Cybersecurity: ZVEI publishes implementation recommendations

The informal discussions of the stakeholders around the CRA already started in September.

ZVEI is part of the informal discussions on the Cyber Resilience Act (CRA) between European legislators and other stakeholders. The European Commission had already published the draft of the CRA on 15 September 2022. ZVEI supports the basic idea of the CRA as a horizontal product regulation in the established legal framework for placing products on the market.

CRA must be feasible despite enormous breadth of products

According to the ZVEI, the goal of increasing the general level of resilience is desirable, but the realistic feasibility must always be taken into account in view of the enormous breadth of products affected and complex technical challenges.

The formal trilogue negotiations have now begun at the end of September 2023. The ZVEI has also drawn up recommendations for these negotiations. The most important aspects from the perspective of the electrical and digital industry are:

The classification logic of so-called "critical products" according to Article 6, which limits the choice of possible conformity assessment procedures.
The possibility for manufacturers to transparently determine and present the period of security support provided.
The coherent establishment of the Cyber Resilience Act as a central reference point for the cyber security of products.
Legally compliant requirements on vulnerabilities in products.
Realistic transition periods of at least 48 months in view of the very ambitious regulatory target.

With this paper, the ZVEI has now developed proposals for solutions to these and other problems.

The entire paper is available for download free of charge.