ETNO-GSMA position paper on the Cyber Resilience Act

The Cyber Resilience Act (CRA) proposal comes at a time when European society, its citizens and businesses have been dealing with a crisis period marked by the COVID-19 pandemic and the war in Ukraine. The telecommunications sector has been capable of responding to these challenges and of demonstrating its robustness, by providing secure and reliable infrastructures and services that are essential for the functioning of the EU’s Digital Internal Market. However, telecommunication network operators are still faced with security gaps in their digital value chains that need addressing.

The number of connected devices marketed in the EU has risen exponentially in the past years and is expected to continue to do so. Newer generations of connectivity and the maturing of 5G networks will enable the rapid growth of the Internet of Things (IoT): the number of active IoT connections in Europe is expected to reach 370mn in 2023, up from 204mn in 2021, and is forecast to reach 770mn by 2030[1]. This will broaden the threat landscape significantly, demanding more effort and investment by operators to protect their infrastructure and users.

At the same time there are limited incentives other than reputational risk for companies to properly address security, especially in the enterprise market. Whilst critical infrastructure providers such as telecoms are already subject to stringent security rules, providers of hardware and software are not fully covered by the current EU policy and regulatory framework, thereby leaving gaps and increasing the vulnerability of the entire ecosystem.

For operators of critical infrastructure, it is paramount to ensure network and service resilience through a better allocation of responsibility for cybersecurity along their value chain. Vendors of digital products that become an integral part of the critical services delivered to end-users are often best placed to manage their own vulnerabilities, and thus to address cyber threats related to their own products in the first place. Clear mandatory requirements for hardware manufacturers and software developers to manage and mitigate cybersecurity risks would greatly enhance the level of security and robustness of digital products used in telecom networks and services.

Therefore, we welcome harmonised cybersecurity requirements for digital products in the proposed CRA, which can close the regulatory gaps in how cybersecurity responsibility and liability cascade through several sectors. It is critical that the CRA improves the cybersecurity of digital products in business-to-business (B2B) environments, particularly of those products that are employed in the critical functions of users operating in critical sectors.

Key recommendations

ETNO and the GSMA recommend that the final CRA regulation meets the key objectives that have been pursued by the initial proposal:

  • Apply horizontal rules covering the entire supply chain so as to ensure regulatory coherence, consistency and end-to-end security in the supply chain;
  • Follow a risk-based approach to keep the framework proportionate and manageable for the various actors in the supply chain, since not all devices/software bear the same risk;
  • Ensure that products, especially software, are built secure-by-design and remain secure throughout the lifecycle;
  • Implement robust market surveillance capabilities to enforce the rules;
  • Promote a level playing field between European and non-European competitors.