
24 January 2023

BEUC: THE CYBER RESILIENCE ACT PROPOSAL


This proposal answers a longstanding need that BEUC and its members have identified and warned about repeatedly. Over the past years, BEUC members have demonstrated that too many connected products sold on the European market lack even the most basic security features. Too many products are putting consumers at risk on a daily basis.

BEUC – The European Consumer Organisation welcomes the European Commission proposal on the Cyber Resilience Act (CRA). 
BEUC fully supports the proposed introduction of mandatory, essential cybersecurity requirements for manufacturers, distributors and importers of digital products and their ancillary services, to ensure that these products are secure by design and by default.
However, substantial improvements are still needed regarding several aspects of the proposal, to ensure that it is fit for purpose and can fully deliver a high level of protection to consumers.
In particular, BEUC makes the following key recommendations:
1) A broader scope covering all types of digital products and associated services.
• The new rules must be applicable to all connected products, and their associated services, marketed to/intended for consumers.
• The scope should be expanded to cover all web-based services (e.g. Software-as-a-Service, websites) available to consumers.
2) Manufacturers should be obliged to monitor and address security vulnerabilities during a product’s entire expected lifespan.
• Mandatory cybersecurity requirements for manufacturers on vulnerability handling should apply throughout the product’s entire expected lifespan, and not be limited to a maximum period of five years.
• A threshold of five years to address vulnerabilities could eventually be a minimum limit, but not a maximum threshold.

3) The conformity assessment procedure must be strengthened.
• Third-party assessment should be the rule for assessing the conformity of ‘critical products with digital elements’ under Annex III.
• Self-assessment should only be allowed for those products which are not considered to be ‘critical products with digital elements’ under Annex III.
• Harmonised standards should only be used to define technical requirements, not to replace legal obligations and requirements.
• Reliance on harmonised technical standards should not open the door to self-assessment in the case of ‘critical products with digital elements’, even those belonging to Class I.
4) ‘Critical products’ must include consumer products and be subjected to mandatory cybersecurity certification.
• The legislation should mandate cybersecurity certification level “high” for ‘critical products with digital elements’ listed in Annex III while discarding other options, especially those relying on self-assessment.
• The list of critical products (Classes I and II) must have a broader scope, going beyond its current focus solely on products intended for industrial use.
• In particular, the list of ‘critical products with digital elements’ of higher risk (Annex III, Class II) must also be extended to include consumer products.
5) The market surveillance and enforcement framework must be clarified and improved.
• Effectiveness and consistency of market surveillance and enforcement must be strengthened, by providing for cooperation mechanisms between all market actors.
• There must be clear cross-sector cooperation mechanisms for relevant supervisory authorities.
• A ‘virtuous cycle’ of cooperation between consumers and national authorities should be encouraged.
• Enforcement at the national level should be reinforced at a technical level. Beyond a supporting role to the investigation procedures of the European Commission, the CRA proposal should also establish an explicit role for ENISA to assist national authorities in their investigations, at their own request. An alternative would be to create a technical body for this role.
6) Effective remedies and means of redress for consumers when obligations are not respected.
• Consumers have a right to cybersecure products and services, and should have a clear right to complain to a national authority and access judicial remedies when they are affected by non-compliance with the CRA obligations.
• Manufacturers should be required to make a complaint mechanism available and be obliged to react to consumer complaints within a short period of time, with a maximum of five working days.
• Affected users should have the right to remedies/compensation in case they suffer damages caused by non-compliance with the CRA.
• Consumer organisations/civil society organisations should be able to represent individual consumers in the exercise of their rights.
• The CRA must be added to the Annex of the Representative Actions Directive (RAD) to enable collective redress actions and injunctions in case of mass harm.

BEUC



© BEUC