PublishedSeptember 15, 2022

New EU Cybersecurity Rules Are Well-intended, but Introduce Unnecessary Red Tape

Brussels, BELGIUM – The European Commission presented today a new Cyber Resilience Act (CRA), seeking to create extensive approval processes that a wide range of digital products and services would have to undergo before they can be sold and used on the EU market.

The Computer & Communications Industry Association (CCIA Europe) supports the Commission’s objective of strengthening cyber resilience across the EU. Today’s proposal, however, introduces extensive red tape that could slow down, or even stall, the roll-out of new technologies and services that Europe needs.

The draft rules set up an elaborate approval process for stand-alone software and “connected” products that consumers and businesses use, from mobile and desktop operating systems and antivirus software to smart meters.

The CRA also has major ramifications for all kinds of services which use software and hardware covered by the Act throughout their supply chain. This would affect cloud storage, messaging and email, online marketplaces, search engines, and even social networks for instance.

Concretely, web hosting providers or cloud vendors may not be able to provide their services in Europe unless they make the switch to new EU-approved servers, containing EU-approved microprocessors and other components.

Any important software update would also trigger another round of conformity checks before the updated product can be rolled-out in Europe. This means that EU consumers and businesses have to wait longer than other regions before they can update their smartphone or computer. Finally, high-risk artificial intelligence (AI) applications would have to undergo extra conformity checks on top of the approval process set out by the EU’s upcoming AI Act.

The CRA proposal will now be reviewed by the European Parliament and EU Member States.

The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:

“The Cyber Resilience Act is an opportunity to raise the cybersecurity level of ‘connected’ products and online services sold and used across Europe. However, policymakers should ensure that complex and long approvals do not unnecessarily hold back the supply of important new technologies that Europe needs.”

“These cybersecurity rules should strive to weed out bad products from the EU market, but the current CRA proposal would lead to innovative products piling up in waiting rooms before they can be used by Europeans. Instead the new rules should recognise globally-accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements.”

  • Press Releases

CCIA Releases State Competition Landscape Map

Washington –  State legislatures have introduced a range of bills that could seek to change whether the government protects competing companies from competition, much as Europe does. The U.S. h...
  • Press Releases

CCIA Research Center, Engine Study Finds Startups Rely on Free and Low-Cost Digital Tools to Compete

Washington – In partnership with Engine, the CCIA Research Center released a new study investigating the role of free and low-cost digital tools and services in the startup ecosystem. The study find...
  • Press Releases

CCIA Supports Indiana’s Proposed Online Literacy Legislation

Washington – Indiana is joining a growing number of states who are considering proposals that would establish a digital literacy school curriculum to help children learn how to more safely and respo...