TÜV Association calls for further tightening of the Cyber Resilience Act

The EU Commission has presented a proposal for mandatory requirements for the cybersecurity of hardware and software products. Compliance with the requirements for all critical products should be mandatorily assessed by independent bodies.


Berlin, 15 September 2022 – The TÜV Association welcomes today’s EU Commission proposal for a Cyber Resilience Act (CRA) in principle, but calls for its further tightening. "We welcome the objective to establish mandatory essential cybersecurity requirements for products with digital elements. This step is long overdue, as companies, authorities and citizens must be better protected against cyber-attacks," says Marc Fliehe, Head of Digitalisation and Cybersecurity at the TÜV Association. "However, the Cyber Resilience Act must not only define cybersecurity requirements, but it must also stipulate effective instruments with which compliance with these requirements can be reliably verified." Otherwise, the Cyber Resilience Act will remain a toothless tiger. Fliehe: "Cybersecurity must finally become an integral part of product safety, from connected toys to DSL routers to security-relevant digital applications in critical infrastructure."

According to the Commission proposal, products will be categorized into different risk classes. However, many products with an increased risk level ("critical products" according to Annex III, Class I) could be placed on the market on the basis of a mere manufacturer's self-declaration. The TÜV Association considers this approach inappropriate, as a self-declaration is not suitable for ensuring an adequate level of cybersecurity in connected products. The mandatory and consistent involvement of independent assessment bodies for critical products is indispensable to create the necessary trust in the security of digital technologies.

However, the TÜV Association welcomes the fact that the EU Commission considers the entire life cycle of digital products in its draft regulation by mandating corresponding security requirements for a product’s use phase. Essential security updates are to be provided over a period of up to five years, allowing a longer use phase for products and saving resources.

The draft Cyber Resilience Act establishes, for the first time, binding cybersecurity requirements for manufacturers and providers of "products with digital elements" throughout Europe. The proposed regulation covers hardware and software placed on the market either as end products or as components. In future, manufacturers and providers will have to take digital security into account during the product development stage ("security by design"), eliminate any vulnerabilities that occur during the product's life cycle and provide corresponding security updates.

The EU member states and the European Parliament will now scrutinize the proposed legislation. The TÜV Association will constructively support its further deliberation and subsequent implementation.