The European Network for Cyber Security (ENCS), representing 29 European energy operators, has raised crucial concerns about the EU Cyber Resilience Act (CRA) in its recent consultation feedback.
ENCS consultation feedback on EU Cyber Resilience Act
On 15 April 2025, ENCS submitted feedback to the Commission on the Cyber Resilience Act’s (CRA) technical description of the categories of important and critical products with digital elements. Various activities, including webinars and online consultations were hosted to get feedback and comments from members experts.
As a member organization representing 29 distribution and transmission system operators in Europe, ENCS is concerned about the possible impact of two of the definitions of critical products on the electricity sector.
For ‘smart meter gateway’, the current definition does properly reflect the implicit definitions used in the sector. Our only concern is that the definition is complex and hence may be read in different ways. In our comments, we propose a rephrasing to remove the ambiguity.
For the ‘hardware devices with security boxes’, we are concerned that the current definition is too broad. Most products that include countermeasures against physical attacks seem to fall under the proposed definition. This includes many products that are not currently covered under certification schemes such as EUCC, and that do not pose a critical risk to essential entities under NIS2 if they are compromised through a physical attack. We think the proposed definition needs to be refined to incorporate these properties that critical products should have according to point (46) in the CRA recitals.