ETNO-GSMA position paper on the Cyber Resilience Act
The Cyber Resilience Act (CRA) proposal comes at a time when European society, its citizens and businesses have been dealing with a crisis period marked by the COVID-19 pandemic and the war in Ukraine. The telecommunications sector has been capable of responding to these challenges and of demonstrating its robustness, by providing secure and reliable infrastructures and services that are essential for the functioning of the EU’s Digital Internal Market. However, telecommunication network operators are still faced with security gaps in their digital value chains that need addressing.
ETNO and GSMA recommend that the final CRA regulation meets the key objectives that have been pursued by the initial proposal:
- Apply horizontal rules covering the entire supply chain so as to ensure regulatory coherence, consistency and end-to-end security in the supply chain;
- Follow a risk-based approach to keep the framework proportionate and manageable for the various actors in the supply chain, since not all devices/software bear the same risk;
- Ensure that products, especially software, are built secure-by-design and remain secure throughout the lifecycle;
- Implement robust market surveillance capabilities to enforce the rules;
- Promote a level playing field between European and non-European competitors.
In light of these objectives, we recommend that co-legislators make some relevant changes to the draft regulation to effectively enhance the cybersecurity of products and services and the cyber resilience of the internal market:
- Improve the harmonization of the whole cybersecurity legislation in Europe, by introducing uniform concepts and definitions that would also supersede unclear or diverging notions in other relevant pieces of law.
- Make a clear distinction between networks within the scope of the NIS2 Directive and products with digital elements within the scope of the CRA. Specify clearly that electronic communications networks (ECN) are explicitly excluded from the scope of the CRA. ECN providers use products with digital elements supplied to them by third-party manufacturers to ensure a resilient and secure functioning of their networks. Under the CRA, manufacturers of these products must remain directly accountable and responsible for the security of those products, from conception and throughout their lifetime.
- Ensure that all products with digital elements that can be used for the security-critical functions of an ECN are listed in Annex III.
- Further strengthen the risk-based approach, recognizing the differences between consumer and enterprise products and modulating the obligations for economic operators according to the different criticality of products.
- Keep Software-as-a-Service (SaaS) in scope of the CRA, as it is increasingly an integrated part of digital products and networks.
- Maintain the view that open-source software developed or supplied outside of a commercial activity should be firmly excluded from the proposal, but clarify that, when an economic operator monetizes and places a product that integrates open-source software on the market, that operator is responsible for the product, including updates, throughout its lifetime.
- Ensure that manufacturers support their products throughout the product-specific expected lifetime, whatever it might be, rather than a fixed number of years. All known vulnerabilities must be fixed in accordance with their risk level, without undue delay. Provide for responsible disclosure of known exploitable vulnerabilities, based on established norms and practices such as the Common Vulnerability Scoring System.
- Keep the reporting obligations proportionate to the risk so that they support a secure supply chain rather than hinder its functioning. This includes aligning requirements with the process, scope, and organizational setup of the notification requirements under the NIS 2 Directive.
- Strongly promote the use of existing international standards and use common specifications only as a last resort.
We elaborate on our recommendations in the paper.
For questions and clarifications regarding this feedback, please contact Paolo Grassia (grassia@etno.eu), Director of Public Policy at ETNO, and Lotte Abildgaard (labildgaard@gsma.com), Director of Public Policy at GSMA.