Netherlands Approves Proposal for European Cyber Resilience Act


The Netherlands is set to approve, this coming Wednesday, the proposal for the Cyber Resilience Act (CRA), a European law aimed at enhancing cyber resilience. The European Commission introduced the CRA last September; the law is expected to ensure safer hardware and software.

The proposed law requires hardware and software suppliers to implement cybersecurity measures to secure their products. Manufacturers will be required to provide free security updates when vulnerabilities are discovered, and any misuse of security flaws, as well as any security incidents, must be reported.

“With the CRA, European users, both consumers and business users, can rely on the hardware and software they use to be safe in the future,” said Adriaansens, the acting Minister of Economic Affairs.

Over the past few months, the European Council has been negotiating the CRA, with the Netherlands making several adjustments to the original proposal from the European Commission. One of the key changes is the support period during which the manufacturer remains responsible for releasing security updates for vulnerabilities. The European Commission proposed a maximum period of five years, but the Netherlands believes this should apply to the reasonably expected lifespan of the product.

The Netherlands also advocated for non-commercially offered open-source software to be exempt from the CRA. However, manufacturers who use such open-source software in a commercial product will fall under the CRA. There was also a call for a reporting obligation for actively exploited vulnerabilities that is feasible for both Computer Security Incident Response Teams (CSIRTs) and manufacturers.

According to Adriaansens, the compromise text from the European Council aligns well with the wishes of the Netherlands. “For the Netherlands, this text is a further improvement compared to the original proposal from the Commission and provides a good basis for negotiations with the European Parliament.” The minister promises to send the compromise text to the Second Chamber as soon as it is made public.

The CRA is part of a broader effort to bolster cybersecurity across Europe, particularly within the financial sector. It sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector, as well as critical third parties which provide ICT-related services to them. The core aim is to prevent and mitigate cyber threats.

The proposed law is subject to approval by the Council and the European Parliament before going through the formal adoption procedure. Once formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs) will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
