More proportionate approach needed to determine product risk levels
The second recommendation calls for a more proportionate approach to determining a product’s risk level, together with more certainty for manufacturers about whether a product counts as critical. “A transparent and inclusive review process involving economic operators should be set up to determine whether a product is critical,” the groups wrote. Such a process, they argued, would avoid wrongly designating too many products as “critical,” which would make those products more expensive and force organizations to divert cybersecurity resources into meeting overly stringent requirements instead of tackling real risks.
For example, the groups said that while the current effort to simplify the criteria for placing products in the critical category goes in the right direction, the reference to “personal data processing” should be narrowed to the processing of “sensitive personal data” only, because almost every device today processes personal data to some extent.
Mandatory reporting of unpatched vulnerabilities should be removed
The third recommendation is that, under the EU CRA, only patched vulnerabilities that have been actively exploited and pose a significant cybersecurity risk should have to be reported. “Mandatory reporting of unpatched vulnerabilities [currently proposed in the CRA] represents a serious concern recently signaled by a broad industry coalition. In general, it is crucial that the reporting obligations, including the reporting timeline and the competent authority, in both Article 11(1) and (2) are in line with the NIS 2 Directive,” it read.
Furthermore, only “significant” incidents should be subject to the reporting obligations of Article 11, to avoid an unmanageable reporting burden for manufacturers and responsible authorities alike, the groups added.
Work needed to avoid disproportionate obligations and obligations that increase cybersecurity risk
More work is required to avoid obligations that are disproportionate or impossible to meet, and obligations that actually increase cybersecurity risk, the final recommendation read. The CRA’s Annex I on essential requirements should establish proportionate obligations, the groups argued: the absolute obligation to “deliver a product without known exploitable vulnerabilities” is an impossible bar, since product security depends on numerous factors, including the environment in which the product is deployed. It also ignores the manufacturers’ margin of action before and after a product is placed on the market, they added. “This should be limited to any publicly known critical or highly critical vulnerabilities.”
Likewise, the groups said, a mandatory security update period based on the “expected product lifetime” is a disproportionate and legally uncertain concept, and more clarity is needed. “Linking ‘expected product lifetime’ solely to ‘reasonable user expectations’ will create great legal uncertainty across the EU single market as the actual duration periods will ultimately be determined by national market surveillance authorities and courts, not manufacturers.”