On 15 April 2025, ENCS submitted feedback to the Commission on the Cyber Resilience Act technical description of the categories of important and critical products with digital elements. Various activities, including webinars and online consultations were hosted to get feedback and comments from members experts.
As a member organization representing 29 distribution and transmission system operators in Europe, ENCS is concerned about the possible impact of two of the definitions of critical products on the electricity sector. For smart meter gateway, the current definition does properly reflect the implicit definitions used in the sector. Our only concern is that the definition is complex and hence may be read in different ways. In our comments, we propose a rephrasing to remove the ambiguity. For the hardware devices with security boxes, we are concerned that the current definition is too broad. Most products that include countermeasures against physical attacks seem to fall under the proposed definition. This includes many products that are not currently covered under certification schemes such as EUCC, and that do not pose a critical risk to essential entities under NIS 2 if they are compromised through a physical attack. We think the proposed definition needs to be refined to incorporate these properties that critical products should have according to point (46) in the CRA recitals.
The ENCS public consultation feedback is available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14449-Technical-description-of-important-and-critical-products-with-digital-elements/F3535505_en
