Cyberveilig Nederland's response to the Cyber Resilience Act

Response to European Commission Public Consultation on the Cyber Resilience Act

Naarden, 25-05-2022

We appreciate the opportunity to respond on behalf of Cyberveilig Nederland, the association of the cybersecurity sector in the Netherlands, to the European Commission Public Consultation on the Cyber Resilience Act.

Cybersecurity is essential for a digital society

Our societies within the EU are highly digitized and connected. This offers many opportunities for the social and economic challenges facing the EU. Unfortunately, it also makes us vulnerable to cyber incidents. Therefore, we see the need for common standards to improve the cybersecurity of products in the European internal market, as stated by the European Commission. Cyberveilig Nederland, the association of cybersecurity companies in the Netherlands, agrees that it is important that all digital products, processes and services can be trusted to be digitally secure. Therefore, we welcome the upcoming Cyber Resilience Act (CRA).

However, Cyberveilig Nederland would like to raise some points of attention:

• The focus of the CRA should be on setting cybersecurity requirements that cover all forms of both digital products and services, irrespective of whether they are offered for consumer or business/industrial purposes and irrespective of whether they are linked to a physical product. However, critical infrastructures require different cybersecurity safeguards than home-computing applications or simple office environments. Striking a balance between these different fields is complex and requires further elaboration of the CRA.

• The level of security for software products is higher in almost all phases. A lot of hardware-related security only occurs at a very late stage of development, and the possible flaws are complex to solve once the product is in use. Therefore, the CRA should cover the entire lifecycle of digital products, processes and services through a duty of care based on the latest state of technology.

• A risk-based approach is necessary to increase cybersecurity in businesses, public administrations and for consumers using digital products and services. Therefore, the CRA should not focus solely on technical security. Effective cybersecurity is a combination of technology, organisation and the human factor.

• More and more digital attacks are taking place in the supply chain (e.g. SolarWinds). Many manufacturers of hardware and software are located outside the European Union. What will the CRA do to hold these organisations accountable for their responsibilities?

• Various (cybersecurity) regulations are currently under development (NIS2.0, Cybersecurity Act) that aim for a digitally resilient EU. How will the EC ensure that these regulations reinforce and are aligned with each other?

• Trust services or critical infrastructures require different cybersecurity safeguards than home-computing applications or simple office environments. The cybersecurity maturity level varies widely and the self-reliance also differs enormously.

To summarize, the discussion about the need and content of a Cyber Resilience Act could provide an opportunity to harmonize European cybersecurity obligations and achieve more legal consistency between national and European levels. We also welcome the objective of setting up a level playing field for vendors. Promoting the cybersecurity of products will help to mitigate potential vendor losses and have a positive effect on the economy and innovation in the EU. Therefore, Cyberveilig Nederland welcomes the CRA.

We would be pleased to have further dialogue with the European Commission and to discuss any comments or questions you may have regarding our responses.

We can be reached as follows:

Petra Oldengarm, director (petra@cyberveilignederland.nl)
Liesbeth Holterman, strategic advisor (liesbeth@cyberveilignederland.nl)

Yours sincerely,

Liesbeth Holterman
Strategic advisor
Cyberveilig Nederland

 
