EU’s Cyber Resilience Act would require a ONE day breach notice

A group of leading tech companies and security researchers have written an open letter about how the vulnerability disclosure requirements proposed for the EU’s Cyber Resilience Act don’t make sense and are flat out dangerous.

Basically, the requirements would ask vendors to disclose that they know about a vulnerability in ONE day. The industry argues that’s not enough time and would open the doors to hackers to jump on the vulnerabilities without giving everyone enough time to actually do the patches.  “Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.”

George McGregor, VP, Approov Mobile Security had this comment:

“These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU.  The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered so the obligation will be worldwide in scope.

“This is clearly understood by the number of US based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours.

“The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement.

“With this level of industry reaction, the CRA requirements should certainly be relaxed.”

I am completely in favour of this as it makes vendors completely accountable for the quality of their products. But it has to be done in a way that make sense and is sustainable. This doesn’t meet that standard. A rethink is absolutely in order.

Leave a Reply