Cyber Resilience Act (cepPolicyBrief COM(2022) 454)


Cyberattacks on software and hardware products cause enormous financial losses worldwide, more than 5.5 trillion euros solely in 2021. With the Cyber Resilience Act, the Commission strives to establish uniform cybersecurity rules for manufacturers, importers and distributors of products with digital elements (PWDE). The Centrum für Europäische Politik (cep) evaluates the draft positively. Exception: the non-transparent differentiation between critical products.


"Brussels aims to oblige the IT industry to massively improve cybersecurity already in the design and development phase. Subsequently, consumers should be able to recognise the security features already at the time of purchase. Accompanied with a specified deadline for the elimination of vulnerabilities, this strengthens the trust of customers. The Commission can only be congratulated on its proposal," says cep economist Philipp Eckhardt, who analysed the draft law with cep legal expert  Anastasia Kotovskaia. According to the cep experts, a weak point is the categorisation of critical products into classes 1 and 2. "This taxonomy is opaque and inconclusive," says Kotovskaia. Against this background, the transfer of powers to adopt delegated acts from the member states to the Commission is legally tricky, she says.

The Cyber Resilience Act (CRA) is to come into force only two years after its adoption. The cep estimates this timeframe as too ambitious. The CRA is designed to preserve a uniform, high level of cybersecurity for hardware and software products - from printers to routers as well as smart household helpers and industrial control systems. "The Commission's proposal is absolutely suitable for its purpose. However, affected  parties need sufficient time for careful implementation of the legal act," emphasise the cep experts.