Cyber Resilience Act aiming to set new rules for digital products should avoid duplication with other automotive legislation
The European Commission is looking to publish a new Cyber Resilience Act to regulate new digital products and ancillary services. The initiative aims to address market needs and protect consumers by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services.
CLEPA supports the Commission’s objective of enhancing and ensuring a high level of cybersecurity for digital products and related services, and the objective of setting up a level playing field for vendors. Promoting the cybersecurity of products will help to mitigate potential vendor losses and have a positive effect on the economy, provided the measures are appropriate, risk-based, and flexible enough not to hinder innovation.
While the goal of the Cyber Resilience Act should be to harmonise the regulatory landscape for product cybersecurity under a single, central, and coherent reference point, the Commission should take into account existing vertical legislation for specific industries and/or product groups, and the importance of avoiding duplication, or worse, contradiction between the different sets of rules. In the transport sector’s case, both automotive companies and motor vehicles are already subject to extensive cybersecurity requirements. In the EU, motor vehicles must undergo a homologation process (type-approval) before they can be placed on the market, to ensure their safety and security. In this context, the type-approval framework includes two UNECE Regulations on cybersecurity (UN Reg. 155) and on software updates (UN Reg. 156) which, together, set technical requirements encompassing the entire vehicle’s cybersecurity.