ETNO-GSMA position paper on the Cyber Resilience Act


The Cyber Resilience Act (CRA) proposal comes at a time when European society, its citizens and businesses have been dealing with a crisis period marked by the COVID-19 pandemic and the war in Ukraine. The telecommunications sector has been capable of responding to these challenges and of demonstrating its robustness, by providing secure and reliable infrastructures and services that are essential for the functioning of the EU’s Digital Internal Market. However, telecommunication network operators are still faced with security gaps in their digital value chains that need addressing.

The number of connected devices marketed in the EU has risen exponentially in the past years and is expected to continue to do so. Newer generations of connectivity and the maturing of 5G networks will enable the rapid growth of the Internet of Things (IoT): the number of active IoT connections in Europe is expected to reach 370mn in 2023, up from 204mn in 2021, and is forecast to reach 770mn by 2030. This will broaden the threat landscape significantly, demanding more efforts and investments by operators to protect their infrastructure and users.

At the same time there are limited incentives other than reputational risk for companies to properly address security, especially in the enterprise market. Whilst critical infrastructure providers such as telecoms are already subject to stringent security rules, providers of hardware and software are not fully covered by the current EU policy and regulatory framework, thereby leaving gaps and increasing the vulnerability of the entire ecosystem.

For operators of critical infrastructure, it is paramount to ensure network and service resilience through a better allocation of responsibility for cybersecurity along their value chain. Vendors of digital products that become an integral part of the critical services delivered to end-users are often best placed to manage their own vulnerabilities, and thus to address cyber threats related to their own products in the first place. Clear mandatory requirements for hardware manufacturers and software developers to manage and mitigate cybersecurity risks would greatly enhance the level of security and robustness of digital products used in telecom networks and services.

Therefore, we welcome harmonised cybersecurity requirements for digital products in the proposed CRA, which can bridge the regulatory shortcomings in cybersecurity responsibility and liability cascading in several sectors. It is critical that the CRA improves the cybersecurity of digital products in business-to-business (B2B) environments, particularly of those products that are employed in the critical functions of users that operate in critical sectors.

Key recommendations

ETNO and the GSMA recommend that the final CRA regulation meets the key objectives that have been pursued by the initial proposal:

  • Apply horizontal rules covering the entire supply chain so as to ensure regulatory coherence, consistency and end-to-end security in the supply chain;
  • Follow a risk-based approach to keep the framework proportionate and manageable for the various actors in the supply chain, since not all devices/software bear the same risk;
  • Ensure that products, especially software, are built secure-by-design and remain secure throughout the lifecycle;
  • Implement robust market surveillance capabilities to enforce the rules;
  • Promote a level playing field between European and non-European competitors.

For more information please contact:

Lotte Abildgaard

Director Public Policy, Europe, GSMA

Lotte leads the public policy initiatives on the regulatory files in GSMA Europe, coordinating activities to advance the members’ positions on a range of topics including net neutrality, roaming, cyber security and the wider debate on a proportionate framework to sustain long term investments in connectivity across Europe.

Lotte has broad experience in the telecommunications sector, working with regulators and policymakers at national, European and international level. She headed Telenor’s Representative Office for 6 years, where she positioned Telenor in various EU policy debates while also focusing on international relations between the EU and Asia. She also spent 3 years at Telenor’s headquarters in Oslo supporting Telenor Group in its relationship with international stakeholders.

Before joining GSMA’s Brussels Office, Lotte was employed by a large Danish bank where she implemented new financial regulation as a senior project manager.

Lotte is a Danish native and holds a master of agricultural economics from the University of Copenhagen.
