EU Cyber Resilience Act May Cause Bottlenecks, Companies SayDigital Europe Says Third-Party Assessments Could Ensnare Supply Chains
Heads of major European tech companies are calling on trading bloc lawmakers to revise a proposed cybersecurity law, which they argue will create bottlenecks that disrupt the supply chain.
Legislation being fast-tracked into law by the European Parliament dubbed the Cyber Resilience Act, requires manufacturers of certain high-risk products to undergo a third-party risk assessment before bringing products to market. The proposal, put forward by the European Commission in 2022, passed a key parliamentary committee in July and was fast-tracked to negotiations between lawmakers and the European Council, a body of direct nation-state government representatives, in talks mediated by the European Commission.
Europe lacks the capacity to perform that many third-party assessments, said the CEOs of companies including Siemens, Ericsson, and Schneider Electric in a letter spearheaded by trade association Digital Europe.
"We risk creating a COVID-style blockage in European supply chains, disrupting the single market and harming our competitiveness," the letters states, referring to manufacturing disruptions caused by the 2020 onset of the novel coronavirus pandemic. The proposal could affect anything from washing machines to cybersecurity products, the letter says.
A counterproposal backed by the European Council would greatly narrow the number of critical products subject to mandatory third-party security assessments. Under the council's position, only "hardware devices with security boxes," smart meters and smartcards would be subject to third-party certification.
Digital Europe said the proposal would still pose bottleneck risks even if the council prevails in trilogue talks, due to language in the bill requiring products at lesser risk of self-certifying to meet security standards. Self-certification will be possible only if the European Union approves harmonized self-certification standards. "There won’t be sufficient time for standards to be finalized and, in general, for the private and public sector to prepare for the new compliance regime," a Digital Europe official told Information Security Media Group.
Letter signatories also are concerned about a provision requiring software developers to report vulnerabilities within 24 hours of their discovery.
With Europe currently witnessing a cybersecurity workforce shortage, the letter argues, the proposed clause could result in a high volume of reporting beyond the capacity of cyber agencies to handle.
Similar concerns were raised by cybersecurity experts, who recently warned that nation-states and other hacker groups could target a centralized database for reporting vulnerabilities to access zero-days and other critical flaws for hacking campaigns (see: Cyber Mavens Slam Europe's Cyber Resilience Act).
In Monday's letter, the company heads called on the EU officials to amend the proposed 24-hour vulnerability deadline to only include actively exploited flaws that pose "a significant cybersecurity risk."
They added that manufacturers should be allowed to make a "judgment call" on what flaws to patch "based on justified cybersecurity-related grounds."