Computer & Communication Industry Association

New EU Cybersecurity Rules Are Well-intended, but Introduce Unnecessary Red Tape

Brussels, BELGIUM – The European Commission presented today a new Cyber Resilience Act (CRA), seeking to create extensive approval processes that a wide range of digital products and services would have to undergo before they can be sold and used on the EU market.

The Computer & Communications Industry Association (CCIA Europe) supports the Commission’s objective of strengthening cyber resilience across the EU. Today’s proposal, however, introduces extensive red tape that could slow down, or even stall, the roll-out of new technologies and services that Europe needs.

The draft rules set up an elaborate approval process for stand-alone software and “connected” products that consumers and businesses use, from mobile and desktop operating systems and antivirus software to smart meters.

The CRA also has major ramifications for all kinds of services which use software and hardware covered by the Act throughout their supply chain. This would affect cloud storage, messaging and email, online marketplaces, search engines, and even social networks for instance.

Concretely, web hosting providers or cloud vendors may not be able to provide their services in Europe unless they make the switch to new EU-approved servers, containing EU-approved microprocessors and other components.

Any important software update would also trigger another round of conformity checks before the updated product can be rolled-out in Europe. This means that EU consumers and businesses have to wait longer than other regions before they can update their smartphone or computer. Finally, high-risk artificial intelligence (AI) applications would have to undergo extra conformity checks on top of the approval process set out by the EU’s upcoming AI Act.

The CRA proposal will now be reviewed by the European Parliament and EU Member States.

The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:

“The Cyber Resilience Act is an opportunity to raise the cybersecurity level of ‘connected’ products and online services sold and used across Europe. However, policymakers should ensure that complex and long approvals do not unnecessarily hold back the supply of important new technologies that Europe needs.”

“These cybersecurity rules should strive to weed out bad products from the EU market, but the current CRA proposal would lead to innovative products piling up in waiting rooms before they can be used by Europeans. Instead the new rules should recognise globally-accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements.”