The recent updates to Article 11 of the EU’s Cyber Resilience Act (CRA) have sparked controversy amongst global cybersecurity experts who warn that they could potentially lead to unnecessary risks for consumers and businesses. The new alterations to the CRA aim to detail cybersecurity necessities for digital products, thus fortifying cybersecurity rules for software and hardware in an effort to shield businesses and consumers from inadequate security features.

The changes, however, have generated myriad concerns. In an open letter, senior figures from more than 50 organisations including Google, the Electronic Frontier Foundation, and the CyberPeace Institute expressed their apprehensions, stating that aspects of the article are “counterproductive and will create new threats that undermine the security of digital products and the individuals who use them”. They suggest that this can lead to a prompt to a trend of “rushing the disclosure process”, thereby causing more stress on security teams and software providers, which could ultimately end in botched patches.

The new mandate in Article 11 demands that software publishers disclose any unpatched vulnerabilities to the EU Agency for Cybersecurity (ENISA) within just 24 hours of exploitation. Information about these vulnerabilities would then be disseminated to various government agencies responsible for member state security. The information would be fed into a 'real-time database' containing data on unpatched flaws. These changes are hailed by EU lawmakers as a way to ensure more transparency and accountability, expedite vulnerability disclosures, and, most importantly, to protect consumers.

Achi Lewis, Area VP EMEA for Absolute Software, shares the view that the reporting of vulnerabilities in a timely and accurate manner is vital for organisations. He explained, “not only to protect their own organisation, but others along the supply chain, as well as alerting software providers to potential issues". According to Lewis, the current patching landscape is a chaos. “Our Resilience Index research found that there are 14 different versions of Windows 10, for example, being used by enterprise businesses, with over 800 different patches. This is made worse by one in six devices working on an old patch, increasing the cybersecurity risks to the device, and subsequently the organisation.” Lewis sees the new vulnerability reporting rules as part of the Cyber Resilience Act as supporting organisations to prevent vulnerabilities from spreading.

Lewis continued, “IT managers already have a difficult job managing a work-from-anywhere device fleet so ensuring patching is up to date is an important step to bolstering security, and new vulnerability reporting rules as part of the Cyber Resilience Act will support organisations to stop vulnerabilities spreading. These actions will better prepare organisations to prevent cyber incidents, as well as improve response protocols when attacks occur.”

The letter from critics underlines the risk that the repository of unmitigated vulnerabilities could be targeted by threat actors, heightening the risk for organisations. They recommend that mandatory reporting requirements should be altered to within 72 hours of “effective mitigation” to avert the risk of exploitation.