Siemens, Ericsson, and Schneider Electric Warn of Potential Supply Chain Disruption Due to Proposed EU Cybersecurity Rules
Global electronics manufacturers Siemens, Ericsson, and Schneider Electric, in conjunction with industry group DigitalEurope, have raised concerns that the stringent European Union (EU) rules aimed at addressing cybersecurity risks associated with smart devices may disrupt supply chains on a scale reminiscent of the disruptions experienced during the pandemic. The companies have emphasized the potential challenges posed by the EU's proposed Cyber Resilience Act, which could have far-reaching implications for various industries.
The Cyber Resilience Act, proposed by the European Commission in the previous year, seeks to hold manufacturers accountable for assessing the cybersecurity risks of their products. Manufacturers are then required to take remedial actions over a five-year period or through the anticipated lifetime of their products to rectify any identified cybersecurity issues. The proposed rules also extend to importers and distributors of internet-connected devices, marking a significant expansion of cybersecurity regulations in the EU.
The urgency behind these rules has been amplified by an increasing number of high-profile cybersecurity incidents that have targeted businesses, often leading to substantial ransom demands. The proposed measures are intended to bolster cybersecurity in a rapidly evolving digital landscape.
However, the chief executives of Siemens, Ericsson, Schneider Electric, and other major companies have expressed their apprehensions in a joint letter addressed to European Union industry chief Thierry Breton and EU digital chief Vera Jourova. They warned that the existing draft of the law could result in bottlenecks that disrupt the single market, a scenario reminiscent of the pandemic-induced supply chain disruptions.
The concerns raised by the companies encompass a wide range of products, including everyday items like washing machines and toys, as well as critical components for heat pumps, cooling systems, and high-tech manufacturing. They noted that potential delays in the supply chain may arise from a shortage of independent experts to conduct cybersecurity assessments and the bureaucratic hurdles associated with compliance.
The joint letter stated, "We risk creating a COVID-style blockage in European supply chains, disrupting the single market and harming our competitiveness." The letter was also signed by the CEOs of Nokia, Robert Bosch GmbH, and Slovakian software company ESET.
The companies proposed a more measured approach to the rules, advocating for a significant reduction in the list of higher-risk products subject to the regulations. They also called for manufacturers to be allowed to address known vulnerability risks without requiring comprehensive assessments and sought greater flexibility in self-assessing cybersecurity risks.
The letter's release precedes critical negotiations scheduled for November 8, during which EU member states and EU lawmakers will convene to iron out the specifics of the proposed law before it can be officially adopted. The concerns expressed by major industry players highlight the importance of balancing robust cybersecurity measures with the need to maintain efficient and agile supply chains in the ever-evolving digital landscape.