Date: 2023-07-13

Several IT and tech industry groups have issued a list of recommendations for improving the EU Cyber Resiliency Act (CRA), currently being crafted by EU co-legislators. The associations have urged the co-legislators not to prioritize speed over quality in finalizing their positions to avoid unintended outcomes, citing problematic aspects that need to be addressed in the current proposal.

The EU CRA aims to set out new cybersecurity requirements for products with digital elements, bolstering cybersecurity rules for hardware and software to protect consumers and businesses from inadequate security features. It was first put forward by Ursula von der Leyen, president of the European Commission (EC), in September 2021, with an initial proposal published in September 2022.

The recommendations aim to improve cybersecurity and resilience while addressing key concerns shared by companies of all sizes from a variety of sectors including software developers, device-makers, and component manufacturers, according to a document from global tech trade association the Information Technology Industry (ITI) Council. The ITI issued the recommendations alongside the Developers Alliance, The Software Alliance, and the Computer & Communications Industry Association (CCIA).

CRA's scope should be narrower and clearer

The first recommendation made by the collective is that the proposed scope of the CRA should be made narrower and clearer. "Any reference to 'remote data processing solutions' should be excluded from the scope of the CRA to ensure legal clarity, and to avoid overlaps with existing legislation and unnecessary burden," they wrote.

Software as a service, platform as a service, or infrastructure as a service should not be considered within the scope of the CRA, and this clarification should be reflected in the core legal text to provide greater legal certainty and to facilitate implementation across the EU, the recommendation read.

It also called for greater clarity regarding open-source software (OSS), suggesting that a clear exception for OSS should be included in the core legal text. "The unique characteristics of OSS must be taken into account through the entire proposal, also when creating obligations for manufacturers for OSS components that are integrated into products."