Position on the upcoming Cyber Resilience Act

The TÜV Association welcomes the Commission’s intention of establishing binding cybersecurity requirements for a broad range of products and services by establishing the Cyber Resiliance Act.

© Pete Willis via Unsplash

To date, the EU is lacking an all-encompassing approach to cybersecurity. Cybersecurity provisions in current legislation are either limited to specific product groups or are only applicable on a voluntary basis. The EU Commission has recognized this significant regulatory gap and announced to propose a Cyber Resilience Act (CRA) in the third quarter of 2022. Among the options considered is a horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible and non-tangible digital products and ancillary associated services.

The TÜV Association welcomes the Commission’s intention of establishing binding cybersecurity requirements for a broad range of products and services. However, instead of developing new and detailed horizontal cybersecurity requirements in the CRA as such, the EU legislator should built upon the existing EU cybersecurity framework. With the Cybersecurity Act (CSA)1 adopted in 2019, there is a highly suitable regulation already in place that establishes comprehensive cybersecurity requirements for products, services and processes through its cybersecurity certification schemes. The only flaw is its
voluntary character. Therefore, the CRA should make the CSA schemes, together with their associated assurance levels and conformity assessment procedures, legally binding. This approach will lead to a swift adoption of cybersecurity provisions without creating overlapping or diverging requirements.

Policy recommendation: making the schemes of the Cybersecurity Act binding through the Cyber Resilience Act

  1. Formulate only the overarching cybersecurity requirement in the CRA
  2. Make the CSA scheme binding through a direct reference clause in the CRA
  3. Include a conflict-of-law rule

The product, ICT product, ICT service or ICT process shall be constructed, designed or built in such a way that it offers risk-adequate protection (robustness) against cyber-attacks, i.e. in particular that a cyber-attack on the ICT product, ICT service or ICT process must not impair the legal rights of users or third parties, in particular the protection of life and limb, including privacy. Within this, the specifications of the respective relevant schemes of the CSA including their risk assessment level
must be complied with.

Suggested wording for the key provision of the Cyber Resilience Act

*Please refer to the supplementary expert opinion on the compatibility between the CSA and the NLF by Prof Gerald Spindler, page 32.

Download the position

Position on the upcoming Cyber Resilience Act