E.DSO, representing Europe’s leading Distribution System Operators (DSOs), welcomes the opportunity to comment on the Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber Resilience Act (CRA). The CRA can offer a long-term solution to help manufacturers, distributors, importers, users, and authorities strengthen cybersecurity across the value chain. For this to happen, however, we must consider measures that make compliance clear and actionable rather than generate new uncertainty.
We welcome and support the proposed changes on the topic "providing security updates by manufacturers for the entire life cycle of a digital element (not only for a maximum 5 years)" and the consideration of the topic "Responsible Vulnerability Disclosure". Both amendments will significantly strengthen the security of Europe's critical infrastructures and we truly hope that this will also be reflected in the final version of the Cyber Resilience Act.
Having this in mind, as leading operators of critical infrastructures, we have concerns about specific provisions that could eventually lead to unnecessary expenses and the misuse of security resources. After a wide analysis conducted among DSO of various countries and dimension, in this statement, we draw some observations which are of utmost important for the Cyber Resilience Act to be promptly implemented promptly.
Please download the document to read its full content.