AIOTI WG Policy developed document on the draft Regulation on horizontal cybersecurity requirements for products with digital elements amending Regulation (EC) 2019/1020 (Cyber Resilience Act).
The full document can be found here.
AIOTI welcomes the move to regulate for greater cyber security. Our members are committed to providing security in our products, and we welcome steps to create maximum trust among users and consumers in the safety, security, and resilience of their digital products.
AIOTI wants to point out that the value chain for manufacturing electronic devices is more complex than portrayed in the proposed regulation. For example, chip manufacturers often do not know the actual use of their processors. Similarly, software suppliers do not know how their product will be used. These decisions are made later in the value chain, for example by the original equipment manufacturer (OEM). It is at the device level that decisions are made on which security features are implemented, and it is there that the criticality of the end markets is known. We propose, therefore, that the minimum scope of the EU Cyber Resilience Act (EU CRA) be the device level, with chips and embedded software components removed from the proposed legislation.
In conclusion:
Security will not be improved by asking chip vendors to be assessed under the EU CRA draft. First, they do not know where their chips go. Second, the security criteria specified in the draft regulation do not apply in an obvious way to a chip without considering the full device software stack.
Given these issues, it would be better if the regulation made clear that what is in scope are ‘devices’ (including their embedded software), and not, in isolation, microprocessors/controllers or OS/imported software.