Document: 2023_01_23_PP_on_the_CRA.pdf

CEMA welcomes the Cyber Resilience Act, a horizontal piece of legislation dedicated to cybersecurity and covering the whole chain from suppliers to manufacturers of end-products. As already presented in this newsletter, it is understood that the legislation’s main focus is on the more critical products, those in the frontline to prevent cyber-attacks. However, for machines there can be many entry points into the machine architecture, including through physical hacks.

The timeline proposed for the Act is ambitious, particularly as the standards that would provide more clarity on its application are missing. In fact, the Commission is still performing an assessment before committing to mandate standardisation activities. The Commission’s assessment of the timeline could be inspired by its focus on the critical products. That does not make the timeline suitable for the enormous list of products in scope, and in particular for integrators of such products like the agricultural machinery industry.

Depending on how the scope of the CRA will have to be interpreted, machine electronics hardware updates and machine network architecture updates might be necessary at a completely different level. The effort to realize these changes is considerably higher than the effort needed for updates to the existing development processes or for software updates to the machine software.

In any case, the agricultural machinery sector also does not want, for its own architectures, to be forced to use standards from other industries. The development of our own standard is ongoing and, once published, the initiative should be rewarded with a harmonised status under the Cyber Resilience Act.

Our message to legislators: If the scope of the essential requirements is not clarified and, linked to that, a more realistic timeline for non-IT products is not provided, it is impossible to bring the whole fleet into compliance, and quality of implementation will suffer. We want to deliver proven and validated high-quality adaptations, preferably following a domain-specific standard as guidance for all companies, including the many SMEs.

You can find the full position here.