European Commission consultation on the proposal for a Cyber Resilience Act | GSMA Accompanying Written Response

Friday 27 May 2022

The GSMA welcomes the opportunity to provide input to the European Commission’s public consultation on the proposal for a Cyber Resilience Act. We generally support the initiative to introduce cyber resiliency requirements throughout the value chain, which would help address the imbalance caused by the NIS framework. As such, we hope that the following can serve as a constructive contribution to the European Commission’s deliberations.

Although the number of connected devices continues to rise exponentially and operators are committing efforts and investments to protect their infrastructure and consumers in a widening threat landscape, there remain limited incentives for companies to properly invest in security in a market where consumers, often unknowingly, choose price over security.

While critical infrastructure providers such as telecoms are already subject to stringent security requirements, providers of hardware and software are not fully covered under the current regulatory and policy framework. The resulting vulnerability of the ecosystem is exacerbated by the tendency of consumers to purchase cheaper, often imported consumer products that fall below EU security standards, thus creating a non-level playing field for companies investing in security.

In addition, the dilemma of this market setting is compounded by an incoherent regulatory framework, in which the existence of several pieces of sectoral legislation not only produces confusion and unnecessary additional costs stemming from overlap, but is also not fit for purpose given the rising difficulty of confining products to a single sector in an increasingly interconnected world. In turn, a continuation of this approach will result in the unequal treatment of consumers while undermining their trust.

While some measures identified by the European Commission could indeed be effective in raising the level of cybersecurity in digital products, the most beneficial measure is the development of a coherent, horizontal framework that applies to all actors and digital products and services in the supply chain. In particular, common mandatory security requirements for hardware and software products and services are necessary for consistency and end-to-end security to be realised throughout the value-chain.

Furthermore, building products and services secure-by-design and protecting them throughout the entire life-cycle is equally essential for the security of the digital ecosystem. It is, for example, critical for hardware manufacturers and software developers to provide regular security updates, both to prevent attacks and to provide immediate remedies that mitigate any attacks. Robust market surveillance to enforce existing rules is crucial for improving consumers’ security and levelling the playing field.

Finally, these horizontal rules must be applied through a risk-based approach that ensures a proportionate and manageable distribution of liability among the various actors in the supply chain. This approach, and the resulting measures such as metrics for determining the risk level of components and common EU risk assessments, is particularly crucial as not all hardware and software bear the same risk.

To summarise, we recommend that the European Commission consider the following measures in the upcoming legislative proposal for a Cyber Resilience Act:

  • Apply horizontal rules covering the entire supply chain so as to ensure regulatory coherence, consistency and end-to-end security in the supply chain;
  • Follow a risk-based approach when drafting the legislative proposal;
  • Ensure products are built secure-by-design and remain secure throughout the lifecycle;
  • Implement powerful market surveillance to enforce existing rules;
  • Level the playing field between European and non-European competitors.

For more information please contact:

Lotte Abildgaard

Director Public Policy, Europe, GSMA

Lotte leads the public policy initiatives on the regulatory files in GSMA Europe, coordinating activities to advance the members’ positions on a range of topics including net neutrality, roaming, cyber security and the wider debate on a proportionate framework to sustain long term investments in connectivity across Europe.

Lotte has broad experience in the telecommunications sector, working with regulators and policymakers at national, European and international level. She headed Telenor’s Representative Office for 6 years, where she positioned Telenor in various EU policy debates besides focusing on international relations between the EU and Asia. She also spent 3 years at Telenor’s headquarters in Oslo supporting Telenor Group in its relationship with international stakeholders.

Before joining GSMA’s Brussels Office, Lotte was employed by a large Danish bank where she implemented new financial regulation as a senior project manager.

Lotte is a Danish native and holds a master’s degree in agricultural economics from the University of Copenhagen.

[email protected]