Abstract: |
European cybersecurity law is made up of various pieces of legislation. How does the newly proposed Cyber Resilience Act (CRA) fit into this system? In this article we briefly illustrate how the CRA proposal interacts with other pieces of EU cybersecurity legislation. We go on to highlight the interaction between the CRA proposal and the Network and Information Security 2 Directive (NIS 2) and, in particular, reveal the interaction with regard to risk management measures, coordinated security risk assessments, notification requirements, and market surveillance provisions. Furthermore, we take a closer look at the relationship between the CRA proposal and the NIS 2 Directive regarding the classification of critical products with digital elements and point out the Commission’s understanding of “criticality”. We outline how the CRA proposal is designed to facilitate the compliance of essential and important entities with the complex due diligence requirements set forth in the NIS 2 Directive, and to contribute towards the comparability of information on products with digital elements. The CRA proposal will bring additional value for essential and important entities as it will facilitate the process of searching for trustworthy products. However, we also identify some avoidable shortcomings of the CRA proposal.