New EU Cybersecurity Rules Are Well-intended, but Introduce Unnecessary Red Tape

By Kasper Peters
September 15, 2022

Brussels, BELGIUM – The European Commission presented today a new Cyber Resilience Act (CRA), seeking to create extensive approval processes that a wide range of digital products and services would have to undergo before they can be sold and used on the EU market.

The Computer & Communications Industry Association (CCIA Europe) supports the Commission’s objective of strengthening cyber resilience across the EU. Today’s proposal, however, introduces extensive red tape that could slow down, or even stall, the roll-out of new technologies and services that Europe needs.

The draft rules set up an elaborate approval process for stand-alone software and “connected” products that consumers and businesses use, from mobile and desktop operating systems and antivirus software to smart meters.

The CRA also has major ramifications for all kinds of services that use software and hardware covered by the Act throughout their supply chain. This would affect cloud storage, messaging and email, online marketplaces, search engines, and even social networks, for instance.

Concretely, web hosting providers or cloud vendors may not be able to provide their services in Europe unless they make the switch to new EU-approved servers, containing EU-approved microprocessors and other components.

Any important software update would also trigger another round of conformity checks before the updated product can be rolled out in Europe. This means that EU consumers and businesses have to wait longer than those in other regions before they can update their smartphone or computer. Finally, high-risk artificial intelligence (AI) applications would have to undergo extra conformity checks on top of the approval process set out by the EU’s upcoming AI Act.

The CRA proposal will now be reviewed by the European Parliament and EU Member States.

The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:

“The Cyber Resilience Act is an opportunity to raise the cybersecurity level of ‘connected’ products and online services sold and used across Europe. However, policymakers should ensure that complex and long approvals do not unnecessarily hold back the supply of important new technologies that Europe needs.”

“These cybersecurity rules should strive to weed out bad products from the EU market, but the current CRA proposal would lead to innovative products piling up in waiting rooms before they can be used by Europeans. Instead the new rules should recognise globally-accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements.”
