Cyber Resilience Act: BSI becomes market supervisory authority

The BSI is to monitor the Cyber Resilience Act, which introduces minimum requirements for the IT security of networked devices.


The German government has decided: the Federal Office for Information Security (BSI) is to monitor compliance with the Cyber Resilience Act (CRA). The CRA introduces minimum IT security requirements for all kinds of networked devices, including minimum periods during which security updates must be provided. Manufacturers that do not meet the applicable requirements will, in stages over the coming years, no longer be allowed to place their devices on the EU market. For this to work, the BSI will now monitor whether manufacturers and importers are complying with the rules. The German government has notified the EU Commission, which is responsible for the whole of Europe, that the BSI is to take on this role.

The authority will "fulfil its role very conscientiously and ensure that citizens can use their IT products with a sense of security", announced President Claudia Plattner. According to Plattner, the CRA is a "game changer for the security of digital products", as it will increase the level of cybersecurity across the board. However, complete monitoring of all networked devices is neither practically possible nor legally required. Instead, the BSI wants to check IT products for cybersecurity on a random basis or in targeted campaigns, as is customary in official market surveillance.

Until now, the BSI has not been a market surveillance authority, even though it already had related competences through the IT security label and the power to issue product warnings under the BSI Act. Under the CRA, the authority will in future be able to impose fines of up to 15 million euros or 2.5 per cent of a provider's global turnover, whichever is higher. As in other market surveillance regimes, the BSI will also be able to ban the sale of non-compliant products. At the same time, the BSI, in its role as a conformity assessment body, will in future be responsible for the criteria according to which third parties certify compliance with the security requirements for the various CRA product categories. There will also continue to be interfaces with the Federal Network Agency, which is responsible for some related market surveillance tasks, for example in the area of the Radio Equipment Directive.


It is good news for the electrical and digital industry that responsibility has now been clearly defined, says Lennard Kreißl from ZVEI. He believes that the companies in the association are well positioned in terms of cybersecurity at product level. "This is precisely why we want strong and comprehensive market surveillance, but it must be equipped with sufficient resources and capacities," says Kreißl when asked by heise online. The ZVEI manager responsible for cybersecurity is calling for the BSI to be expanded in this area.

(mma)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.