The German Association for IT Security (TeleTrusT) has commented on the draft bill prepared by the Federal Ministry of the Interior and Homeland Affairs for national implementing legislation for the EU Cyber Resilience Act (CRA) and sees a clear need for improvements.

Whilst the draft does, in principle, address the necessary national regulations, it falls short of practical and legal requirements on key points. TeleTrusT is particularly critical of the planned consolidation of responsibilities at the Federal Office for Information Security (BSI). This would only be viable if reliable personnel, technical and organisational resources were guaranteed – such commitments have so far been lacking.

Further criticism is directed at the overly broad exemptions regarding the notification of conformity assessment bodies without accreditation. There is a risk here that established quality standards could be undermined. The support services envisaged for businesses are also, as things stand, too vague and do not meet practical requirements.

Furthermore, the specific design of a planned “real-world laboratory for cyber resilience” remains unclear. Without transparent and comprehensible framework conditions, this instrument risks falling short of its potential.

TeleTrusT therefore calls for a significant tightening of the draft bill. The focus is on secure funding and resources for the BSI and the German Accreditation Body (DAkkS), clearly defined criteria for exemptions, a practical support concept for businesses, and binding regulations for the real-world laboratory. Only in this way can the effectiveness of the national implementation of the CRA be guaranteed in the long term.