The Commission’s proposal for a Cyber Resilience Act is the first-ever EU-wide legislation of its kind, laying down new horizontal cybersecurity requirements for the placing on the market of all connected digital products (both hardware and software), including machinery products.
The proposed regulation adds to the existing EU regulatory framework on cybersecurity, which consists of the NIS 2 Directive (EU) 2016/1148, addressing the cyber-resilience of EU businesses, and the Cybersecurity Act, which establishes a framework for voluntary certification schemes for ICT products, services and processes. It also complements Delegated Regulation (EU) 2022/30 on interconnected radio equipment products.
CECE welcomes the European Commission’s proposal for a Cyber Resilience Act. Construction equipment manufacturers are already committed to addressing cybersecurity risks, even though the number of cyber-attacks targeting our products remains limited.
However, CECE members believe that the impact of this legislation should not be underestimated. This is mainly due to the very broad scope of this Regulation and the inconsistencies of the announced timeframe for its implementation in light of the machinery products’ lifecycle of decades and corresponding legacy.
The scope of the proposed regulation is too broad and needs clarification as regards the products covered. CECE recommends that connected digital products placed on the market before the CRA application date together with their related spare parts are excluded from the CRA scope, even if the latter are placed on the market after the CRA applies.
To maintain a well-functioning internal market and to avoid unnecessary double assessment and/or certification, we endorse the approach that a default category product embedding a compliant critical product (listed in Annex III) is not considered a critical product itself.
In addition, CECE stresses the need for a sufficient implementation timeframe to allow the industry to update the whole product system and comply with the CRA requirements given the complexity of construction machinery products.
CECE Position Paper - CECE comments on the Cyber Resilience Act proposal