From the correspondent in Strasbourg – It is a new dawn on the European continent for digital product security: the Cyber Resilience Act passed the test of the final vote in the plenary of the European Parliament today (March 12), and now everything is set for the entry into force of the first EU-wide legislation for cybersecurity and resilience, which will introduce mandatory security requirements for products with digital elements throughout their lifecycle. “With today’s vote, Europe equips itself with the necessary legislative tools to strengthen the cybersecurity of connected products and respond to hacker attacks behind which – increasingly – Russia, China and other countries hostile to us are hiding,” stressed the European Parliament rapporteur for the Cyber Resilience Act, Nicola Danti (Italia Viva), in an interview for Eunews following the approval of the new EU Regulation with 517 votes in favor, 12 against, and 78 abstentions.
What products are affected by the Cyber Resilience Act, and what will change for cybersecurity at the European level?
“The Cyber Resilience Act is one of the most important European Union initiatives in terms of cybersecurity because, for the first time, it regulates all connected products. We are talking not only about smartphones or laptops but also smart appliances, microchips, industrial machinery, as well as the software and apps we use more and more every day. Nowadays, everything is connected to the network and can be a gateway for malicious attackers, causing costs, data loss, and disruption of production activities.
With the Cyber Resilience Act, anyone who wants to sell a product – whether physical or ‘virtual’ such as software – will have to ensure that essential requirements are met, including the obligation to provide security updates during the product’s lifecycle. In short, the goal is simple: to put cybersecurity first from the research and development phase and throughout the life cycle to equip citizens and businesses with safer products. A fundamental norm to address what has now become a real emergency and which, on a global scale, caused record costs of 5.5 trillion euros in 2021.”
What obligations and costs will it entail for European companies?
“The Cyber Resilience Act will, in the medium to long term, make European companies more competitive against international competitors because they will be able to market more secure and higher quality products. But we are well aware that this Regulation will have, especially in the first phase, significant costs for the productive fabric, which will have to invest to ensure adequate vulnerability management procedures and produce the necessary documentation to demonstrate compliance with the Regulation.
That is why Parliament has urged that companies be accompanied in the implementation of the Regulation with appropriate levels of financial support through European programs such as Digital Europe. We also provided simplified procedures for micro and small businesses, whose resources are certainly not comparable to those of large companies in the digital world. In addition, we have given businesses time to adapt to this legislation, the obligations of which will come into effect 36 months after publication in the Official Journal.”
What role will open-source play in the Cyber Resilience Act?
“The inclusion of open-source in the Cyber Resilience Act has been one of the issues we have been most concerned about. It is critical for Parliament to protect the driving force that this community has for the entire digital ecosystem. So, we have tried to exclude all open source developers who would not have the resources or business processes necessary to implement the regulation. But we cannot think of excluding open source software tout court even when they have a clear commercial size, precisely in light of their importance to the health of the network. The right compromise found during the negotiations – including only commercial open source software controlled by a single organization – will help the community strengthen its development processes and put cybersecurity first, making open source even more important to the digital world.”
EU Parliament and Council negotiators on the day of the political agreement on the Cyber Resilience Act (Dec. 1, 2023)
Is the European Union ready in terms of expertise to deal with cybersecurity challenges, also considering the hacker attacks sponsored by China and Russia?
“It is clear that regulations and directives are not enough in this new terrain of what, for all intents and purposes, can be considered a new hybrid war. It is crucial for the EU to invest in skills: those of professionals with a very high level of specialization, first and foremost, who will be decisive in ensuring the resilience and capacity of our continent to respond to attacks.
Our young people too often choose to go abroad after studying in Europe because their skills are valued and rewarded. Reversing this trend must become a priority. Meeting the cybersecurity challenge requires creating a widespread culture of cybersecurity: each of us must have the basic skills to recognize threats and attempted attacks in our private lives and the workplace. On this, Member States and the EU must start investing right now to know how to fight threats that, every day, more and more, put our economy and the security of our citizens at risk.”
English version by the Translation Service of Withub