On 25 October, EIF organised a debate, hosted by MEP Marina Kaljurand, on the EU's proposed Cyber Resilience Act (CRA), with a focus on its contribution to Europe's digital autonomy. The MEP was joined by the following guest speakers:
Lorena Boix Alonso, Director for Digital Society, Trust & Cybersecurity, DG CONNECT, European Commission
Heli Tiirmaa-Klaar, Director of the Digital Society Institute, European School of Management and Technology, Berlin
Elena Plexida, Vice President Government and IGOs Engagement, ICANN
Arnaud Taddei, Security Transformation Architects Practice Leader - International (EMEA, APAC) at Broadcom Software, Broadcom Inc.
MEP Marina Kaljurand set the scene by stressing the importance of gaining sovereignty and acting autonomously while, at the same time, avoiding protectionism. She mentioned several recommendations concerning autonomy: first, that funding mechanisms and investments may not be enough to reach the targets; second, making realistic choices so that efforts and resources preserve existing strengths and gain ground in innovative domains; third, identifying the types of threats to sovereignty and monitoring the risks; fourth, recognising the importance of digital autonomy and proactive digital diplomacy. MEP Kaljurand pointed out that every EU citizen should also be a digital diplomat, a digital person and a digital speaker. What is more, the Cyber Resilience Act is considered the first Internet of Things legislation in the world that aims to set common cybersecurity standards for connected devices and connected services.
The European Commission representative, Lorena Boix Alonso, stated that cyber attacks are steadily increasing and affecting society: two-thirds of cyber attacks stem from the exploitation of vulnerabilities in connected devices. According to her, the Cyber Resilience Act is needed because the market offers insufficient incentive to address cyber attacks, while the nature of the market makes it essential to bring products to market very quickly. Ms. Boix Alonso recognised that it is appropriate to start from the existing legislative framework, which has worked for many years and sets high-level requirements. However, something simpler is needed: producers will need to carry out a risk assessment and then define the standards they follow. As a result, most products would not need to go through a third-party conformity assessment.
Heli Tiirmaa-Klaar, from the European School of Management and Technology in Berlin, declared that she is aligned with the European Commission's perspective. Since the market is not taking care of security, cybersecurity legislation is very much needed. A transparent framework for all producers is fundamental, and the added value of the CRA is that consumers can make an informed choice. She stressed that security is one of the largest impediments to achieving the goals of a digital Europe. Furthermore, digitalisation is not associated with trust and security, and the CRA provides an extra layer of security for both economic actors and consumers. Ms. Tiirmaa-Klaar argued that the Act would have a global impact because it is the first case in which a large market power is trying to set standards for these products. However, she identified an impediment on the implementation side, namely the lack of experts, underlining the skills gap and the cybersecurity workforce shortage in Europe.
Elena Plexida, from ICANN, stressed the importance of standardisation. In the CRA, standards are put forward in different initiatives as a way to demonstrate compliance. Compliance depends on the type of product at stake and ranges from self-assessment to third-party certification, or it is implied through the implementation of EU standards. An increasing number of legislative initiatives include provisions for the development of harmonised European standards to demonstrate compliance. She highlighted that organisations like ICANN or the IGF can provide the Internet because connected devices run on the same set of technical protocols, standards and identifiers. These are used by the whole world because they are trusted and are developed through bottom-up processes with the participation of experts and governments. Ms. Plexida concluded her speech by affirming that trust is the glue that keeps the Internet together and that fragmentation must be avoided.
Arnaud Taddei, from Broadcom Inc., acknowledged the good intentions behind the Cyber Resilience Act and the courage of the European Commission in facing cyber security issues, but also the real gap in IoT products and in security products for consumers. From his perspective as a security practitioner, security involves a number of trade-offs that need to be considered within the frame of the CRA. First, security, cost and risk: more security measures imply higher costs. Second, security, time and market. Third, security, privacy and safety: privacy without security is meaningless. Mr. Taddei affirmed that certain EU countries are very weak on startups and that some issues are recurrent. He concluded his speech with three additional considerations on the Cyber Resilience Act. First, standardisation experts may not fully understand the intention of Article 19. Second, it is hard to determine the foreseeable misuse of products. Third, it is necessary to organise notification for the EU as a whole.