Siemens, Ericsson warn EU cybersecurity rules may disrupt supply chains

By Foo Yun Chee

BRUSSELS (Reuters) – Electronics makers Siemens, Ericsson and Schneider Electric, along with industry group DigitalEurope, warned on Monday that onerous proposed EU rules targeting cybersecurity risks of smart devices could disrupt supply chains on a scale similar to that seen during the pandemic.

Proposed by the European Commission last year, the Cyber Resilience Act requires manufacturers to assess the cybersecurity risks of their products and take measures to fix problems for a period of five years or through the expected lifetime of the products.

The proposed rules would also apply to importers and distributors of internet-connected devices. Cybersecurity worries have spiked following a series of high-profile incidents of hackers damaging businesses and demanding huge ransoms.

“The law as it stands risks creating bottlenecks that will disrupt the single market,” the chief executives of the companies wrote in a joint letter to European Union industry chief Thierry Breton and EU digital chief Vera Jourova.

They said disruptions could hit millions of products, ranging from washing machines to toys and cybersecurity products, as well as vital components for heat pumps, cooling machines and high-tech manufacturing. Delays may be due to red tape and a shortage of independent experts to conduct the assessments, the companies said.

“We risk creating a COVID-style blockage in European supply chains, disrupting the single market and harming our competitiveness,” the companies said.

Other signatories to the letter include the CEOs of Nokia, Robert Bosch GmbH and Slovakian software company ESET.

The companies said the list of higher-risk products subject to the rule should be significantly scaled back and that manufacturers should be allowed to fix known vulnerability risks rather than first conducting assessments.

They also want more flexibility to self-assess cybersecurity risks.

The letter comes ahead of Nov. 8 negotiations between EU countries and EU lawmakers to thrash out the details of the draft law before it can be adopted.