EU-U.S. Cybersecurity Mutual Recognition: A Goal for 2024

In December, I had the opportunity to participate in the ninth annual EU-U.S. Cyber Dialogue hosted by the EU Commission and the European External Action Service in Brussels. This was the second year in a row that I have participated in the Dialogue, and the four-hour-long discussion could be summarized in a single term: mutual recognition. 

The previous year's discussion was what I would describe as exploratory, meaning that both sides were in the process of figuring out their respective approaches to overseeing the cybersecurity of connected devices.  However, a lot has changed in just 12 months. Today, we have a final political agreement on the EU Cyber Resilience Act and a proposed U.S. Cyber Trust Mark that will serve as rulebooks for how to secure connected devices within the two economies, respectively. Many in the industry have noted the importance of finding common ground between the two programs so that manufacturers can continue to leverage their economies of scale and certify a connected product once with the ability to then sell that certified product in either jurisdiction.

In order for such a cooperative approach to exist, the EU and the U.S. would need to agree on a number of important factors, such as the scope of impacted devices, the relevant protections needed, the appropriate standards for demonstrating conformance to relevant protections, testing methodologies, and approved conformity assessment bodies to independently test conformance to requirements. In short, agreeing on the commonalities of these factors is what’s known as “mutual recognition” and the resulting agreement is known as a “mutual recognition agreement”. 

Fortunately, the EU and the U.S. have a number of existing mutual recognition agreements in important areas such as telecommunications and marine equipment testing, but no such agreement exists within the cybersecurity realm. The good news is that there appears to be broad agreement on both sides of the Atlantic to identify the commonalities between the Cyber Resilience Act and the Cyber Trust Mark.  Given the significant cost to manufacturers to build in appropriate cybersecurity protections, align those protections with relevant standards, and then have such alignment independently tested by an approved third party, both the EU and the U.S. should make this an urgent priority. This would allow manufacturers to focus on the cybersecurity of their products and not on the bureaucratic steps needed to prove that such devices are, in fact, cyber secure. 

Establishing mutual recognition between the two economies in cybersecurity will not be easy, though.  Important questions around scope and standards are key hurdles that will need to be overcome. For example, the Cyber Resilience Act covers any digitally-enabled device sold in the EU single market. The scope is immense, and the requirements are mandatory. By contrast, the Cyber Trust Mark, at least initially, is envisioned to cover consumer IoT products and is voluntary. Over the next three years, the Cyber Resilience Act will be translated into detailed harmonized standards that will spell out how manufacturers are to build relevant security protections into their products. The details of these standards, the extent to which they will leverage existing international standards (e.g., IEC 62443, ISO/IEC 27001, ISO 27402), and align with NIST’s 8259 series on the cybersecurity of IoT, remains to be seen. 

In 2024, the job of the industry will be to support both economies in answering these key questions and outlining the key aspects of a mutual recognition program that allows the EU and the U.S. to achieve their cybersecurity goals while preserving manufacturers’ economies of scale.

About the authors

Trevor H. Rudolph