Tech companies warn of pandemic-level supply chain disruption due to EU cybersecurity rules

Written by Wed 8 Nov 2023

A group of companies, including Siemens, Ericsson, and Schneider Electric, have issued a warning about the potential impact of the proposed EU Cyber Resilience Act (CRA). They believe it could result in pandemic-level supply chain issues.

In a letter to the European Commission, industry group Digital Europe said disruptions could hit millions of products. This includes cybersecurity products, components for heat pumps, cooling machines, high-tech manufacturing, washing machines, and toys.

The CRA requires manufacturers to examine the cybersecurity risks of their products. They must also take measures to fix problems for five years or through the expected lifetime of the products. The CRA was proposed by the European Commission last year. 

“The law, as it stands, risks creating bottlenecks that will disrupt the single market,” said the chief executives of the companies in a joint letter to European Union Industry Chief, Thierry Breton, and EU Digital Chief, Vera Jourova.

Given the CRA’s wide scope and lack of capacity, the companies could face a situation where secure products cannot be placed on the market and will be blocked for EU customers. As a result, the CRA may risk creating a COVID-style blockage in the European supply chain, disrupting the single market and harming competitiveness.

“Europe cannot currently offer so many conformity assessments, creating bottlenecks as manufacturers must prove compliance through third-party certifiers for products listed in Annex III. This will have a huge effect on the wider supply chains, as many of these components are crucial inputs for the European economy and the green transition,” said the companies.

The signatories proposed amending the current act to maximise the possibility of self-assessment, introduce an implementation period of a minimum of 48 months to allow for the development of harmonised standards, and significantly reduce the list of higher-risk products in Annex III.

Other signatories to the letter include the CEOs of Nokia, Bosch, and Slovakian software company ESET.

Cyber Resilience Act Raises Cybersecurity Concerns

The letter emphasised past concerns raised by the companies to the European Commission regarding the reporting of vulnerabilities. Digital Europe said the proposed extension of vulnerability reporting to ‘unpatched’ vulnerabilities will severely harm their collective cybersecurity.

Digital Europe requested key safeguards if co-legislators of the Act ‘insist on including actively exploited vulnerabilities within the scope’. These include the request that manufacturers be allowed to make a judgement call to prioritise patching.

Digital Europe also suggested reporting should be limited to incidents and vulnerabilities that pose a significant cybersecurity risk.

The proposed CRA will also apply to importers and distributors of devices that connect to the internet. The EC published the draft legislation in September 2022, with the law scheduled to take effect in 2024.
