Feedback to the European Commission on the Draft Cyber Resilience Act
The Center for Data Innovation has submitted feedback on the European Commission’s consultation and call for evidence regarding the Cyber Resilience Act. The Center previously submitted feedback on the roadmap for the Cyber Resilience Act and has been closely following its development.
The Center would like to commend the European Union (EU) for focusing on the growing threat of cybersecurity incidents, which is predicted to cost $10.5 trillion by 2025. The EU has a critical role in promoting cybersecurity practices that counter global cybersecurity threats, and the Cyber Resilience Act is a strong step in the right direction.
Unfortunately, the draft Cyber Resilience Act is too broad in scope and needs clearer definitions. The legislation’s fundamental pitfalls will burden businesses with compliance and undermine avenues for innovation like open source software. Specifically, the European Commission should take the following steps to address the problems in the Cyber Resilience Act:
- Streamline the reporting obligations in the Cyber Resilience Act by either standardizing the requirements found in similar legislation or presuming conformity of a business if it satisfies a directive like NIS2.
- Clarify product categories and technical specifications within the Cyber Resilience Act while creating flexible guidelines to implement the regulation on future technologies.
- Focus on sectoral regulatory intervention, ensuring that cybersecurity legislation is flexible, can evolve with technological advancements, and can be narrowed for specific industry needs.
- Clarify the definition of open source software and clearly exempt it from the scope of the Cyber Resilience Act.
- Clarify questions around SaaS and other cloud computing services to ensure that businesses know whether they need to comply.