Cyber Resilience Act: addressing the game of risk

Latest News 07 Feb 2023

Today we live in an increasingly digitalised world. For this reason, the safety of our homes can no longer be viewed in only the physical sense. This is especially true if we think that, by 2024, the number of smart homes will equal the population of Australia. These days, at the click of a button, we can monitor the condition of our homes. Tailoring our cooling and heating devices to our actual consumption patterns makes our lives easier while saving on costs and energy.

Every time that we interact with our smart applications, we generate enormous amounts of data, which makes it fundamental to secure them against any potential threat. The EU’s proposed Cyber Resilience Act (CRA) would introduce mandatory cybersecurity requirements for any home appliance with digital elements. Essentially, the Act aims to establish a secure infrastructure while bolstering the cybersecurity of products placed on the European market.

The current EU framework applicable to digital products already comprises several pieces of legislation, making it necessary to ensure good cohesion between Union policies. Having a centralised legal reference point for manufacturers to abide by is key to avoiding repetition and conflict of regulations. Such conflict would risk creating a legislative patchwork within the internal market and would increase legal uncertainty for both manufacturers and users, adding an unnecessary burden on companies that must comply with a number of requirements for similar types of products.

In the current proposal, around 10% of products are either classed as ‘critical’ or ‘most critical’, including the vast majority of home appliances. However, to strike a balance, it is important to make a clear distinction. Take for example the exchange of data when using a washing machine versus using a mobile banking app. The two applications present different levels of cybersecurity risk. We could in fact classify the mobile banking application as ‘high risk’, in that it secures our savings and regulates transfers, and the washing machine data, mainly containing washing-cycle information, as ‘low risk’. A considerable difference.

This is something that standards must reflect, as each connected product faces its own specific level of cybersecurity risk. Products classified as ‘most critical’ will be subject to mandatory, external, third-party assessment, replacing the current and long-proven self-assessment. This adds an extra layer when placing products on the market, with no added value for consumers.

The EU's Cyber Resilience Act was proposed in April 2021 and is currently in the process of being discussed and negotiated by the European Parliament and the Council of the European Union.
