Jochen Friedrich is Technical Relations Executive at IBM and a key figure in European standardisation. With extensive experience from organisations such as ETSI, ECMA International and the German DIN, he has long been at the table where the framework for the digital future is shaped.
In this interview, he shares his views on how the new EU regulation, the Cyber Resilience Act (CRA), will impact the industry, why standardisation and innovation do not have to be at odds – and the role open source will play in the new security landscape.
Article in summary:
- Jochen Friedrich, IBM, on the EU Cyber Resilience Act (CRA)
- CRA’s impact on cybersecurity, digital innovation and open source
- The importance of lifecycle responsibility in software
- Europe’s role in shaping digital regulation
- CRA as an opportunity to build global digital trust
Standardisation as a driver for digital innovation?
Many see regulation as pushing the brakes on technological development. But there are good reasons to challenge that view, says Jochen.
– Just look at the internet and the web. The entire ecosystem was built on open, common standards such as:
- HTTP (for communication between client and server)
- HTML and CSS (for structuring and styling web pages)
- URLs (for identifying and locating resources).
These standards were developed by W3C (World Wide Web Consortium) and other open forums, and most importantly: they were free to use and openly documented.
– But timing is critical. If you standardise too early, before there is a market need or the technology is mature enough, you risk locking in innovation and preventing better solutions from emerging, he adds.
When it comes to the CRA, there is some concern, particularly among the open-source community. Many volunteer-driven open-source projects simply lack the resources or structures to meet the CRA’s requirements.
However, Jochen points out that most of the CRA requirements are already best practice in serious software projects – for example within the OpenSSF, under the Linux Foundation, where secure development, vulnerability handling and proper licensing are already core priorities.
– Personally, I’m not too worried that CRA will stifle innovation. It might take some adjustment, but the community is engaging and learning how the system works, he says.
– If we do this right, CRA can even help build trust. Imagine a CE mark for software that signals that key cybersecurity aspects have been addressed. That could make a real difference, especially for small and medium-sized enterprises.
Open-source in light of CRA – responsibility and trust
– There is an exemption for non-commercial open-source projects in CRA, and that is good. But as soon as that code is used in commercial products, the company has to take responsibility, says Jochen.
– You can no longer just take code from GitHub and hope for the best. If you use it in your product, you own it and you are responsible for it.
Jochen sees a mindset shift coming, where CRA formalises and sharpens the focus on responsible open-source use.
– I believe we will see a growing demand for ‘trusted’ open source – projects with clear licensing, active maintenance and structured governance. In the long run, he argues, this will strengthen the entire ecosystem.
Cyber Resilience Act from an international perspective
When the CRA is discussed in a global context, questions arise about how European rules influence the rest of the world.
– Some wonder why Europe is even regulating this area, but we have had similar systems in the manufacturing sector for decades. It has never been a problem there. What’s different now is that Europe is not leading in IT – the hyperscalers are elsewhere. But we are still a major market, says Jochen.
He points to the so-called Brussels Effect – a concept describing how EU regulations achieve global reach without being formally mandatory. Companies that want to sell into Europe often choose to align with EU requirements globally. In this way, European legislation, such as the CRA, can have a significant international impact even though it formally applies only within the EU.
At the same time, Jochen warns that Europe cannot afford to be complacent. With the leading players in digital development based outside the EU, Europe must remain vigilant. Otherwise, there is a risk that the pace of innovation will be set elsewhere – despite Europe’s strong role in shaping standards and regulations.
CRA 2027 – from challenge to opportunity
11 December 2027 marks a milestone for European cybersecurity. That is when the Cyber Resilience Act (Regulation (EU) 2024/2847) becomes fully applicable, reshaping how digital products are developed, sold, and maintained on the EU market. Note that the obligation to report actively exploited vulnerabilities and severe incidents applies earlier, from 11 September 2026.
According to Jochen Friedrich, the main challenge is not implementing individual security features, but understanding the big picture and embedding security throughout the entire product lifecycle.
– Many companies have not yet fully grasped what CRA requires. It’s not just about adding security features. You need solid processes in place – for vulnerability handling, SBOM (Software Bill of Materials), incident reporting and full lifecycle responsibility, he says.
For global companies, CRA also raises a strategic question: should they adapt to different regulatory frameworks in different regions – or choose the strictest standard globally?
Many large players are opting for the latter. But for small and medium-sized companies, the demands could be much more challenging – both in terms of resources and ways of working.
– It’s not just developers who are needed. You need legal experts, compliance officers, product managers – the whole organisation has to start thinking differently, says Jochen.
In the long term, however, he sees great potential. If CRA is implemented properly, it could become a recognised mark of quality – similar to what the CE marking represents for physical products.
– You might not read all the technical documentation, but you know there’s a process behind it. That creates trust, he says.
If CRA succeeds, it could not only raise cybersecurity standards, but also help strengthen Europe’s digital internal market – and, as Jochen puts it, “this helps Europe strengthen its digital sovereignty through control and choice.”
Engagement as the key
Jochen Friedrich looks forward to continuing to strengthen cooperation between industry, authorities, the open-source community and academia, through ongoing involvement in organisations such as ETSI. And he encourages more people to get involved.
Standardisation may not always be in the spotlight – but it fundamentally shapes our digital lives. As cybersecurity, interoperability and sustainable technology become ever more important, so does the need to engage where the direction is set.
– You don’t have to be a lawyer or an engineer. We need many different skills! Translators, coordinators, communicators – if you’re curious and willing to help shape the future of ICT, you can make a real difference, Jochen concludes.
Want to contribute to the future of digital infrastructure? Learn more about ITS working groups and how you can get involved.