Fostering Cyber Resilience for the 99%: DIGITAL SME calls for adequate support for SMEs to level up European cybersecurity
- A targeted approach is needed in the Cyber Resilience Act: stronger cyber resilience should not come with disproportionate costs for SMEs
- Standardisation organisations must ensure the adequate representation of SMEs as the backbone of Europe’s cybersecurity ecosystem
- To unlock the potential of SMEs in after-sales markets, security updates must be provided for at least 5 years
In the context of a fragile geopolitical landscape worldwide, cybersecurity has become a fundamental asset to preserve the innovative capacity of digital solutions. The Cyber Resilience Act (CRA) introduces requirements for manufacturers placing on the market products with digital elements.
DIGITAL SME welcomes the efforts put forward in the CRA to ensure that European products are introduced in the market with a higher level of cybersecurity. At the same time, effective cybersecurity requires an end-to-end commitment that covers all actors in the supply chain of which SMEs are a crucial part.
This regulation will have a big impact on SMEs, which represent 99% of hardware manufacturers and software developers in the EU. If SMEs are to invest in complying with essential cybersecurity requirements that secure their innovative potential, EU policymakers need to bear in mind the additional costs generated by new binding horizontal requirements for SMEs.
Although SMEs will benefit from the harmonisation of requirements with existing EU cybersecurity legislation aiming at reducing fragmentation of rules, co-legislators need to consider measures that make compliance for companies clear and attainable. If the possibility for voluntary cybersecurity certification cannot be considered at this stage as an option for SMEs, then policymakers need to guarantee a degree of proportionality as well as adequate guidance and support for SMEs’ implementation of the new requirements.
Support to SMEs from public authorities should include funding, training and guides, as well as the collection of SMEs’ feedback once the CRA is enforced. It is essential that EU institutions also provide SME-tailored guidance for the development of secure digital products at EU level. Examples of the guidance needed by SMEs include the guides produced by DIGITAL SME and Small Business Standards (SBS) to help SMEs implement relevant cybersecurity standards.¹ ²
In addition, the development of harmonised standards should be encouraged, on the basis of cybersecurity standards already available in Europe, by promoting the use of self-assessments and the proportionality of conformity assessment procedures as tools to enhance compliance by companies. In line with this objective, SMEs need adequate representation in standardisation committees and shall have a say in the standards implementing the CRA. When mandating the development of CRA standards to the European Standards Organisations, the Commission should instruct them with concrete measures and KPIs to ensure the development of SME-friendly standards.
Furthermore, co-legislators should consider the establishment of regulatory sandboxes, based on the model that is introduced in the Artificial Intelligence Act. SMEs can benefit from a safe environment that allows them to test their software and cybersecurity products before entering the market. It is expected that regulatory sandboxes would facilitate compliance, boost innovation and contribute to regulatory learning. Public authorities at the national level should provide the right conditions to make the regulatory sandboxes effective for SMEs.
The CRA must also include considerations of sustainability. The ability of Original Equipment Manufacturers (OEMs) to impose complex security standards that restrict access to their devices by independent third parties, especially SMEs, should be limited. This measure would support companies in the after-sales markets and offer consumers the ‘right to repair’. It is critical that legislation limits the planned obsolescence of devices and promotes the extension of product life cycles. While the Commission proposed a limit of up to five years for the obligation to provide security updates by manufacturers, DIGITAL SME calls for extending the period to the entire life cycle of their products.
While the discussions on the CRA progress in the European Parliament ITRE Committee, DIGITAL SME acknowledges that the approach reflected in the ITRE Draft Report on the CRA goes in the right direction regarding SME guidance and support, with MEPs having put forward various amendments to that effect. In particular, DIGITAL SME supports the suggestion to postpone the date from which the regulation would apply, thereby allowing for a longer transition period in which SMEs can comply with the CRA on a voluntary basis and adapt to this Regulation ahead of its official implementation.
Digital resilience and adaptability are crucial elements to the survival and growth of any business, regardless of its size. In the face of parallel crises, promoting the cybersecurity of SMEs is critical and should be pursued by following a proportionate approach that fosters and secures Europe-led innovation.
Read the full DIGITAL SME position paper here. This position paper was made possible with the key inputs provided by the members of the DIGITAL SME Working Group Cyber.
¹ SBS SME Guide on essential security controls for SMEs to protect users’ privacy and data and ensure GDPR compliance (based mainly on ISO 27002)
² SBS SME Guide for the implementation of ISO 27001 Information Security Management