On 25 May, FERMA submitted its response to the European Commission’s public consultation on a Cyber Resilience Act (CRA), which aims to set a standard for the cybersecurity of digital goods and ancillary services in the EU.
Cyber risk management is a top priority for companies. In fact, it has grown in importance in recent years. For instance, in 2018 when FERMA surveyed European risk managers, 37% of the respondents identified cyber threats as the most critical to their organisation. This figure rose to 63% in 2022, according to our last European Risk Manager survey.
FERMA welcomes the European Commission’s initiative that seeks to harmonize practices at EU level and provide clear benchmarks on cyber security.
FERMA recommends to the European Commission to put in place a horizontal legislation for the CRA involving the implementation of a common regulatory approach. It will be applicable to all categories and risk profiles of ICT products in order to guarantee the functioning and harmonisation of the Internal Market. This will ensure certain level playing field and the development of the Digital Single Market.
FERMA has also emphasizes the importance of ensuring proportionality in the future CRA to guarantee fair competition by for instance, allowing self-assessment at a certain level of nature, scale and complexity of organisation (i.e. SMEs).
A transitional period in any form of EU intervention should also be foreseen for companies to adapt, given the quick evolution of cyber risks and threats.
Still, FERMA believes that the CRA is only a brick in the wall of cyber resilience in the EU. Therefore, FERMA calls on the European Commission to foster a global risk management approach to cyber resilience encompassing the identification, assessment and treatment of cyber risks. This global approach could draw upon FERMA’s work in the area of cyber risk governance.
FERMA has been an active contributor to the EU’s Digital Agenda for many years. In addition to the publication on cyber risk governance with ECIIA, FERMA has also produced a report on cyber insurance (here), a guide on AI in risk management (here), and has held multiple webinars on the topic including one on the GDPR (here).
- For content: firstname.lastname@example.org
- For media: Typhaine.email@example.com