Joint Statement on Cyber Resilience Act: Manufacturers of long-lasting industrial products
We fully support the ultimate objective of the Cyber Resilience Act, which aims to cyber protect the products and increase their cyber resilience. It is of utmost importance to have effective processes for vulnerability management and handling, enabling manufacturers to promptly address security weaknesses.
Nevertheless, we, a diverse coalition of European associations representing various sectors that manufacture long life cycle products in industrial contexts (B2B) and long manufacturing processes, express our concerns regarding Article 10 Annex 1, Article 16 and Article 57 of the Cyber Resilience Act (CRA).
Indeed, the applicability of these provisions, especially in sectors characterised by long product life cycles, such as rail products, construction machinery and machine tools designed to last over 30 years, poses significant challenges.
First, there is an inherent difficulty in accurately quantifying and estimating the efforts required to ensure the cyber resilience of complex products over such extended durations which raises doubts about the practicality of these obligations. Yet, what is certain is that this will represent a huge economic burden.
Secondly, a fundamental reality for our sectors remains that once a product is delivered, its future evolution, potential upgrades, and modernisation depend on the B2B end user. Users will modify the product configuration after the warranty period without the involvement of the manufacturer, hindering meaningful vulnerability monitoring.
The cyber resilience of digital products in B2B sectors will be achieved only through a balanced allocation of responsibilities between manufacturers and users.
As a result, we advocate for a nuanced approach, aligning the final text with or even going further than the Parliament compromise text that emphasises differentiation between business to business (B2B) and business to consumer (B2C) context.