Telecommunications giants Ericsson, Nokia and other industry players have cautioned that the EU’s endeavor to apply universal cybersecurity benchmarks to connected devices could trigger supply chain interruptions comparable to those caused by COVID-19. This has been communicated in a letter dispatched via lobby group DigitalEurope to key stakeholders in the EU.
The premise of this argument is that the EU currently does not possess the required resources to certify products and components compliant with the proposed standards quickly enough. Delays in the certification process could create bottlenecks, hindering the availability of products to European consumers.
The Cyber Resilience Act (CRA), proposed last September, aspires to implement common cybersecurity standards for what the EU defines as “products with digital elements”. The legislation covers a wide range of software and hardware, which could pose a challenge for vendors needing to demonstrate compliance, resulting in potential stall-outs.
A key concern pointed out by the critics is the capacity crisis European conformity assessment faces. There’s a rising sentiment that secure products may be shut out from the EU market due to certification traffic congestions. This could potentially have far-reaching repercussions on the broader supply chains as many of these components are pivotal in both the European economy and the green transition, leading to a “COVID-style” bottleneck.
To combat such risks, the respondents suggest leaning heavily on self-assessment and require at least a two-year implementation period for adjustments. Additionally, they recommend narrowing down the number of products subject to the legislation.
Signatories, including the CEOs of Ericsson, Nokia, Bosch, Schneider Electric, Siemens and antivirus software maker ESET, have also positioned against the CRA’s mandate for vendors to divulge all unpatched security vulnerabilities within 24 hours of discovery. Reporting these vulnerabilities could potentially expose products to additional cyberattacks and create a treasure trove of compromised data for hackers.
Solutions offered by the companies involve giving certain leeway to manufacturers for patching vulnerable devices before reporting discrepancies. They also advocate for limiting reporting only to significant security risks and aligning with the European Parliament’s suggestion on defining actively exploited vulnerabilities.
Achieving equilibrium in this scenario is undoubtedly complicated. While safeguarding the EU consumer market with universal cybersecurity standards is commendable, the crux of the issue lies in whether the vendors themselves or third parties are best suited to ensure consistency.
Given that this legislation process is already underway, vendors need to act fast to demonstrate that self-assessment is the feasible option. The global annual cost of cybercrime, which amounted to €5.5 trillion in 2021, underscored the urgency of improving cybersecurity to reduce the frequency of such vulnerabilities and breaches.