The European Union’s recently presented Cyber Resilience Act seeks to bolster the cybersecurity of digital products used by EU consumers. The Center for Data Innovation convened experts to discuss the Cyber Resilience Act, the basics of security-by-design, and what challenges the proposal faces.
Raluca Stefanuc, policy officer at DG Connect, explained that because previous legislation did not target connected devices, the Commission felt the Cyber Resilience Act needed to be a horizontal legislative framework. The draft NIS2 directive targeted the cyber resilience of critical economic services and supply chains, and the Cybersecurity Act strengthened the mandate of ENISA and created voluntary cybersecurity certification schemes. Neither targeted connected devices and their embedded software, making the Cyber Resilience Act the first EU-level legislation to do so. Stefanuc acknowledged potential high compliance costs for businesses but argued these were necessary to ensure that businesses design products from the very beginning of the lifecycle to mitigate cybersecurity vulnerabilities. She argued voluntary approaches did not incentivize security-by-design or effectively address vulnerabilities throughout a product’s lifecycle. Additionally, she clarified the definition of “commercial activity” within the Cyber Resilience Act, acknowledging that the Commission is monitoring third-party concerns over how the definition would affect free and open source software.
Anna Bosch, senior policy associate for ACT | The App Association, discussed the small and medium-sized enterprises affected by the proposal, which she described as especially vulnerable to cyber threats and malicious actors. According to Bosch, these businesses already have strong incentives to increase their cyber resilience without the mandates of the Cyber Resilience Act because they rely on consumer trust to succeed. She welcomed the Commission’s proposal because it harmonized legislative expectations for smaller businesses. But she also argued that a voluntary guidance approach would offer more flexibility and that light-touch regulation is best suited to address the continuously changing dynamics in cybersecurity. Further, Bosch warned regulators to pay attention to the compliance costs of the Cyber Resilience Act and the impact they will have on businesses.
Katerina Demetzou, policy counsel for global privacy for the Future of Privacy Forum, focused primarily on the Cyber Resilience Act’s interactions with the General Data Protection Regulation (GDPR). Demetzou described GDPR as a legal framework for the protection of personal data and all fundamental rights and freedoms when processing personal data. She argued that the Cyber Resilience Act’s focus on providing users access to information about products’ cybersecurity complemented GDPR’s obligation to make users aware of potential risks to their rights, including security. Demetzou also found similarities between security-by-design in the Cyber Resilience Act and data protection by design and by default, where GDPR promotes privacy-enhancing technologies like encryption and pseudonymization. Demetzou encouraged policymakers to look closely at the gaps each part of the supply chain faces and clarify how the Cyber Resilience Act could intervene to ensure an efficient allocation of regulation and support. She warned that there needs to be consistency between definitions in the Cyber Resilience Act and other legislation like GDPR and the AI Act to ensure clean legislative interactions.
Overall, all the panelists agreed that the current draft of the Cyber Resilience Act was a strong step towards harmonizing the EU’s cybersecurity landscape, minimizing legislative fragmentation, and incentivizing the Digital Single Market. But the disagreement between the panelists highlighted how further clarification is necessary, particularly regarding the Cyber Resilience Act’s legislative interactions, sections affecting free and open source software, and potential compliance costs for businesses.