Updated EU Cyber Resilience Act receives mixed reactions from security experts
Mon 9 Oct 2023
New updates to Article 11 of the EU Cyber Resilience Act (CRA) have raised concerns, as dozens of global cybersecurity experts warn it could create unnecessary risks for consumers and businesses.
The CRA aims to set out cybersecurity requirements for products with digital elements, bolstering cybersecurity rules for software and hardware to protect businesses and consumers from inadequate security features.
“Timely and accurate reporting of vulnerabilities is crucial for organisations, not only to protect their own organisation, but others along the supply chain, as well as alerting software providers to potential issues,” said Achi Lewis, Area VP EMEA for Absolute Software.
Article 11 will now require software publishers to disclose any unpatched vulnerabilities to the EU Agency for Cybersecurity (ENISA) within 24 hours of exploitation.
Information on these vulnerabilities would then be passed on to the various government agencies responsible for member state security. Software providers would be required to feed their known vulnerabilities into a ‘real-time database’ of unpatched flaws, giving those agencies an overview of ongoing or potential security issues.
This comes as part of an effort from EU lawmakers to ensure greater transparency and accountability, speed up vulnerability disclosures, and ultimately protect consumers.
“The current patching landscape is messy. IT managers already have a difficult job managing a work-from-anywhere device fleet so ensuring patching is up to date is an important step to bolstering security, and new vulnerability reporting rules as part of the Cyber Resilience Act will support organisations to stop vulnerabilities spreading.
These actions will better prepare organisations to prevent cyber incidents, as well as improve response protocols when attacks occur,” added Lewis.
However, in an open letter signed by senior figures at over 50 organisations, including Google, the Electronic Frontier Foundation, and the CyberPeace Institute, experts said that aspects of the article are ‘counterproductive and will create new threats that undermine the security of digital products and the individuals who use them’.
Within the open letter, the critics argue that a repository of unmitigated vulnerabilities would itself become a target for threat actors, placing organisations at heightened risk.
They believe the measure would merely encourage a trend of ‘rushing the disclosure process’, placing greater strain on security teams and software providers, and could result in botched patches.
In response, the open letter recommended that mandatory reporting requirements should be changed to within 72 hours of ‘effective mitigation’ to prevent the risk of exploitation.