Cyber Resilience Act: Construction equipment manufacturers take stock of the political agreement reached in trilogues

The EU negotiators from the Spanish Presidency of the Council and the European Parliament reached an informal agreement on the main provisions of the Cyber Resilience Act (CRA), the new EU regulation introducing a set of cybersecurity requirements for the design, development, production and making available on the market of connected products.

Following two months of intense discussions at both technical and political level, the EU legislators found a compromise on the key outstanding issues during interinstitutional negotiations at the last political meeting (‘trilogue’) of 30 November. The deal aims at bridging the main differences between the Parliament’s and Council’s mandates. Co-legislators provisionally agreed on the political elements of the CRA in record time, but discussions are still ongoing at the technical level. The draft text may thus be subject to further amendments, although limited only to non-political provisions. 

The new cybersecurity law for connected products constitutes a priority file for CECE’s membership due to the impact expected once in application. Moving from the consolidated industry’s position, an overview of the draft elements deemed relevant for construction equipment manufacturers can be found below. 

  • The definition of in-scope products remains very broad. However, spare parts are now always excluded regardless of the applicability date of the regulation – in line with CECE’s recommendation.
  • The classification of critical products has been simplified and is now based on two main criteria. As advocated by CECE, it is now binding that integration of Class I or Class II important products does not affect the level of criticality of the complete product.
  • Manufacturers’ obligations on vulnerability handling follow the ‘support period’ approach, which is now linked to the expected use time. In line with CECE’s advocacy, a 5-year timeframe (although as a minimum threshold) has been identified for the provision of security updates after placing products on the market.
  • The reporting mechanism is now aligned with NIS2 and ENISA’s role is strengthened. In line with CECE’s key ask, manufacturers shall notify incidents to the competent CSIRT, and to ENISA, via the single reporting platform within 24h (early warning), within 72h (incident notification), and within 14 days after a mitigating measure is available (final report).
  • The transition period before the CRA becomes applicable has been slightly extended to 36 months. The new cybersecurity rules for connected products will apply 3 years after the entry into force of the new regulation. This gives construction equipment manufacturers a limited timeframe (until mid-2027) to comply with the new product requirements, especially in view of the complexity of machinery products.

As regards the next steps, once the work at the technical level has been concluded, the text of the provisional political agreement reached in trilogue has to be formally endorsed by both Parliament and Council. The text will also need to undergo a legal-linguistic revision before being published in the Official Journal of the EU (publication expected in mid-2024).

CECE will continue monitoring the developments on this relevant piece of legislation until its publication in the OJEU. In addition, members will be supported throughout the implementation phase of the new cybersecurity requirements in view of the Commission’s plans to publish guidance and consult relevant stakeholders.