Cyber Resilience Act
The Cyber Resilience Act proposal of the European Commission can bring welcome clarity for consumers and users of cybersecurity systems. To meet the needs of workers, it should specifically take into account those needs, confidentiality factors in the workplace and modern ways of working.
Eurocadres, the representative of Europe’s Professionals and Managers, is one of three recognised European cross-sectoral social partners, and represents over six million employees. We welcome the Cyber Resilience Act, which can help to bring technical certainty to Professionals and Managers, while addressing important security aspects that impact workplaces in general. Despite this, we call on policymakers to strengthen aspects of the text relevant to these areas.
Our key recommendations for the initiative are the following:
Regulation that protects workers, consumers, clients and citizens
All companies hold confidential and/or personal information regarding their workers, clients and consumers, and citizens in general. However, these groups are not homogeneous and hence need specific mechanisms to address the cybersecurity risks they may face. For this reason, a one-size-fits-all approach to the protection of these groups may have weaknesses in addressing the various risks.
This aspect of the text should specifically consider the use of digital products by companies, but also in workplaces. Software that is used to handle sensitive data and/or sensitive tasks in these contexts needs to come with tailored information, so that the operators tasked with selecting those systems can reliably trust the level of security they provide. Their needs may differ from those of, for example, consumers selecting their own systems, which should be kept in mind when tailoring the list of information that Annex II requires. These needs may include information that specifically addresses work processes or worker information, which must be reflected in the revised text.
Supporting those who work in issues related to cybersecurity
The workers who end up relying on cybersecurity systems often lack the digital understanding necessary to assess the level of protection the selected system provides. Their needs are not similar to those of consumers, as they often deal with complex processes and datasets, which also places potential strain on their liability. This should also apply to AI systems that are not included in the high-risk systems list (Article 8), as any AI system may require specific measures to address its cybersecurity risks.
As AI systems are capable of learning and developing, their changing nature should be addressed by the legislation. Due to this, the users of AI systems should be informed of the potential risks they may face, even when dealing with products that do not fall into the category of high-risk AI systems. This aspect should also be included in the technical expertise required of the notified bodies (Article 29).
Securing systems that are designed for confidentiality
While general security systems address external threats to cybersecurity, technical solutions also have internal security measures that need to be addressed by the legislation. Secure channels are necessary, especially for GDPR-related information or otherwise sensitive data that organisations handle in relation to their employees, clients, or similar. The level of security that products provide should be communicated in an understandable and transparent manner, accessible to all users and also to potentially affected persons inside the companies where the systems are implemented. This is particularly the case for systems relating to personal information, but also for regulation-specific requirements, such as the internal reporting channels set by the Whistleblower Directive.
Consideration of remote, cloud-based or otherwise physically divided systems
As digital technologies allow the distribution of tasks and processes around the world, digital systems can also be spread across a variety of different locations. While certain levels of security can be achieved regardless of location, aspects such as remotely working teams may introduce new vulnerabilities that need to be properly addressed by the measures proposed in this legislation. These territoriality aspects should be taken into account in the Annexes, following the spirit of the NIS2 Directive (draft Article 26).