1 December 2022, 11:53
Statement

Cyber Resilience Act – the Commission’s proposal

The Federation of Finnish Enterprises welcomes the Commission’s proposal for a Cyber Resilience Act and subscribes to its main objectives.

In our assessment, the Regulation would, if implemented effectively, improve SMEs’ internal cybersecurity by enabling them to acquire and operate more secure digital products. Owing to the new rules, SMEs could also rest assured that their digital solutions remain secure through regular patches and updates that fix vulnerabilities. The Regulation would also be likely to lower the risk of external cyberthreats emerging from SMEs’ supply chains.

What is more, a higher level of cybersecurity could give European companies a competitive edge in global markets, where the value of secure products and services is likely to increase over time.

SMEs and cybersecurity

The financial and other risks posed to SMEs by cybersecurity incidents involving vulnerable digital products can be significant. These risks keep rising owing to the fast expansion of digital technologies in everyday business operations and the opportunities this provides for malicious actors.

The cybersecurity of SMEs depends to a large extent on the quality of digital products and services they use and the diligence and care the manufacturers and providers of these products and services exhibit.

In our experience, SMEs often find it difficult to tell secure solutions and providers from insecure ones, because cybersecurity features and standards are not transparent. This lack of trust creates uncertainty and can result in SMEs holding back their much-needed investments in digitalisation.

According to our recent survey, 34 percent of Finnish SMEs regard cyberattacks and data breaches as a high or reasonably high risk to their business. Only seven percent of SMEs see no risk at all. Sixty-one percent report obstacles in ensuring their cybersecurity, the biggest challenges being inadequate skills and the costs of cybersecurity.

SaaS solutions

SMEs are increasingly reliant on cloud-based digital services, including so-called software-as-a-service (SaaS) solutions. According to our recent study, 73 percent of Finnish SMEs use cloud services. About half of SMEs feel they depend on platform services, many of which run in the cloud.

SaaS solutions would, however, fall outside the scope of the Regulation, with the exception of remote data processing solutions relating to a product with digital elements. Although the intention behind this exception is reasonable, it is formulated vaguely and needs to be clarified in the final text to reduce legal uncertainty for all economic actors.

It is possible, as the draft Regulation points out, that other EU-level legislation (e.g., the NIS2 Directive) is sufficient to ensure the adequate cybersecurity of cloud services. Given the growing significance of SaaS solutions for SMEs and other end-users, both as stand-alone services and as parts of digital product bundles, we recommend that the legislators reassess the impact of this legislative framework and, if necessary, amend it.

Requirements for products with digital elements and obligations of manufacturers

The Regulation would establish harmonized and technology-neutral cybersecurity requirements for products with digital elements placed on the single market. This is welcome, as a patchwork of national rules would hamper the ability of manufacturers of digital products, especially small and medium-sized ones, to operate and scale up across European markets.

For SMEs acting as end-users, it is crucial that digital products remain secure throughout their life cycle, from deployment to decommissioning. Manufacturers of digital products have a key role in ensuring that cybersecurity vulnerabilities are handled swiftly and remedied effectively and free of charge. This includes informing users about the relevant aspects of a vulnerability and its fixes, and about any action these might require from the user. Manufacturers should also incentivize users and other actors to report any potential or actively exploited vulnerability they detect in a product.

In our view, the essential cybersecurity requirements listed in Annex I, compliance with which the manufacturer must demonstrate through a conformity assessment procedure, together with the information and instructions that must accompany the product, outlined in Annex II, establish a solid basis for products with digital elements to be secure by default and throughout their life cycle.

We are in favor of a risk-based approach to conformity assessment procedures. It is warranted that digital products with more critical security implications should undergo stricter procedures. The merits of classifying individual products or technologies as critical, as done in Annex III of the proposal, should however be re-evaluated. A list of high-risk products runs the risk of omitting a number of critical solutions from the outset and of being constantly outdated in terms of technology and its critical use cases. As an alternative, we therefore ask the legislators to consider a use-case-based approach to categorizing high-risk products, similar to that of the proposed AI Regulation. Products whose intended use falls within these parameters would then need to be more closely scrutinized for their conformity with the essential cybersecurity requirements.

Although only a limited number of digital products would need to undergo the more rigorous third-party conformity assessment, it can nevertheless be foreseen that insufficient assessment capacity in notified bodies may become a bottleneck in some Member States, hampering access to markets. The Commission and the Member States should proactively promote and support conformity assessment bodies and ensure that manufacturers can fulfil their legal obligations without undue delay.

The obligations the Regulation would impose on manufacturers of digital products are not insignificant and are likely to burden them with new compliance-related costs. As the burden is relatively larger for small and medium-sized manufacturers, the EU and national authorities should make every effort to alleviate it, e.g., by ensuring that the costs of third-party conformity assessments remain SME-friendly and by providing SME-focused guidance.

Importers and distributors

A uniform set of requirements would also be in the interest of importers and distributors of digital products, since it would simplify and shorten the process of verifying a product’s cybersecurity.

The Regulation would, however, also set new obligations for importers and distributors. As most importers and distributors are small or medium-sized, these obligations should be proportionate and take into account their capability to assess whether a product and its manufacturer live up to the essential cybersecurity requirements. Distributors in particular ought to be able to take the manufacturers’ cybersecurity verifications at face value and to bear no or only limited liability in the case of unsafe products.

CE marking

After conducting the necessary conformity assessment procedures, the manufacturer would be required to draw up an EU declaration of conformity attesting that the product with digital elements meets the essential requirements of the Regulation, and then to affix a visible CE marking to the product in question. This is only reasonable, given the purpose of the Regulation, but it does raise some concerns.

Many digital products already bear CE markings based on various rules, standards, and specifications. This can make the CE regime hard for end-users to decipher, creating unnecessary uncertainty about the EU-wide cybersecurity marking as well. We therefore underline the need to seek ways to make it easier to identify that a product’s CE marking covers the cybersecurity requirements. This would be particularly important in the immediate aftermath of the Regulation’s entry into application, when older products that may not meet the new cybersecurity requirements and newer, compliant products co-exist on the market.

Open source and test versions

We agree with the proposal that non-commercial open-source software should remain outside the scope of the Regulation. It is also sensible that the Regulation would allow manufacturers to make unfinished software, such as alpha versions, beta versions or release candidates, available for testing, as long as the version is made available only for the time necessary to test it and gather feedback.

Both provisions are important for companies and other organizations conducting research, development and innovation on digital products, and they should be respected by the Member States.

The Federation of Finnish Enterprises

Joonas Mikkilä
Head of Digital and Educational Affairs

Karoliina Katila
Legal Counsel