The TÜV Association welcomes the European Commission’s intention of establishing binding cybersecurity requirements for a broad range of connected products with digital elements. Given the ever-increasing number of cybersecurity incidents across the Union, it is of paramount importance to provide consumers and businesses with secure products both at the time of purchase and over their entire lifecycle.
To date, the European Union is lacking an all-encompassing approach to cybersecurity. Cybersecurity provisions in current legislation are limited to specific product groups, incomplete or only applicable on a voluntary basis. Tackling the lack of an overall binding EU-cybersecurity framework, the TÜV Association would have welcomed if the European legislator had made use of the existing Cybersecurity Act (CSA) framework by making its schemes, together with their associated assurance levels and conformity assessment procedures binding. Instead, the European legislator opted for a new horizontal policy framework that, similar to the CSA, does not only cover tangible digital products such as connected devices, but also non-tangible digital products such as software products embedded into connected devices.
The TÜV Association welcomes that all products under the scope of the CRA will have to comply with the proposed cybersecurity requirements, irrespective of their risk level. Thus, all manufacturers will be obliged to take appropriate cybersecurity measures before placing their products on the market as well as during their products’ lifecycle.
Apart from setting out ambitious cybersecurity requirements, it is crucial to ensure their consistent and effective compliance. The European legislator has rightly chosen a risk-based approach: The higher the risk level of a product, the more stringent the applicable conformity assessment procedures. However, the proposal falls short of implementing the risk-based approach consistently and coherently. Substantial improvements are needed concerning the risk categorization, the chosen conformity assessment procedures as well as their interplay with sectoral product legislation. The following sections lay down the main areas for improvement and formulate policy recommendations.
Our central demands
- Stipulate an independent conformity assessment for all critical products
- Expand the list of critical products to include, amongst others, consumer products
- Require the application of harmonised standards to non-critical products for a presumption of conformity
- Ensure coherence with conformity assessment procedures in sectoral product legislation
- Ensure coherence with cybersecurity provisions of sectoral product legislation
Positionspapier "On the EU Commission proposal for a Cyber Resilience Act" (EN)