Netnod and Internetstiftelsen responds to the EU Commission's proposed adoption of the Cyber Resilience Act

On 19 September 2022, Netnod was given the opportunity by the EU to comment on the EU Commission’s adoption of the Cyber Resilience Act at the EU-level.

The full response is available here and in the EU-commission feedback process. Similarly, on the 21th of November, Netnod was given the opportunity by the Ministry of Finance (Finansdepartementet) to comment on the EU Commission's adoption of the Cyber Resilience Act at the Swedish level. Netnod and Internetstiftelsen (The Swedish Internet Foundation) together provided a full response available here.

Netnod welcomes the additional attention brought to the important topic of cybersecurity by the Cyber Resilience Act. However, Netnod believes that approach is fundamentally suboptimal and effort should instead be put towards accountability in the digital world. That is, instead of laying down ex-ante design requirements for digital products, the regulation should improve ex-post accountability processes in a digital environment. 

In particular Netnod is of the opinion that measures required by the regulation are ineffective and, in fact, counter productive. The measures are neither suitable nor sufficient and will, we believe, have a negative impact on society. The impact for all so called resource constrained actors (e.g. all actors) is that resources will be reprioritised from current security initiatives towards certification. What we need instead is for existing security initiatives to be encouraged and strengthened.

Netnod believes that the regulation should not enforce methods, but rather enforce accountability. One reason is the argument above, that certification is not an efficient measure for all situations; another reason is that methods and best practices change over time, so specifying a specific method in the regulation is a certain way to ensure that the regulation will soon become outdated.

Netnod believes that if one wants to increase cybersecurity in society then the Cyber Resilience Act will have the same effect as using a sieve if one wants to carry water.

In addition, there is a current trend to increase cybersecurity awareness, and this trend is likely to continue regardless of the regulatory focus on cybersecurity. As such, the regulation in some sense is not necessary. For example, having procurement processes that include security requirements, specifically for the public sector, might have a better effect and would also include positive stimuli in regards to innovation and the evolution of products and services.

Overall, Netnod welcomes the attention on cybersecurity; however, we have significant concerns with the implementation of the regulation.