European industry is increasingly affected by cyber-attacks, almost all of which are due to vulnerabilities in information technology. Production downtimes are regularly the result. It is therefore right that the European Commission is now introducing mandatory and uniform requirements for the European Union with the so-called Cyber Resilience Act.

Frankfurt, 15/09/2022 – Commenting on the European Commission’s proposal for cybersecurity requirements for products, Hartmut Rauen, Deputy Executive Director of VDMA, says:

“European industry is increasingly affected by cyber-attacks, almost all of which are due to vulnerabilities in information technology. Production downtimes are regularly the result. It is therefore right that the European Commission is now introducing mandatory and uniform requirements for the European Union with the so-called Cyber Resilience Act. In the future, connected devices, including machinery and plants, will only be allowed on the European market if they meet basic cybersecurity requirements. The EU Commission is thus going the whole hog when it comes to cybersecurity.

From the perspective of the mechanical and plant engineering industry, the proposal contains many positive points. In particular, the VDMA expressly welcomes the concept of autonomous, risk-based implementation based on the New Legislative Framework, which has been successful in many cases. The clear demarcation from other technical regulations, such as the Machinery Regulation, is also suitable for avoiding duplicate requirements.

“It is right that the European Commission is now introducing mandatory and uniform requirements for the European Union with the so-called Cyber Resilience Act.”

Hartmut Rauen, Deputy Executive Director of VDMA

However, the undifferentiated classification of core components for networked machines and systems as “critical products” is problematic. This generalization will lead to unnecessary additional burdens for manufacturers, since many industrial components are only used in non-critical areas. Here, reference to the intended use of the products would help.

However, the timely availability of harmonized standards will be crucial to the success of the Cyber Resilience Act. In the absence of appropriate standards, bottlenecks in the availability of approved products are inevitable. We therefore call on the European Commission to issue corresponding standardization mandates at an early stage, which the standardization organizations must swiftly adopt and implement in close cooperation with industry. The development of harmonized standards must not be delayed under any circumstances.”