The Cyber Resilience Act: How to make Europe more digitally resilient?
If the EU’s new Cyber Resilience Act truly wants to improve the EU’s digital security landscape, it must do more than introduce an industry certification scheme: true IT security requires long-term software support, transparent and safe vulnerability handling and disclosure, and an acknowledgment of the essential role of free and open software communities in Europe’s digitisation.
The European Parliament and EU member states are currently negotiating the Cyber Resilience Act (CRA), a new Regulation proposed in 2022 aimed at bolstering the digital security of connected devices in the EU. The CRA proposes auditing and certification requirements on software and hardware manufacturers of connected devices and includes a minimum period for which they must provide software security fixes for their products.
However, the EU will fall short of achieving its goal unless legislators fix the proposal’s shortcomings. That is why EDRi’s position paper recommends that the EU legislators substantially improve the CRA by:
- Requiring manufacturers to guarantee 10 years' worth of software security updates and to clearly communicate the end-of-support date of each individual product on its packaging;
- Exempting free and open source software projects that are provided not-for-profit or by micro-enterprises from the burden of this Regulation;
- Increasing the transparency of security vulnerability handling and disclosure;
- Including a criminal and civil liability safe harbour for vulnerability handling and disclosure practices of good faith security researchers.
The measures recommended by EDRi are designed to improve the discovery and fixing of software security vulnerabilities and maximise the long-term benefits of secure software installed on our devices.
Guaranteed long-term software updates from manufacturers not only improve the EU’s overall digital security landscape, they also substantially contribute to reducing electronic waste. Under its Circular Economy Action Plan 2020 and the European Green Deal, the EU wants mobile phones and other devices to be durable, easily repairable by consumers and reusable for as long as possible. That’s why the latest EcoDesign Proposal puts forward an obligation for manufacturers to allow consumers to more easily replace smartphone and tablet batteries.
Yet, a longer product lifetime will fail to have any impact if device manufacturers stop providing software security fixes after a short period of time. This is particularly problematic for devices that consumers could and want to use for a longer period of time, such as smartphones, tablets, and ‘smart’ home appliances like TVs, fridges and washing machines.
The CRA should create incentives for manufacturers to showcase long software support, device security and device sustainability as unique selling points for customers, and in doing so make us more resilient against cyberattacks.
- Response by EDRi member Vrijschrift to the European Commission’s consultation on the CRA
- Response by the Document Foundation to the European Commission’s consultation on the CRA
- Open Source Initiative: Why the European Commission must consult the Open Source communities
- EDRi member Privacy International’s position on the EU Cyber Resilience Act