;

(d) a final report not later than one month after the submission of the vulnerability notification under point (b), including at least the following: (i) a detailed description of the vulnerability, including its severity and impact; (ii) where available, information concerning the actor(s) exploiting or having exploited the vulnerability; (iii) details about the security update or other corrective measures that

BDI’s proposal for amending Article 11 –paragraph 1 a (new)

1 a Manufacturers shall submit to ENISA via a secure mechanism to be established by ENISA the vulnerability notification referred to in paragraph 1 within 72 hours of becoming aware of the actively exploited significant vulnerability, which shall detail whether any known corrective or mitigating measure is already available;

1 b In case a mitigating measure is not available at the time of reporting the significant vulnerability to ENISA according to subparagraph 1a, the manufacturer shall inform ENISA without undue delay as soon as a mitigating measure is available.

[deletion of the Amendment proposed by MEP Danti] have been made available to remedy the vulnerability.

Amendment 67 & 70 – Article 11 – paragraph 2 & Article 11 – paragraph 4

German industry appreciates MEP Danti’s limitation of incidents that manufacturers have to report to ENISA to significant incidents as this will significantly reduce the implementation costs manufacturers have to shoulder and – more importantly so – will allow companies to focus their scarce IT security resources on critical topics.

In addition to the proposed amendments, we would appreciate if MEPs would limit the amount of information that a manufacturer has to send to ENISA to the utmost minimum, to ensure that a potentially malicious actor that intercepts the transmission of these information would not be able to exploit the vulnerability subsequently. Moreover, the national competent authorities or ENISA should provide assistance should manufacturers require it when handling the vulnerability.

MEP Danti’s proposal for an amendment

2. The manufacturer shall notify to ENISA any significant incident having impact on the security of the product with digital elements in accordance with paragraph 2b ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single pointof contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authorityabout thenotified significant incidents. The mere act of notification shall not subject the notifying entity to increased liability.

BDI’s proposal for amending Article 11 –paragraph 2

2. The manufacturer shall notify to ENISA any significant incident having impact on the security of the product with digital elements in accordance with paragraph 2b. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified significant incidents. The mere act of notification shall not subject the notifying entity to increased liability. The significant incident notification shall include strictly necessary information to make the competent authority aware of the incident and allow the entity to seek assistance if required.

Economic operators that are also identified as essential entities or important entities under the NIS2 and who submit their incident notification pursuant to the NIS2 should be deemed compliant with the requirements in point 2 of this Article.

Amendment 68 – Article 11 – paragraph 2 a (new)

Since the reporting obligations pursuant to Article 11 paragraph 2 address security-related incidents and vulnerabilities, only those incidents that have implications for the security of a product should fall within the scope of Article 11 paragraph 2. Henceforth, subparagraph b should be deleted.

MEP Danti’s proposal for an amendment

2 a. An incident shall be considered to be significant if:

(a) it has caused or is capable of causing severe operational disruption of the production or the services for the manufacturer concerned, that would impact the security of a product; or

(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or nonmaterial damage.

BDI’s proposal for amending Article 11 –paragraph 2 a (new)

2 a. An incident shall be considered to be significant if:

(a) it has caused or is capable of causing severe operational disruption of the production or the services for the manufacturer concerned, that would impact the security of a product; or

(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or nonmaterial damage.

Amendment 69 – Article 11 – paragraph 2 b (new)

Following our argumentation concerning amendment 65, German industry disapproves of Rapporteur Danti’s proposal to introduce four reporting obligations per incident discovered by a manufacturer. This will massively increase the compliance costs associated with the implementation of the CRA. In light of the massive shortage of cybersecurity professionals in Europe – amounting to more than 100,000 in Germany alone – such a massive increase in reporting obligations and bureaucracy is the wrong approach. Cybersecurity professionals should dedicate their time to increasing the resilience of products with digital elements as well as companies, rather than writing reports. Moreover, it is paramount that manufacturers of products with digital elements have to report such incidents only once within the EU (i.e. either to ENISA or to one Member State).

MEP Danti’s proposal for an amendment

2 b. Manufacturers shall submit the incident notification referred to in paragraph 2 to ENISA in accordance with the following procedure:

(a) an early warning, without undue delay and in any event within 24 hours of becoming aware of the significant incident, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;

BDI’s proposal for amending Article 11 –paragraph 2 b (new)

2 b. Manufacturers shall submit the incident notification referred to in paragraph 2 to ENISA in accordance with the following procedure:

(b) an incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

(d) a final report not later than one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the incident; malicious acts or could have a cross-border impact;

(e) in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.

(ab) an incident notification, without undue delay and in any event within 72 hours ofbecoming aware of the significant incident, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;

(bd) a final report no later than one month after the conclusion of handling the incident not later than one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact;

(ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the incident;

Amendment 78 – Article 17 a (new)

German industry appreciates MEP Danti’s proposal that the Commission shall publish a handbook / guidelines to support in particular SMEs as well as other economic operators in their ambitions to apply the Cyber Resilience Act correctly and swiftly

Amendment 82 – Article 23 – paragraph 5

Since large companies are confronted with international competition, bureaucratic burden must be minimised for all enterprises – regardless of their size.

MEP Danti’s proposal for an amendment

5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex Vto takeaccount of technological developments, as well as developments encountered in the implementation process of this Regulation. The Commission shall strive to minimise the administrative burden for micro, small and medium sized enterprises.

BDI’s proposal for amending Article 23 –paragraph 5

Amendment 83 – Article 24 – paragraph 2 a (new)

Since manufacturers of (critical) products with digital elements will have to invest significant resources into ensuring that their products comply with the requirements stated in specific standards, German industry appreciates MEP Danti’s proposal to grant manufacturers six months time after harmonised standards, common specifications or European cybersecurity certification schemes shall be in place before the conformity assessment procedure referred to in Article 24 paragraph 2 applies. However, even this six-month grace period will most likely be too short for companies to adapt products to the specifications laid out in a standard. Therefore, we would appreciate if the period was to be increased to 12 to 18 months.

Amendment 86 – Article 29 – paragraph 7a

In light of the existing massive lack of cybersecurity experts in Europe, favouring one actor along the supply chain over others cannot be the solution. Rather, in a first step, the thirdparty certification of productsmust be limited to the number of products that can behandled by conformity assessment bodies.

MEP Danti’s proposal for an amendment

7 a. Member States and the Commission shall put in place appropriate measures to ensure sufficient availability ofskilledprofessionals, in order to minimise bottlenecks in the activities of conformity assessment bodies.

BDI’s proposal for amending Article 29 –paragraph 7a [deletion]

Amendment 89 – Article 29 – paragraph 9a

It is unclear how a fair categorisation of products under the consideration of the intended use could be ensured without getting into too much detail. Wrong or ambiguous categorizations would direct repercussions on the fair competition between market actors. Moreover, we do not see the added value of such an additional database, especially since manufactures will already have to state clearly and transparently the time for which security updates and patches are provided. In general, the language should be aligned around the goal of the CRA to raise the cybersecurity of products. Referring to expected product lifetimes instead of the period during which security updates and patches are provided could lead to misunderstandings in the manufacturer-vendor-customer relations, and problems with other regulations, such as the ESPR.

MEP Danti’s proposal for an amendment

9 a. Market surveillance authorities shall provide to the Commission data about the average expected product lifetime set by the manufacturers, divided per category of product with digital elements. The Commission shall publish this information in a publicly accessible and user-friendly database.

BDI’s proposal for amending Article 29 –paragraph 7a

Amendment 104 – Article 55 – paragraph 3 a (new)

German industry appreciates the proposal that manufacturers may choose to comply with the requirements of this Regulation on a voluntary basis before the date of application referred to in Article 57, as this will increase a speedy compliance of some products with the requirements ofthe CRA and thereby increase the resilience of the Unionas a whole. Moreover, we welcome the proposal to repeal Commission Delegated Regulation (EU) 2022/30 as soon as the Cyber Resilience Act comes into effect.

Amendment 106 – Article 57 – paragraph 2

German industry welcomes the proposal to increase the implementation period for Article 20 of the CRA from 12 to 20 months and of the rest of the CRA from 24 to 40 months. This timeframe will ensure that standardisation bodies, manufacturers of products with digital elements and market surveillance authorities can prepare for the implementation of the requirements according to the CRA.

Amendment 107 – Annex I – Part 1 – point 2

Deleting the requirement that “Products with digital elements shall be delivered without any known exploitable vulnerabilities” is paramount. Otherwise, it would have been very likely that many products with digital elements would have to be discarded when entering the internal market since new vulnerabilities are constantly discovered since the cyber threat landscape constantly changes. Nonetheless, we would appreciate if the regulation was to differentiate more clearly between vulnerabilities in terms of their security implications.

Amendment 108 – Annex I – Part 1 – point 3 – point -a (new)

The language introducedby Amendment 108 isnot verypractical as it will lead todestroying fully functional products with digital elements that have a vulnerability even in cases when an update is available that could remedy this vulnerability. Therefore, German industry urges the co-legislators to amend Annex I Section 1 (2) in such a way, that it directly references the vulnerability handling process of Annex I Section 2, so that it would be possible to implement an automatic update check when a product with digital elements is first connected to the internet by its end user / integrator to fulfil the essential cybersecurity requirements set out in Annex I. This should be understood as current state-of-the-art.” In addition, having to destroy products with digital elements that have a known exploitable vulnerability for which an update is available, but which can no longer be sold as they do not fulfil the requirement “without any known exploitable vulnerability” would not be acceptable from a sustainability-perspective. Products with digital elements that have a vulnerability, but for which an update is available and that can be immediately installed at the time of their first use, should be allowed to be sold.

MEP Danti’s proposal for an amendment

(-a) be delivered without known exploitable vulnerabilities

BDI’s proposal for amending Annex I –Part 1 – point 3 – point -a (new)

(-a) be delivered without known exploitable vulnerabilities If a manufacturer of a product with digital elements ensures that the said product directly at the first time of use runs an automatic update-check and installs all available updates or alternatively provides the user with an easy to follow description of how to perform updates manually, it fulfils the requirements under sentence one.

Amendment 109 – Annex I – Part 1 – point 3 – point a German industry welcomes the proposal to deliver alls products with digitale elements with a secure-by-default configuration including the possibility to reset the product to its original state while retaining all security updates. Such an option is essential, since in future, everyone can assess far-reaching information about known vulnerabilities via ENISA’s vulnerability register. Henceforth, to avoid (re)exploitation of already known vulnerabilities it is essential that security updates are kept even in case of a reset of a product.

Suggestions for further amendments

German industry would appreciate if the members of the ITRE committee of the European Parliament could agree on the following additional amendments:

Scope (Article 2)

EU Commission’s proposal

4 The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential requirements set out in Annex I may be limited or excluded, where:

(a) such limitation or exclusion is consistent with the overall regulatory framework applying to those products; and

(b) the sectoral rules achieve the same level of protection as the one provided for by this Regulation.

The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend this Regulation specifying whether such limitation or exclusion is necessary, the concerned products and rules, as well as the scope of the limitation, if relevant.

Proposal for an Amendment

(a) such limitation or exclusion is consistent with the overall regulatory framework applying to those products; and

(b) the sectoral rules achieve the same level of protection as the one provided for by this Regulation.

Sentence 1 also applies to dual use products with digital elements originating from the range of national security that are provided outside security-related areas in CRA relevant use cases.

Explanation: Since products with digital elements designed for national security environments already fulfil the highest security level of CRA requirements or even exceed such requirements, an additional certification shall not be mandatory when manufacturers of such products with digital elements sell high security solutions into regular (non-national security) markets (reverse-dual-use) Such a clarification is paramount, since some products with digital elements, which are primarily designed for national security scenarios, are also placed on the internal market for other application scenarios. Double certification requirements and duties must be avoided as they would not increase the resilience of such products

Critical products with digital elements (Article 6)

EU Commission’s proposal Proposal for an Amendment

(5) The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly criticalproducts with digitalelements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is:

(5) The Commission taking nto account the advise of the Expert Group referred to in [Article 6a] is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which themanufacturers shall be required to obtain third-party certification based on international standards or comparable European standards a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the Commission shall take into account the level of cybersecurity risk related to the categoryof products with digital elements, in light of one or several of the criteria listed in paragraph 2, as well as in view of the assessment of whether that category of products is:

Explanation: The drafting process of the European Cloud Services scheme pursuant to Regulation (EU) 2019/881 was marked by a very highly level of intransparency and a massive lack of stakeholder involvement. Based on this experience as well as the very long time required to develop such a scheme, German industry opposes the idea of granting the European Commission exclusive powers to specify categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. Rather than relying on the very time-consuming process of developing cybersecurity certification schemesunder the Cyber SecurityAct, international or European standards should be the basis for certification. Moreover, industry concerns mustbetaken into account when definingproductsas “highly critical”. To thisend, theproposedExpert Group on Cyber Resilience should be allowed to provide binding expertise to the European Commission.

Obligations of manufacturers (Article 10 and Annex I)

EU Commission’s proposal Proposal for an Amendment

6a. Manufacturers of products with digital elements when offering security updates for a period longer than initially stated can charge customers for the provision of these updates. Customers have the right to opt-out from the provision of such updates and must be informed – in an appropriate manner –about the respective consequences in terms of a reduced cyber-resilience of their product.

Explanation: German industry urges the European co-legislators to enable manufacturers of products with digital elements to charge their customers for the provision of security updates after the initially communicated timeframe. This would encourage manufacturers to provide updates and thereby enhance the longevity, and hence, sustainability of a product with digital elements while at the same time recognise the significant efforts associated with the development and provision of updates.

EU Commission’s proposal Proposal for an Amendment

15. The Commission may, by means of implementing acts, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).

Explanation: Article 10.15 and ITRE Amendment 31 and 63 empower the Commission to specify the format and elements of the software bill of materials (SBOMs) that would bypass established standardization processes developing consensus-based, market-driven, fair, inclusive, and transparent standards. SBOMs can be complex and large, and if multiple formats are required in different jurisdictions, this places additional burden on the manufacturer, regardless of whether the manufacturer operates in Europe or supplies products with digital elements to the EU. German industry strongly recommends that SBOMs specifications are left to international conventions and standards developed through multistakeholder expert engagements ensuring that SBOMs specifications are aligned with widely adopted international standards and proven software development practices.

EU Commission’s proposal Proposal for an Amendment

16. Government bodies of Member States must, without undue delay, inform manufacturers of products with digital elements about any vulnerability they are aware of.

Explanation: German industry welcomes the European Commission’s core idea that manufacturers shall only place those products with digital elements on the market that fulfil essential cybersecurity requirements, such as security-by-design andprotection from unauthorisedaccessby appropriate control mechanisms. Moreover, we appreciate that all manufacturers are required to implement, in a structured manner, a vulnerability handling process. To ensure that manufacturers of products with digital elements are made aware of all known vulnerabilities, German industry urges the European colegislators to require government bodies – both at supranational, national and regional level – to share their knowledge of vulnerabilities, i.e. backdoors, with the respective manufacturer and refrain from legislation that allows exploitation of vulnerabilities in order to break or circumvent encryption. Vulnerabilities are a security risk for all and weaken Europe’s cyber-resilience. Henceforth, the Cyber Resilience Act can only achieve its intended goal if both manufacturers and government bodies contribute their fair share. Such an obligation should be introduced in a separate piece of legislation by Member States and should come into effect not later than at end of the implementation period of the CRA

Reporting obligations of manufacturers (Article 11)

EU Commission’s proposal Proposal for an Amendment

1a. ENISA shall, after having consulted relevant stakeholder groups, establish a digital reporting mechanism, which enables manufacturers of products with digital elements via Application Programming Interfaces (API) and a web-based form to fulfil their reporting obligations pursuant to paragraph 1.

Explanation: The co-legislators should establish a fully digital information flow and secure reporting mechanism both to ENISA as well as between ENISA, competent national authorities, and market surveillance bodies for reports according to Article 11 point 1 to facilitate the reporting requirements and thereby to avoid unnecessary bureaucracy. Manufacturers of products with digital elements should only have to report such incidents once within the EU (i.e. either to ENISA or to one Member State) Due to the massive gap in cybersecurity professionals, amounting to more than 104,000 IT security specialists in Germany alone1, efficient reporting mechanisms based on the once-only principle are crucial to ensure that companies can focus on incident and vulnerability handling rather than on reporting the same information to various national and EU institutions.

EU Commission’s proposal

2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any incident having impact on the security of the product with digital elements. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, where

Proposal for an Amendment

2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any significant incident having a significant impact on the security of the product with digital elements. ENISA shall, without undue delay, unless forjustified cybersecurity risk-related grounds, forward the notifications to the single point of contact designated in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of the Member States concerned and inform the market surveillance authority about the notified incidents. The incident notification shall include information on the severity and impact of the incident and, applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a crossborder impact. where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact. To ensure a common level of reporting, ENISA will, within 6 months after the ratification of this Regulation set out what constitutes a significant incident and a significant impact.

Explanation: To ensure uniformity in terms of information reported to ENISA as well as clarity in terms of understanding of the CRA’s reporting obligations among economic operators, an EU-wide unison understanding of what constitutes a significant incident needs to be established by ENISA. To this end the development of guidelines is paramount.

EU Commission’s proposal Proposal for an Amendment

3a. ENISA shall forward after a remedy to a vulnerability has been published all information notified by manufacturers of products with digital elements pursuant to paragraphs 1 and 2 to the national competent authorities for cybersecurity in an electronic format via secure channels.

Explanation: To ensure that the competent national authorities are aware of the current threat landscape as well as currently exploitable vulnerabilities, an exchange of information between the EU and Member State level is paramount. To this end an information sharing platform must be established.

Other cases in which obligations of manufacturers apply (Article 16)

EU Commission’s proposal Proposal for an Amendment

A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation.

That person shall be subject to the obligations of themanufacturer set out in Articles 10and 11(1), (2), (4) and (7), for the part of the product that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.

A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digitalelements and places the product on the market / makes the product available on the market shall be considered a manufacturer for the purposes of this Regulation.

Explanation:Whenever a companymodifiesa product with digitalelements to correspond to its internal requirements but does not place that product on the market, it shall not have to fulfil the obligations a manufacturer under the CRA has to fulfil.

Article 24 – paragraph 3a (new)

EU Commission’s proposal Proposal for an Amendment

Where products with digital elements have equitable hardware or software, one product model can be representative of a family of products for the purposes of the following conformity assessment procedures:

(a) the internal control procedure (based on module A) set out in Annex VI; or

(b) the EU-type examination procedure (based on module B) set out in Annex VI followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VI;

Explanation: The principle of similarity reducing assessment effort by accepting one product as representative of a family/category of products for assessment purposes due to them having equitable hardware and/or software.

Article 39a (new) – International Cooperation

EU Commission’s proposal Proposal for an Amendment

The European Commission shall contribute to the Union’s efforts to cooperate with third countries by including this Regulation in Mutual Recognition Agreements on conformity assessment, subject to full reciprocity and to the support of the Party to the Agreement in question.

Explanation: The principle of reciprocity eliminates duplication by accepting the entities’ assessments or certification in lieu of one’s own. The EU already has Mutual Recognition Agreements in place with variouscountries for ConformityAssessmentbutthese need to be updatedtoapply in the CRAcontext.

Article 42

EU Commission’s proposal Proposal for an Amendment

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential requirements set out in Annex I and upon a reasoned request, the market surveillance authorities shall be granted access to the data required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the respective economic operator.

Explanation: Since access to the source code of a product with digital elements has far-reaching implication for protecting the resilience of a product with digital elements as well as for protecting a manufacturer’s intellectual property, an access for the market surveillance authorities to such source code should be granted in a location under the control the manufacturer.

Annex II (6) – SBOM

EU Commission’s proposal

if and, where applicable, where the software bill of materials can be accessed;

Proposal for an Amendment

Explanation: Since SBOMs are still in their “infancy”, and as such, have not yet achieved the required maturity level on how they should be implement-ed, shared and used. Therefore, it will be critical to ensure that regulators allowand supportthe private sector to coalesceon the standard-basedconcepts and formats that work best for given industries and organisations. We therefore would appreciate if this reference to SBOMs was deleted in Annex II (6).

Evaluation of (selected) proposed amendments

MEP Danti’s Amendment

BDI’s proposal for amending Recital 2

(new)

MEP Danti’s Amendment

BDI’s proposal for amending Recital 4 a (new)

Amendment 6 – Recital 8

MEP Danti’s Amendment

Amendment 8 – Recital 10

BDI’s proposal for amending Recital 8

BDI’s proposal for amending Recital 32a

a (new)

Danti’s proposal for an amendment BDI’s proposal for an additional paragraph in Article 1

Danti’s proposal for an amendment

MEP Danti’s proposal for an amendment

BDI’s proposal for amending Article 11 –paragraph 2

Amendment 78 – Article 17 a (new)

MEP Danti’s proposal for an amendment

Suggestions for further amendments

Scope (Article 2)

EU Commission’s proposal

Proposal for an Amendment

Critical products with digital elements (Article 6)

EU Commission’s proposal Proposal for an Amendment

Obligations of manufacturers (Article 10 and Annex I)

EU Commission’s proposal Proposal for an Amendment

EU Commission’s proposal Proposal for an Amendment

EU Commission’s proposal Proposal for an Amendment

Reporting obligations of manufacturers (Article 11)

EU Commission’s proposal Proposal for an Amendment

EU Commission’s proposal

Proposal for an Amendment

EU Commission’s proposal Proposal for an Amendment

Other cases in which obligations of manufacturers apply (Article 16)

EU Commission’s proposal Proposal for an Amendment

EU Commission’s proposal Proposal for an Amendment

Article 39a (new) – International Cooperation

EU Commission’s proposal Proposal for an Amendment

Article 42

EU Commission’s proposal Proposal for an Amendment

Annex II (6) – SBOM

EU Commission’s proposal

Proposal for an Amendment

This article is from:

ITRE draft report on the Cyber Resilience Act