Netnod's Response on Provisions Complementing the EU Cyber Resilience Regulation

Netnod submitted its response to the Ministry of Finance regarding the proposed supplementary provisions to the EU Cyber Resilience Regulation (SOU 2025:115 or Fi2026/00065).

Netnod generally welcomes initiatives to raise the cybersecurity level in the EU but maintains the view that legislation in a digital context, where services are built in layers (the "lasagna model"), should focus on ex-post accountability rather than ex-ante process regulation. The detailed comments address two main areas where the proposed legislation risks being counterproductive or ineffective:

Economic Support to Suppliers is Counterproductive

Netnod believes that the proposal for direct economic support to suppliers is incorrectly designed and risks distorting the market.

Recommendation: Market surveillance authorities should provide guidance, advice, and training, but no direct economic support should be given to suppliers. If state economic support is provided, it must be channeled to (end) customers. Customers can then, through market agreements, create a natural and market-driven incentive structure for suppliers to offer higher cybersecurity.

Overly Broad Secrecy Hampers Collective Learning

The proposed scope of confidentiality for information linked to incident reporting is too broad. The proposed strict duty of confidentiality and a 40-year secrecy period—which is "almost an eternity on the internet"—risk inhibiting cooperation and information sharing, which could lead to reduced cyber resilience.

Recommendation: Confidentiality must be strictly limited to purely economic and technical matters. It is crucial that the secrecy provision does not cover the measures that were recommended or taken in connection with an incident, as sharing information about actions taken is essential for collective learning and improving overall cyber resilience.