Consultation Response Regarding the European Commission's proposal for a regulation of comprehensive cybersecurity requirements for products with digital elements and for the amendment of Regulation (EU) 2019/1020

One of the goals of CRA is to create competitive advantages for companies in Europe. To achieve that goal, unnecessary bureaucracy and burden must be avoided. The proposal needs to be combined with strengthened cybersecurity risk management, adequate competence and secure and robust infrastructure. The new laws adopted under the EU's cybersecurity strategy will deliver results, but will also have an impact on the capacity of both companies and regulators.

In order to attain legislation that reduces cybersecurity incidents with an impact on the security of a product, it must be applicable in different contexts. For example, vulnerabilities differ significantly depending on whether it concerns telecom networks, companies, or consumers' management of IoT products. The Confederation of Swedish Enterprise therefore wants to emphasize the need for proportionate legislation with a risk-based method. Security efforts must focus on addressing critical and serious vulnerabilities. The focus should therefore be on minimising cyber incidents and not on minimising the occurrence of all forms of vulnerability.

Furthermore, Europe should make maximum use of international standards and market-driven initiatives to strengthen competitiveness. Therefore, future harmonised standards should, as far as possible, be based on existing international standardisation work and agreements on mutual recognition should be sought with third countries. Cybersecurity is a global challenge, a continuous process and not a solid state in a product.

The Confederation of Swedish Enterprise agrees that cybersecurity needs to be strengthened in society and companies will contribute to a large extent. Not least with the NIS2 directive, where the requirements are increasing significantly for many companies. Authorities working with Cybersecurity need to support the work of companies through information sharing and transfer of knowledge. The National Cyber Security Centre should urgently strengthen collaboration with the business community by the development of routines for communicating situational awareness and information on the management of cyber-attacks.