On 15th September 2022, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features.

The Cyber Resilience Act is a long-awaited piece of horizontal legislation dedicated to cybersecurity. It will create a level playing field and raise the overall level of security for digital products in Europe, with minimum burden for industry.

CEMA welcomes the Cyber Resilience Act, a new piece of New Legislative Framework (NLF) legislation, which will be the glue for previous attempts to increase cybersecurity measures, from the Radio Equipment Directive to the Machinery Directive. Although these directives pinpoint the need for cybersecurity measures in relation to the overall health and safety requirements for network and product, they have so far provided no detailed specifications. In comparison, the car industry already had ISO/SAE 21434 ‘Road vehicles — Cybersecurity engineering’, which formed the basis for UNECE Regulation 155.

The new act is clearly inspired by frontrunners like the automotive industry. What makes it more suitable for the industrial product market, with its wide portfolio of products, is that third-party involvement is limited to two risk categories of so-called critical products, which are listed in Annex III. Class I represents smaller risk, with e.g. password managers, network interfaces or Industrial Automation & Control Systems (IACS); Class II represents higher risk, with e.g. CPUs, operating systems, or routers/modems.

For the bulk of digital products in scope, self-assessment and thus self-certification, according to the NLF rules, would suffice.

The agricultural machinery industry welcomes this approach and will do a thorough check on the specific requirements and the timeline, in collaboration with the Agricultural Industry Electronics Foundation (AEF), in support of legislators.

Proposal for regulation on horizontal cybersecurity requirements for products with digital elements

Proposal for regulation on horizontal cybersecurity requirements for products with digital elements - ANNEXES