CECE: ‘EU is ignoring industry warnings regarding the complexity of machine architecture’

Committee for European Construction Equipment (CECE)

The agreement on the final text was reached in record time in spite of the industry’s warnings on the need to avoid the rushing through of this crucial piece of legislation.

It does not take into account the demands of long-lasting products manufacturers for an adequate implementation timeframe.

As the representative of the European construction equipment industry, CECE strongly criticises the lack of attention given to this matter.

As the first piece of legislation of its kind in the world, once in application, the CRA will introduce a set of security requirements for connected products, ranging from smart toys to industrial machinery.

With its very broad scope, covering all products with digital elements (both hardware and software, with the exception of spare parts) made available on the market and able to connect to either a device or a network, the CRA will impose new obligations on manufacturers throughout the entire products lifecycle, from the design and development phase, and also beyond the placing on the EU market.

Products with digital elements falling within the CRA scope are classified either as default, important or critical categories with a risk-based approach.

Manufacturers will therefore be required to carry out a conformity assessment based upon the assigned risk of security threats.

In other words, different product classifications will necessitate different conformity assessment procedures.

Nonetheless, it is worth noting that the integration of critical products does not in itself render the product which is integrated as subject to the same conformity assessment procedure.

The support period approach

The new cybersecurity law for connected products constitutes a priority file for CECE’s membership due to the expected impact once in application.

As of mid-2027, construction equipment manufacturers will be required to comply with a number of essential security requirements when placing products with digital elements on the market.

Additionally, the obligations linked to the handling of vulnerabilities will follow the ‘support period’ approach, which now refers to the time a product is expected to be in use (expected use time rather than expected lifetime) and will reflect users’ expectations and the nature of the product.

A positive aspect lies in the fact that manufacturers may consider other elements while determining the support period duration, such as support periods of integrated components (core functions) sourced from third parties, in a manner that ensures proportionality.

The minimum timeframe for the support period is 5 years and all security updates made available to the user are to remain available for at least 10 years or for the remainder of the support period, whichever is longer.

What happens next?

The text of the provisional political agreement reached in trilogue has to be formally endorsed by both Parliament and Council.

The text will then be published in the Official Journal of the EU (publication expected in mid-2024) and will enter into force on the 20th day after its publication.

The transition period before the CRA becomes applicable has been extended slightly by only 12 months.

The new cybersecurity rules for connected products will thus apply 36 months, or 3 years, after the entry into force of the new regulation.

This will give construction equipment manufacturers a very limited timeframe (until mid-2027) to comply with the new cybersecurity requirements.

This short timeframe entirely disregards both the warnings of the industry and the complexity of machinery products, which will now require significant changes to the entire machine architecture.