The Cyber Resilience Act must align with railway realities
This statement was submitted in response to the European Commission’s Call for Evidence under the Digital Omnibus initiative.
Swedtrain urges the EU to recognize the specific challenges the railway industry faces in implementing the Cyber Resilience Act (CRA). While the regulation aims to strengthen cybersecurity for products with digital elements – a goal we fully support – it risks creating significant obstacles for our sector if not adapted to our operational realities.
Key characteristics of the railway industry include:
– Extremely long development cycles. The design, production, and approval of new systems and products can take 10–15 years. Many products scheduled for rollout in the coming years were designed before the CRA existed and therefore do not include its requirements.
– High complexity and safety demands. Railway systems are part of critical infrastructure and must meet strict safety standards – both physical and digital. Retrofitting cybersecurity requirements can lead to major redesigns, delays, and increased costs.
– Long product lifespans. Railway vehicles and systems are often in use for 30–40 years. Ensuring cybersecurity throughout the entire lifecycle requires a different approach than for consumer products with shorter lifespans.
We call on the EU to:
1) Clarify that the obligations of the Cyber Resilience Act apply only to projects whose contracts were signed after its entry into force (10 December 2024). Legacy contracts, given their complexity, long duration, and multi-tiered supplier structure, should be excluded from retroactive application.
2) Ensure that extensions to existing major infrastructure systems, such as rail or grid systems, are exempted from the scope of the CRA. This should include fleet or line expansions, since interoperability and compatibility between old and new deliveries must be guaranteed.
3) Clarify that the vulnerability disclosure requirements mandate disclosure only to the customer/user.
4) Separate the support period from the lifecycle of the product with digital elements (PDE). The support period for PDEs such as trains or signalling systems should not be based on their 30-year operational lifecycle; it should instead be aligned with the shorter period during which their operating environment and the essential third-party components that deliver core functionality remain available and supported.
In summary, Swedtrain supports the objectives of the CRA but sees a need for flexibility and sector-specific adaptation.