- considers it essential to strengthen the collective response to cyber-attacks and to consolidate the process of harmonising national-level cybersecurity in terms of operational rules and tools, to prevent different national approaches creating legal uncertainties and obstacles;
- considers it important to point out that, while it is commendable that the Cyber Resilience Act (CRA) covers virtually all digital products, its practical application might be problematic given the considerable and complex monitoring and oversight it entails;
- points to the need to clarify precisely the material scope of the CRA, with particular reference to products with digital elements and software;
- points to the need to clarify the criteria that apply to the services provided by the certification authorities in order to take account of the specific needs of SMEs;
- notes that manufacturers will be obliged to report both vulnerabilities in their products and any security incidents, informing the European Union Agency for Cybersecurity (ENISA). In this regard, it will be important that ENISA be provided with the necessary resources to carry out effectively and in a timely manner the important and sensitive tasks entrusted to it;
- suggests that the Commission draw up guidelines for manufacturers and consumers on the exact rules and procedures that apply in practice, in order to avoid any uncertainty when it comes to interpretation of this legislative proposal vis-à-vis other legislation on cybersecurity;
- notes that the relationship between the certification authorities under the CRA and other bodies authorised to certify cybersecurity under other legislation, as well as the operational coordination between the surveillance authorities provided for in this proposal and those already operating in accordance with other legislation applicable to the same products, are not entirely clear.
For more information please contact the INT Section Secretariat.