The Center for Data Innovation (Transparency Register #: 367682319221-26) is pleased to submit this feedback on the European Commission’s consultation and call for evidence regarding the Cyber Resilience Act. The Center previously submitted feedback on the roadmap for the Cyber Resilience Act and has been closely following its development.
The Center would like to commend the European Union (EU) for focusing on the growing threat of cybersecurity incidents, which are predicted to cost $10.5 trillion by 2025. The EU has a critical role in promoting cybersecurity practices that counter global cybersecurity threats, and the Cyber Resilience Act is a strong step in the right direction. The Cyber Resilience Act is intended to address gaps in the EU’s existing regulatory framework to improve cybersecurity in connected devices. The proposed regulation would apply a broad horizontal regulatory framework to products with digital elements—including connected devices and non-embedded software—to enforce cybersecurity standards across the digital supply chain.
Unfortunately, the draft Cyber Resilience Act is too broad in scope and needs clearer definitions. The legislation’s fundamental pitfalls will burden businesses with compliance and undermine avenues for innovation like open-source software. The following provides an overview of problems in the Cyber Resilience Act and how to address them. With targeted changes, the Cyber Resilience Act can promote better cybersecurity in the internal market without hurting competition and innovation across Europe.