The European Cyber Resilience Act
On 15 September 2022, the European Commission published its proposal for a new Regulation that sets out cyber security related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).
Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021. The CRA introduces common cyber security rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software. The rules seek to ensure that: (i) connected products and software placed on the EU market are more secure; (ii) manufacturers remain responsible for cyber security throughout a product’s life cycle; and (iii) consumers are properly informed about the cyber security around the products that they buy and use.
Such products suffer from two major problems adding costs for users and society:
- A low level of cyber security, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.
- An insufficient understanding and access to information by users, preventing them from choosing products with adequate cyber security properties or securely using them.
While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cyber security. In particular, the current EU legal framework does not address the cyber security of non-embedded software, even if cyber security attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.
Two main objectives were identified aiming to ensure the proper functioning of the internal market:
- Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle.
- Create conditions allowing users to take cyber security into account when selecting and using products with digital elements.
To combat these growing cyber security costs and address vulnerabilities, the Commission notes four specific goals for the Cyber Resilience Act:
- To ensure manufacturers improve the cyber security of covered products throughout the whole life cycle.
- To create a single, coherent framework for cyber security compliance in the EU.
- To increase the transparency of cyber security practices and properties of products and their manufacturers.
- To provide consumers and businesses with secure products ready for use.
Torquil Macleod, Director and Founder of Via Resource states, “many of the essential cyber security requirements simply mirror good practice and therefore many companies will not have significant work to do in this regard. The only two complex pieces are:
- Working out which type of conformity assessment products may require and producing/updating a raft of policies, procedures and other documentation required by the CRA.
- Reporting obligations under the CRA will add burden to companies already facing reporting requirements under data protection law, the NIS Directive and other sector-specific legislation. Reporting obligations placed on distributors and importers may also create tension in the supply chain and during contract negotiations as manufacturers will undoubtedly be nervous about distributors and importers reporting products’ potential vulnerabilities to market surveillance authorities.”
Subscribe To Our Newsletter
What about the UK?
As the UK is no longer a member of the EU, it will not be bound by the new rules. However, the UK is in the process of passing a similar piece of legislation called the Product Security and Telecommunications Infrastructure Bill (PSTIB). The PSTIB is currently at the report stage in the House of Lords meaning that the Bill has almost completed its legislative passage. The PSTIB includes a power for the Secretary of State to specify security requirements relating to relevant connectable products and places obligations on manufacturers, importers and distributors about those security requirements. Sanctions for non-compliance with the PSTIB are similarly high, up to the greater of £10 million or 4% of worldwide revenue over the most recent complete accounting period.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cyber security requirements will impact their manufacturing and distribution processes. Whilst most of the obligations will come into effect 24 months after entry into force, manufacturers will only have twelve months to comply with the CTA’s reporting obligations.