FERMA believes the Cyber Resilience Act (the CRA) will improve cybersecurity in the EU but also sees problems arising in the areas of obligations and fines.
The European Commission’s proposed regulation, the CRA, aims to impose cybersecurity requirements on all products ‘with digital elements’. In other words, the CRA aspires to introduce a need for ‘cybersecurity by design’.
Further, the proposed CRA would impose a duty of care for the life cycle of products and will also introduce fines for non-compliance. It purports to do for cyber security what GDPR has done for data privacy.
In FERMA’s feedback to the European Commission, we emphasised two main concerns:
- The obligations on manufacturers, distributors and importers are extensive and the reality with digital products is that it is often infeasible to evidence 100% full compliance; and,
- The introduction of fines for non-compliance may have a variety of unintended consequences, such as stifling innovation or disincentivising investment.
FERMA, as the representative body of the risk profession at EU-level, is happy to see such a strong focus on risk assessment and risk management throughout the requirements in the CRA.
There are, however, a vast number of regulations in the digital sphere, which when looked at on the whole comprise a complex regulatory landscape.
FERMA will therefore seek to inform its Members and network on the evolving needs and requirements concerning cyber resilience.