Cybersecurity experts from Google, Trend Micro, i2Coalition and other companies, nonprofits and academic institutions around the world have published an open letter calling on policymakers from the European Commission to reconsider a portion of the Cyber Resilience Act.
In 2022, the EC proposed the CRA to require technology manufacturers to take responsibility for a product’s security throughout its life cycle. The CRA would also require organizations to report unpatched software vulnerabilities to the relevant government agencies within 24 hours of exploitation.
Such disclosures may lead to more cybersecurity risks, according to the open letter published on the Center for Cybersecurity Policy and Law website.
The signatories wrote that Article 11 of the CRA provides government agencies with access to a real-time database of software vulnerabilities that can be misused for the purpose of surveillance. Cybersecurity experts posit that vulnerability disclosure, combined with “the absence of transparent oversight mechanism in almost all European Union member states,” creates opportunities for misuse.
The letter also warned that the provision could lead to further exploitation of vulnerabilities. Although Article 11 does not require a full technical assessment of each reported flaw, the letter argues that an attacker could still reconstruct the security flaw from the information disclosed.
The letter urges policymakers to either revise Article 11, Paragraph 1 or remove it entirely.