Siemens, Ericsson and Nokia fear supply chain problems due to Cyber Resilience Act

The European Commission’s Cyber Resilience Act could cause problems for supply chains, according to the CEOs of several tech companies in a recent warning letter from advocacy organization DigitalEurope.

According to the advocacy organization’s warning letter, the EC’s proposed Cyber Resilience Act (CRA) is potentially problematic for the single digital market the EU wants to create. The letter was signed by the CEOs of Siemens, Ericsson, Schneider Electric and others, including Nokia and ESET. Parts of the European bill would cause potential “congestion” in the chain that would eventually cause delivery problems.

DigitalEurope further writes that these blockages could affect the supply of thousands of products, from washing machines to toys, as well as key components such as heat pumps, refrigeration equipment and high-end manufacturing equipment. In doing so, the advocacy group even speaks of a scale of supply chain problems equivalent to those during the pandemic.

What is the CRA?

The CRA sets out the cybersecurity requirements that manufacturers must meet. Companies must identify and resolve cybersecurity risks for all their products, for example, by releasing and implementing security updates for five years after purchase or throughout the life of the equipment.

Possible solutions

The authors of the letter propose several possible solutions that could be included in further versions of the EU law. Among them, the list of products at cybersecurity risk should be drastically revised downward.

In addition, manufacturers should be allowed to fix known vulnerabilities rather than having to research them first. Ideally, these should be vulnerabilities that are currently being actively exploited. They would also like to conduct these investigations into potential cybersecurity risks of their products.

Soon, European member states and EU legislators will discuss further what exactly the CRA should regulate in terms of cybersecurity for (industrial) products. Earlier, the European open-source community warned of potential problems surrounding the new legislation.