The European Network for Cyber Security (ENCS) submitted feedback earlier this month to the European Commission on the Cyber Resilience Act (CRA) technical description of the categories of important and critical products with digital elements. Various activities, including webinars and online consultations, were hosted to gather feedback and comments from members and experts.

Anjos Nijk, managing director of ENCS, wrote in a statement to Industrial Cyber, that the Cyber Resilience Act will be instrumental to strengthening cybersecurity across Europe, but it’s essential that its definitions are precise and aligned with operational realities in critical sectors like energy. “Inaccurate definitions – such as those currently proposed for ‘smart meter gateways’ and ‘hardware devices with security boxes’ – risk misdirecting regulatory efforts and resources.”

“In a time of escalating cyber threats and geopolitical tensions, we must ensure that regulation focuses on the systems and components that truly impact the resilience of our electricity grids,” Nijk added. “If definitions are too expansive or ambiguous, we may dilute attention from the assets that genuinely require the highest level of protection, potentially undermining rather than enhancing energy security.” 

The current definition of ‘smart meter gateway’ does not fully align with the implicit definitions commonly used in the sector. The primary concern is that the definition is complex and may be interpreted in multiple ways. A rephrased version has been proposed to reduce ambiguity.

For the ‘hardware devices with security boxes’, the ENCS expressed concern that the current definition is too broad. Most products that include countermeasures against physical attacks seem to fall under the proposed definition. This includes many products that are not currently covered under certification schemes, such as EUCC, and that do not pose a critical risk to essential entities under NIS2 if they are compromised through a physical attack. The proposed definition should be refined to incorporate the properties that critical products are expected to have, as outlined in point (46) of the CRA recitals.

In its feedback submission to the technical description of important and critical products of the Cyber Resilience Act, the ENCS wrote that “as a member organization representing 29 distribution and transmission system operators in Europe, ENCS is concerned about the possible impact of two of the definitions of critical products on the electricity sector.” 

“For smart meter gateway, the current definition does properly reflect the implicit definitions used in the sector,” it added. “Our only concern is that the definition is complex and hence may be read in different ways. In our comments, we propose a rephrasing to remove the ambiguity.” 

The agency suggested that for the hardware devices with security boxes, “we are concerned that the current definition is too broad. Most products that include countermeasures against physical attacks seem to fall under the proposed definition. This includes many products that are not currently covered under certification schemes, such as EUCC, and that do not pose a critical risk to essential entities under NIS 2 if they are compromised through a physical attack. We think the proposed definition needs to be refined to incorporate these properties that critical products should have according to point (46) in the CRA recitals.”

The Cyber Resilience Act requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in Annex III and IV to the Regulation. Such products may be subject to more stringent conformity assessment procedures, as set out in Article 32. Stakeholders were encouraged to submit their feedback to this consultation by using the attached template in order to facilitate feedback consolidation.

In its submission, the ENCS recommended that the definition be limited to products where protection against physical risks is essential to counter critical threats. Including any product with tamper resistance in this category could lead to unnecessary costs, as even products with low physical security risks would be required to meet the stringent requirements for critical products. This could have the unintended consequence of manufacturers opting to exclude physical security measures altogether to avoid classification as a critical product, reducing the overall security of some devices.

Regarding the first paragraph of the technical definition, ENCS proposed the following wording: “Hardware products with digital elements that include a physical hardware envelope offering countermeasures against physical attacks, such as tamper evidence, resistance, or response, and that are specifically designed to securely store, process, and manage sensitive data and cryptographic operations. These products, if physically compromised, could pose a critical risk to essential entities as defined in Article 3 of Directive (EU) 2022/2555, or could cause serious disruptions to supply chains within the internal market.”

The agency recommended adding ‘monitoring and control’ to the capabilities described in the gateway definition within the first paragraph:

“Products with digital elements that manage communication between components in smart metering systems, as defined in Article 2(23) of Directive (EU) 2019/944, and authorised third parties such as utility providers, as well as other devices within the smart grid infrastructure. These products collect, process, and store metering data, perform monitoring and control functions for the electricity system, and protect data and information flows by supporting cryptographic functions such as encryption and decryption, and by acting as a firewall between the wider network and the local network.”
