Having performed a first assessment of the file, CEMA welcomes the Cyber Resilience Act (CRA). As already presented in this newsletter, the CRA proposal was put forward by the European Commission in September 2022. It follows the New Legislative Framework (NLF) principles, and provides a more generic framework on cybersecurity, like the Machinery Directive does for occupational safety, creating a level playing field, and increasing the level of security overall for digital products in Europe with minimum burden for the industry.

The Cyber Resilience Act assigns clear responsibilities in the chain, to both OEMs (Original Equipment Manufacturers) and suppliers, and through the principle of placing on the market it clarifies these responsibilities even further, also in relation to imports. As such:

  • when integrating products with digital elements in the EU, the supplier of this product has to make its own assessment and affix the CE marking, while the integrator is responsible for the end product with its specific applications.
  • when integrating these products with digital elements outside of the EU, the manufacturer of the final product has the full responsibility, following the essential requirements of Annex I, when placing this end product on the EU market.

As agricultural vehicles and machinery do not have the core functionalities described in Annex III for critical products, manufacturers can make use of self-certification.

There are two important questions that industry would like to see answered: will a domain-specific approach be possible, and can there be an improved timeline?

Just as the Machinery Directive allows manufacturers to develop domain-specific standards, based on a risk assessment, so should the Cyber Resilience Act. While there is a need for generic horizontal standards, a risk assessment for a particular application and for specific safety functions, linked to machinery, would lead to more appropriate and proportionate cybersecurity measures. Though the CRA does not implicitly exclude this possibility, a clarification in the text could shed light on the scope of work for experts developing both horizontal and more domain-specific standards.

The timeline is a much more pressing issue. While it can be called ambitious for some critical products with digital elements, for highly complex machinery used in a versatile and highly demanding environment, like agricultural machinery, the timeline proposed is impossible. The technical engineers specialising in the matter have identified the need for a complete architecture change-over which, due to the large number of interdependencies, can only be done per type. The agricultural machinery industry has a large number of types and a low volume per type. It is dependent on suppliers to provide information on their products with digital elements that will be integrated into the final machine. Its domain-specific standard is in draft but expected to be out only by 2026. Given all this, CEMA underlines the high need for a staggered approach to implementation deadlines.

In conclusion, the agricultural machinery industry welcomes the approach put forward by the Cyber Resilience Act but urges legislators to clarify the possibility for domain-specific harmonised standards, and to propose a timeline that is ambitious for those mainly on the radar, identified as critical and highly critical products with digital elements, but that gives necessary lead time to complex machinery.