Position paper on the European Commission’s proposal for a Cyber Resilience Act

Having products with digital elements that have strong cybersecurity requirements is the key to mitigate cybersecurity risks in the long term, thus, the proposed Cyber Resilience Act (henceforth CRA) will be a major step in improving product security. While the CRA lays down direct obligations only for manufacturers, importers, and distributors, it also seeks to improve the security of critical infrastructures by setting stricter conformity assessment requirements for critical products. For TSOs, as operators of critical infrastructure, it is, therefore, crucial that the CRA is designed in a way that optimally supports TSOs to mitigate cybersecurity risks and is coherent with other relevant EU legislations which aim to ensure cybersecurity of critical infrastructure.

In this respect, besides the CRA, TSOs will need to comply with two other EU cybersecurity legislations that address the cybersecurity of products: the Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive 2016/1148 (henceforth NIS2 Directive), and the upcoming Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows (henceforthNCCS). The CRA should be aligned with both EU legislations, so that scarce cybersecurity resources are used most efficiently.

The CRA is already well aligned with the NIS2 Directive. Nevertheless, ENTSO-E believes that the alignment with the NCCS can be improved based on the proposals mentioned below.

ENTSO-E’s recommendations

The CRA should be aligned with the NCCS by:

adopting requirements developed under the NCCS as sectoral rules under the CRA;
using the results from the NCCS regional cybersecurity risk assessment for the electricity sector to determine which products are critical;
requiring manufacturers to consider the results from the NCCS regional risk assessment in the risk assessments they need to perform under the CRA.

Additionally, for the CRA to support cybersecurity risk mitigation for TSOs, more transparency should be provided to users regarding which risks a product can mitigate.

ENTSO-E’s recommendations

The Cyber Resilience Act should provide more transparency to users of critical products by:

requiring manufacturers to describe the threats mitigated in the user documentation;
requiring manufacturers to describe the assurance level in the user documentation;
defining clear criteria for when a reassessment needs to be performed for a product.

Read full document here