Government endorses the Commission’s proposal for Cyber Resilience Act

Ministry of Transport and Communications
Publication date 10.11.2022 13.58
Press release
Image: Mika Pakarinen, Keksi/LVM
Image: Mika Pakarinen, Keksi/LVM

On 10 November 2022, the Government submitted a Union communication to Parliament on the European Commission's proposal for Cyber Resilience Act (CRA). The Government supports the objective of the proposed regulation to place products on the market that are safer to use in the cyber domain.

The European Commission published a proposal for a Regulation of the Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, on 15 September 2022. The proposal responds to cybersecurity developments in which hardware and software are increasingly subject to cyberattacks, adding significant costs to consumers. The proposal is new and would lay down minimum cybersecurity requirements in the single market for hardware and software with digital elements.

The Act would complement the current legislative framework on cybersecurity, which includes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), and the Cybersecurity Act. The Commission's proposal is a part of the new EU Cyber Security Strategy adopted in December 2020 and its objectives.

Security of connected devices requires major improvement

The Government endorses the aims of the proposed regulation to improve the cybersecurity of digital products and ancillary services, to increase the transparency of security features and to provide the consumers with more information to support their choices and purchase decisions. The Government regards improving the security of connected devices and software as a major development issue in the cybersecurity sector that needs addressing.

The Government is also in favour of shifting more responsibility for the security of products in the cyber domain from users to manufacturers. As the number and role of connected devices and software increases, the need to ensure their security and respond to potential vulnerabilities during the product's life cycle will also grow.

"Digital products and services provide a lot of opportunities but, at the same time, pose information security risks. The Act very successfully puts cybersecurity in the same category as other rules of conformity. With requirements covering entire life cycles of products and services, we can better protect consumers and help them make safe purchases," says Minister of Transport and Communications Timo Harakka.

The Government considers it important that EU regulation on digital products form a clear and coherent package, ensuring that the requirements set on operators are unambiguous and proportionate. Keeping this in mind, the relationships between the EU regulations on cybersecurity requirements should be unambiguous and overlapping regulation should be avoided. The Government broadly supports the risk-based approach in setting the requirements and obligations.

What next?

The Government submitted a Union communication to Parliament on the matter on 7 November 2022. The communication will be considered by the Grand Committee, to which the relevant special committees submit their statements.

At the EU level, the proposal will be discussed by the European Parliament and the Council. Once the proposal is adopted, economic operators and EU countries will have two years to adapt to the new requirements. An exception to this is the obligation of manufacturers to report on exploited vulnerabilities and incidents that would already apply one year after entry into force.

Inquiries:

Outi Slant, Senior Specialist, tel. +358 29 535 9298, [email protected]

Veikko Vauhkonen, Senior Specialist, tel. +358 50 340 0578, [email protected]