
11 October 2023

Cyber Resilience Act: BEUC's recommendations for the Trilogue negotiations


There are aspects of significant concern which remain, notably the proposal from Council to reduce, instead of expand, the list of critical products in Annex III (enshrining the absence of consumer devices while removing essential products for internet security, such as internet routers).

The European Commission proposed the Cyber Resilience Act (CRA) in September 2022.[1] In July 2023, both the Council[2] and the European Parliament[3] reached their respective positions, which led to the beginning of interinstitutional negotiations in September 2023.

Overall, BEUC welcomes the improvements suggested by co-legislators to the Commission proposal. For example, we welcome the Council position to introduce a clear risk methodology for high-risk products (Article 6), the proposal from Parliament to expand the list of critical devices to include consumer products (Annex III), or to strengthen consumer representation and redress, including the addition of the CRA to the Annex of the Representative Actions Directive (Article 54a of the Parliament’s position). This will allow consumers to collectively seek legal remedies.

However, there are aspects of significant concern which remain, notably the proposal from Council to reduce, instead of expand, the list of critical products in Annex III (enshrining the absence of consumer devices while removing essential products for internet security, such as internet routers) or the open question on whether manufacturers will be required to handle vulnerabilities and provide security updates throughout the expected lifetime of their products, or only for a limited support period (Article 10(6)).


BEUC calls on legislators to ensure that the CRA is fit for purpose and can fully deliver a high level of consumer protection. BEUC therefore makes the following recommendations:
1) To broaden the scope with very limited exclusions and have clear definitions.

Co-legislators should expand and clarify that the CRA applies to relevant remote data processing solutions such as Software-as-a-Service when necessary for digital products to perform their functions, as per Council’s position (Recitals 9, 9a).

Co-legislators should refrain from any further exclusions from the scope, as per the Parliament’s position (Article 2).

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0454
[2] https://data.consilium.europa.eu/doc/document/ST-11726-2023-INIT/en/pdf
[3] https://www.europarl.europa.eu/doceo/document/A-9-2023-0253_EN.pdf

Co-legislators should follow the definitions proposed by the Council for ‘consumer’ (art. 3, 21a) as well as product ‘recall’ and ‘withdrawal’ (art. 3, 41, 42). The Council’s proposal to delete the definitions of ‘critical products with digital elements’ and ‘highly critical products with digital elements’ (art. 3, 3-4), and the Parliament’s proposal to introduce a definition of ‘support period’ should be rejected.
2) Manufacturers should monitor and address security vulnerabilities during a product’s entire expected lifespan....

 more at BEUC



© BEUC

