On 15 September 2022, the European Commission published its proposal for a new Regulation that sets out cyber security related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).
Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021. The CRA introduces common cyber security rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software. The rules seek to ensure that: (i) connected products and software placed on the EU market are more secure; (ii) manufacturers remain responsible for cyber security throughout a product’s life cycle; and (iii) consumers are properly informed about the cyber security properties of the products that they buy and use.
Such products suffer from two major problems adding costs for users and society:
While existing internal market legislation applies to certain products with digital elements, most hardware and software products are currently not covered by any EU legislation addressing their cyber security. In particular, the current EU legal framework does not address the cyber security of non-embedded software, even though cyber attacks increasingly target vulnerabilities in such products, causing significant societal and economic costs.
Two main objectives were identified aiming to ensure the proper functioning of the internal market:
To combat these growing cyber security costs and address vulnerabilities, the Commission notes four specific goals for the Cyber Resilience Act:
Torquil Macleod, Director and Founder of Via Resource states, “many of the essential cyber security requirements simply mirror good practice and therefore many companies will not have significant work to do in this regard. The only two complex pieces are:
As the UK is no longer a member of the EU, it will not be bound by the new rules. However, the UK is in the process of passing a similar piece of legislation called the Product Security and Telecommunications Infrastructure Bill (PSTIB). The PSTIB is currently at the report stage in the House of Lords meaning that the Bill has almost completed its legislative passage. The PSTIB includes a power for the Secretary of State to specify security requirements relating to relevant connectable products and places obligations on manufacturers, importers and distributors about those security requirements. Sanctions for non-compliance with the PSTIB are similarly high, up to the greater of £10 million or 4% of worldwide revenue over the most recent complete accounting period.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cyber security requirements will affect their manufacturing and distribution processes. Whilst most of the obligations will come into effect 24 months after entry into force, manufacturers will have only twelve months to comply with the CRA’s reporting obligations.