Английская Википедия:Cyber Resilience Act

Шаблон:Short description Шаблон:Infobox EU legislation The Cyber Resilience Act (CRA) is a cyber-security regulation for the EU proposed on 15 September 2022 by the European Commission for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements in the EU.^[1][2] The draft legislation is available.^[3][4] The European Commission reached political agreement of the CRA as of 1 December 2023.^[5] The CRA agreement must now receive formal approval by European Parliament and the Council prior to being enforced.^[6]

Multiple open source organizations have criticized CRA for creating a "chilling effect on open source software development".^[7] Products with digital elements mainly refer to hardware and software, including products whose "intended and foreseeable use includes direct or indirect data connection to a device or network".^[8]

Purposes and motivations

The background, purposes and motivations for the proposed policy include:^[9]

• Consumers increasingly become victims to security flaws of digital products (e.g. vulnerabilities), including of Internet of Things devices^[8][10][11] or smart devices.^[12][13]
• Ensuring that digital products in the supply chain are secure is important for businesses,^[8] and cybersecurity often is a "full company risk issue".^[14]
• Potential impacts of hacking include "severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening".^[15]
• Cybersecurity-by-design and by-default principles would impose a duty of care for the lifecycle of products, instead of e.g. relying on consumers and volunteers to establish a basic level of security.^[8][16] The new rules would "rebalance responsibility towards manufacturers".^[15]
• Cyberattacks have led "to an estimated global annual cost of cybercrime of €5.5 trillion by 2021".^[1]
• The rapid spread of digital technologies means rogue states or non-state groups could more easily disrupt critical infrastructures such as public administration and hospitals.^[17]

According to The Washington Post, the CRA could make the EU a leader on cybersecurity and "change the rules of the game globally".^[16]

Implementation and mechanisms

Шаблон:Update section The policy requires software that are "reasonably expected" to have automatic updates should roll out security updates automatically by default while allowing users to opt out.^[18] Companies need to conduct cyber risk assessments before a product is put on the market and throughout 5 years or its expected lifecycle.^[19] Products assessed as 'critical' will need to undergo external audits.^[18][16] Companies would have to notify EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them.^[13] Products are categorized via two classes of risks.^[20] Products carrying the CE certifications would "meet a minimum level of cybersecurity checks".^[10]

Once the law has passed, manufacturers would have two years to adapt to the new requirements and one year to implement vulnerability and incident reporting. Failure to comply could result in fines of up to €15 million or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year.^[15][12][13]

Euractiv has reported on novel drafts or draft-changes that includes changes like the "removal of time obligations for products' lifetime and limiting the scope of reporting to significant incidents".^[21][18] The first compromise amendment will be discussed on 22 May 2023 until which groups reportedly could submit written comments. Euractiv has provided a summary overview of the proposed changes.^[22]

The main political groups in the European Parliament are expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023. Lawmakers will discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote is scheduled for 19 July 2023.^[23][24]

The Spanish presidency of the EU Council has released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements.^[25][26]

The Council text further stipulates that prior to seeking compulsory certification, the European Union executives must undertake an impact assessment to evaluate both the supply and demand aspects of the internal market, as well as the member states' capacity and preparedness for implementing the proposed schemes.^[27][28]

European institutions have successfully concluded negotiations on the Cyber Resilience Act (CRA), paving the way for its anticipated completion in early 2024. The finalized text, yet to be released, will be followed by a detailed summary.^[26]

Reception

Initially, the proposed act was heavily criticized by open-source advocates.^[29]

• Multiple open source organizations like the Eclipse Foundation, the Open Source Initiative (OSI), and The Document Foundation have signed the open letter "Open Letter to the European Commission on the Cyber Resilience Act",^[30] asking policy-makers to change the under-representation of the open source community. It finds that with the policy "more than 70% of the software in Europe [open source/FOSS] is about to be regulated without an in-depth consultation" and if implemented as written (as of April) would have a "chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU's own expressed goals for innovation, digital sovereignty, and future prosperity".^[7][29][30] The Apache Software Foundation published a similar statement,^[31] and the OSI submitted this information to the European Commission's request for input.^[32]
• Although Mozilla "welcome[s] and support[s] the overarching goals of the CRA", it also criticised the proposal for unclear references to "commercial activity", misalignment with other EU rules, and requirements for the disclosure of unmitigated vulnerabilities.^[33]
• Steven J. Vaughan-Nichols of The Register argued the CRA's "underlying assumption is that you can just add security to software" while "[m]any open source developers have neither the revenue nor resources to secure their programs to a government standard".^[29] Another tech journalist noted that "there's some problematic language with how the CRA draws a line between commercial and non-commercial [open source software] use, which could hurt the future of open source".^[34]
• CCIA Europe warned that "the resulting red tape from the approval process could hamper the roll-out of new technologies and services in Europe".^[13]
• Debian's statement warned that many small businesses and solo developers would be put out of business by the act.^[35]

Amendments were released on 1 December 2023, as part of political agreement between co-legislators,^[36] to the acclaim of open-source advocates.^[37] As Mike Milinkovich, executive director of the Eclipse foundation,^[38] wrote:^[36] Шаблон:Blockquote

See also

• Artificial Intelligence Act
• Consumer protection
• Cyber self-defense
• List of data breaches
• [[List of security hacking incidents#Шаблон:PREVIOUSYEAR]]
• Sustainable design
• Standardization

References

Шаблон:Reflist

External links

• Шаблон:Cite web
• Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements on EUR-Lex
• Procedure 2022/0272/COD on EUR-Lex
• Procedure 2022/0272(COD) on ŒIL
• ISO/IEC and European standards from CEN and CENELEC covering cybersecurity [1] on Genorma.com

Партнерские ресурсы
Криптовалюты	Обмен криптовалют - www.bestchange.ru Криптовалютная биржа CoinEx Криптовалютная биржа Binance HIVE OS - операционная система для майнинга e4pool - Мультивалютный пул для майнинга.
Магазины	AliExpress — глобальная виртуальная (в Интернете) торговая площадка, предоставляющая возможность покупать товары производителей из КНР; computeruniverse.net - Интернет-магазин компьютеров(Промо код 5 Евро на первую покупку:FWWC3ZKQ);
Хостинг	DigitalOcean - американский провайдер облачных инфраструктур, с главным офисом в Нью-Йорке и с центрами обработки данных по всему миру;
Разное	Викиум - Онлайн-тренажер для мозга Like Центр - Центр поддержки и развития предпринимательства. Gamersbay - лучший магазин по бустингу для World of Warcraft. Ноотропы OmniMind N°1 - Усиливает мозговую активность. Повышает мотивацию. Улучшает память. Санкт-Петербургская школа телевидения - это федеральная сеть образовательных центров, которая имеет филиалы в 37 городах России. Lingualeo.com — интерактивный онлайн-сервис для изучения и практики английского языка в увлекательной игровой форме. Junyschool (Джунискул) – международная школа программирования и дизайна для детей и подростков от 5 до 17 лет, где ученики осваивают компьютерную грамотность, развивают алгоритмическое и креативное мышление, изучают основы программирования и компьютерной графики, создают собственные проекты: игры, сайты, программы, приложения, анимации, 3D-модели, монтируют видео. Умназия - Интерактивные онлайн-курсы и тренажеры для развития мышления детей 6-13 лет SkillBox - это один из лидеров российского рынка онлайн-образования. Среди партнеров Skillbox ведущий разработчик сервисного дизайна AIC, медиа-компания Yoola, первое и самое крупное русскоязычное аналитическое агентство Tagline, онлайн-школа дизайна и иллюстрации Bang! Bang! Education, оператор PR-рынка PACO, студия рисования Draw&Go, агентство performance-маркетинга Ingate, scrum-студия Sibirix, имидж-лаборатория Персона. «Нетология» — это университет по подготовке и дополнительному обучению специалистов в области интернет-маркетинга, управления проектами и продуктами, дизайна, Data Science и разработки. В рамках Нетологии студенты получают ценные теоретические знания от лучших экспертов Рунета, выполняют практические задания на отработку полученных навыков, общаются с экспертами и единомышленниками. Познакомиться со всеми продуктами подробнее можно на сайте https://netology.ru, линейка курсов и профессий постоянно обновляется. StudyBay Brazil – это онлайн биржа для португалоговорящих студентов и авторов! Студент получает уникальную работу любого уровня сложности и больше свободного времени, в то время как у автора появляется дополнительный заработок и бесценный опыт. Автор24 — самая большая в России площадка по написанию учебных работ: контрольные и курсовые работы, дипломы, рефераты, решение задач, отчеты по практике, а так же любой другой вид работы. Сервис сотрудничает с более 70 000 авторов. Более 1 000 000 работ уже выполнено. StudyBay – это онлайн биржа для англоязычных студентов и авторов! Студент получает уникальную работу любого уровня сложности и больше свободного времени, в то время как у автора появляется дополнительный заработок и бесценный опыт.