Telecom vendors sound alarm over EU Cyber Resilience Act

Ericsson, Nokia and others have warned that the EU’s effort to apply common cybersecurity standards to connected devices may lead to ‘COVID-style’ supply chain disruption.

Their concerns are set out in a letter sent via lobby group DigitalEurope to internal market commissioner Thierry Breton; EU vice presidents Margaritis Schinas and Věra Jourová; Spanish secretary of state for digitalisation and AI Carme Artigas; and Italian MEP Nicola Danti.

In a nutshell, they argue that the EU currently lacks the capacity required to certify compliant products and components in a timely fashion, and that this will create bottlenecks in the system, resulting in products not being available for sale to European consumers.

Proposed last September, the Cyber Resilience Act (CRA) aims to impose common cybersecurity standards for what the EU classifies as “products with digital elements”. To achieve this, it will establish a framework for developing hardware and software with fewer vulnerabilities, and will require device makers to keep their products up to date with security patches throughout their lifecycle.

Other practical requirements include vendors carrying out cybersecurity risk assessments for individual products; ensuring components sourced from third parties do not jeopardise the security of their products; and producing clear and concise instructions for end users.

The CRA has a pretty broad scope when it comes to classes of product covered by its proposed legislation. They include software like operating systems, password managers and Web browsers, and hardware such as routers, smart meters, industrial IoT devices, processors, and physical network interfaces.

In order to sell a product subject to the CRA, vendors must demonstrate compliance, so some sort of certification process is needed, and this – claim the letter-senders – might cause hold-ups.

“Given the CRA’s wide scope and a lack of capacity, we face a situation where secure products cannot be placed on the market and will be blocked for EU customers. Europe cannot currently offer so many conformity assessments, creating bottlenecks as manufacturers must prove compliance through third party certifiers,” the signatories warned. “This will have a huge effect on the wider supply chains, as many of these components are crucial inputs for the European economy and the green transition. We risk creating a COVID-style blockage in European supply chains, disrupting the Single Market and harming our competitiveness.”

To mitigate these risks, the letter calls for self-assessment to be used as much as possible. They also want a minimum implementation period of two years to give them time to iron out the creases. They also want the number of products covered by the legislation to be significantly reduced.

As well as Ericsson chief Börje Ekholm and his opposite number at Nokia, Pekka Lundmark, the letter has also been signed by the CEOs of Bosch, Schneider Electric, Siemens, and antivirus software maker ESET.

These signatories are also highly critical of the CRA’s proposed requirement for vendors to report any unpatched security vulnerabilities within 24 hours of becoming aware of them. They argue that reporting such unpatched vulnerabilities exposes products to further cyberattacks. Furthermore, accumulated data about unpatched vulnerabilities would be a juicy target for hackers.

Instead, Ericsson et al want manufacturers to be permitted to prioritise patching vulnerable devices over immediate reporting of their flaws. They also want reporting to be limited to incidents that pose a significant security risk, and have echoed the European Parliament’s recommendation that an actively exploited vulnerability can only be defined as such if there is reliable evidence of a successful hack.

This is a tricky balancing act for all sides.

On the one hand, products being kept from sale due to EU red tape is not a good look. But on the other hand – and as the EU noted when it proposed the CRA – the global annual cost of cybercrime weighed in at €5.5 trillion in 2021.

Regulators across the world have already established rules for reporting and mitigating breaches, but given they still routinely happen, more needs to be done to reduce their frequency.

Ensuring a minimum standard of cybersecurity is ‘baked in’ to every product before it goes on sale is a worthy ambition, but opinions appear to differ on whether vendors themselves or third parties are best placed to ensure compliance.

Given the wheels of the EU’s legislative branch are already turning, vendors will have to move quickly if they want to prove that self-assessment is the way to go.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.