Our position on the EU Cyber Resilience Act (CRA)
The text of the draft Regulation should be improved with amendments to ensure that current company practices do not result in serious harms for consumers or negatively impact devices’ sustainability.
- Software is what keeps our devices secure, functional, compatible with the latest apps, and protected against known security vulnerabilities. Out-of-date software on an otherwise functioning device can be a door to one’s bank account or the intimacy of one’s life, render a device unusable, or, worse still, endanger safety and even life.
- While obligations to ensure that products with digital elements receive long-term security software support are welcomed, the text of the draft Regulation fails to distinguish between the various categories of products with digital elements that currently exist on the market. Instead, the Commission proposal adopts a blanket approach for all devices and merely obliges manufacturers to provide security updates for a maximum of 5 years, or even less should the expected lifespan of a device be shorter than this.
- The draft Regulation grants national market surveillance authorities sweeping powers, which come without explicit safeguards to prevent them from stockpiling vulnerabilities at the cost of undermining IT security and data integrity. It needs to go further and ensure that any known vulnerability is immediately fixed and then publicly disclosed by device manufacturers as part of the product’s change log or release notes.
- While the draft Regulation rightly seeks to exempt free and open-source software (FOSS), certain FOSS projects might nevertheless be covered by the Regulation, and thus subject to the obligations it seeks to impose, because, for example, they might provide support services for a fee or they might receive donations.
Privacy International welcomes the aim of the Cyber Resilience Act to bolster cybersecurity rules to ensure more secure hardware and software products. Nevertheless, we note that the proposal put forward by the European Commission contains certain shortcomings which could both hamper innovation and harm consumers who are increasingly relying on digital products and services.
It is essential that these shortcomings, detailed below, are effectively addressed by the EU co-legislators through the introduction of specific amendments to ensure that the aim of the proposed Regulation is not undermined, and that consumers’ devices and data remain secure in our connected world. Notwithstanding any other issues that could potentially arise in the context of the Commission’s proposal, the scope of the present brief is limited to business-to-consumer (B2C) concerns with regard to the duration of security software support, the handling of software vulnerabilities, and free and open-source software (FOSS).