Proposal EU Regulation on Cyber Resilience Act

POSITION PAPER: Card Payment Sweden Statement on the Proposal for an EU Regulation on Cyber Resilience Act – (horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020)



CPS acknowledges the European Commission proposal for a regulation on cybersecurity requirements for products with digital elements published on 15 September 2022.

While CPS supports the Commission’s efforts to enhance cyber security and target vulnerabilities, we strongly believe the requirements should be better aligned with global established security standards and processes applied to payments infrastructure.

All current card payment infrastructures have common security and interoperability requirements. These requirements are vast and already cover the systems used by payment service providers (PSPs) offering card payments, since these systems are connected to payment accounts and banking channels. Adding another layer of requirements to achieve the same level of security would double the administrative burden for most PSPs, incurring costs.

The EU Cyber Resilience Act sets out baseline cybersecurity standards for products with digital elements (both hardware and software which ‘includes a direct or indirect logical or physical data connection to a device or network’). Stricter requirements are introduced for certain critical products, divided into two groups:

  • Class I: identity management systems, browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, chips used for essential entities.
  • Class II: operating systems for desktop and mobile devices, virtualized operating systems, digital certificate issuers, general purpose microprocessors, smartcard and smartcard readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.

As stated, smartcards and smartcard readers are classified as Class II and therefore subject to stricter requirements, including conformity assessments made by third parties, which would entail additional costs for these card-payment-based products.

Cyber security is a major concern for Card Payment Sweden, and we are very active in the work of enhancing and complying with ‘best in class’ solutions.

The application of the Cyber Resilience Act to products with digital elements used for payments should be carefully considered. Their inclusion may instead stifle and complicate the use of ‘best in class’ solutions being implemented by the industry. Card Payment Sweden sees no need for additional comprehensive regulation given the existence of global standards in this area provided by industry bodies, including:

  • PCI (Payment Card Industry), providing data security rules and security rules for payment hardware (terminals)
  • EMVCo, providing inter alia specifications on card-based data and the use thereof at a terminal

Both of these organisations work globally, and we see no need for a specific European solution – card payments are by nature global and specific rules for the EU would hamper the speed of development in this field by adding one more set of rules to comply with.

Overlapping regulation would add extra development costs for card payment service users, initially for merchants, and would eventually end up in a potential increase in retail prices for consumers.

We therefore urge regulators to reconsider whether new and costly cyber security requirements are needed in the payments sphere. Card payments in particular are already covered by several international standards ensuring a high level of cyber security. In addition, given the global nature of the payment environment, it is vital that there are uniform global standards.

Europe is not an island; we need global standards.


Michael Hoffmann


Card Payment Sweden

Card Payment Sweden
Stortorget 13 B
SE-211 22 Malmö

+46 (0) 40 250 778