Following the release of the proposed Cyber Resilience Act, we share our thoughts, concerns and recommendations outlined in our position paper, addressing issues that impact smart energy solution providers.
Global and European organisations, whether they belong to the governmental sector, critical infrastructure or private business, are subject to an increasing number of cybersecurity risks. With this in mind, ESMIG recognises that both technical measures and horizontal regulatory acts are needed to address rising and ever-evolving cybersecurity risks.
In response to emerging cybersecurity threats, smart energy solution providers and smart metering product manufacturers, aware that their products are used as part of mission-critical infrastructure, have developed a robust and highly secure advanced metering infrastructure, assuring a high level of confidentiality, integrity, availability and trust between all critical components.
Legislators have also recognised the need to address evolving issues and have in recent years adopted high security requirements for several types of products, devices and software. For smart energy solutions in particular, there are several legislative and regulatory acts with which smart metering products, solutions and the industry must, or will have to, comply, including the Measurement Instrument Directive, the Cybersecurity Act, the Radio Equipment Directive’s new Delegated Act, the Network Code on Cybersecurity and the Cyber Resilience Act.
As a result, we would like to emphasise that it is crucial that these obligatory acts, their security requirements and the related obligatory product assessments do not overlap or compete with one another, as this would cause confusion, misinterpretation and unnecessarily high implementation costs for smart energy solution providers and manufacturers.
As stated by Anže Zlatel, Chair of the ESMIG Cybersecurity Task Force and Information Security Officer at Iskraemeco, “While we welcome any action to improve the cyber resilience in products and address the cybersecurity risks, it is key that the legislation does not become a burden for manufacturers, and continues to enable innovation. While we recognise the many benefits that the Cyber Resilience Act brings, there are areas that must be further clarified and addressed in order to support the smart metering industry.”
The main recommendations and considerations proposed by ESMIG are:
- Recommendation I: involve the smart meters industry sector in the introduction of a transparent cybersecurity risk assessment methodology and framework with the aim to classify products according to risk level.
- Recommendation II: involve relevant stakeholders in any risk assessment, so that they can support the European Commission in defining which class specific IT systems or products belong to.
- Recommendation III: enable EUCC-based cybersecurity certification to be used as proof of conformity with the security requirements of product-oriented legislation such as the MID and RED.
- Recommendation IV: introduce a clear definition of “users” in Article 11, point 4.
- Recommendation V: Article 11 obligations and requirements must be addressed through the cybersecurity risk-based approach.