Ensuring cyber resilience for connected products
The European Commission’s proposed new Cyber Resilience Act (“CRA”) sets out cybersecurity requirements for products with digital elements, such as IoT products, operating systems and mobile apps.
With the European Commission estimating that the annual global cost of cybercrime now amounts to an eye-watering €5.5 trillion, the CRA is part of a growing framework of legislation designed to help combat cybercrime and will complement other key cyber legislative developments (e.g. NIS 2 which we discussed in another recent briefing).
New Cyber Resilience Act
In order to address widespread vulnerabilities and insufficient security updates in smart devices and similar technology, the European Commission released its proposal for a regulation on horizontal cybersecurity requirements for products with digital elements on 15 September 2022. The CRA will be the first EU-wide legislation to introduce cybersecurity requirements for products with digital elements throughout their whole lifecycle, that is to say, from the product design phase through to obsolescence. The CRA will also enshrine a security by design approach in legislation, create a vulnerability handling framework and include market surveillance rules.
What products and what entities are affected?
The CRA is focussed on products with digital elements, which includes software or hardware products with an ability to remotely process digital data. In other words, certain software and hardware products that can connect to the internet will be covered by the CRA. Such products will include IoT products like connected appliances and toys, as well as software products like browsers, password managers and apps that meet the criticality threshold discussed below. It does not cover SaaS services, except where a SaaS service performs a function as part of a connected product, in which case that product and the data processing provided by the SaaS service would be covered.
Hardware manufacturers and software developers will be the parties subject to the most extensive obligations under the CRA, but distributors and importers will also be subject to certain obligations.
What are the main obligations?
- Cyber security by design: Manufacturers must improve the security of products with digital elements from the design and development phase throughout the whole lifecycle to obsolescence, including by releasing timely security updates. The CRA also clarifies that where a lack of safety results from a lack of security updates after the product is placed on the market, and this causes damage, the liability of the manufacturer could be triggered under the EU Product Liability Directive, which is currently being revised.
- Vulnerability management: Manufacturers must ensure that all of their products are delivered without any known exploitable vulnerabilities, and they must put in place coordinated vulnerability disclosure procedures or “bug bounty” programmes. In terms of notification, the manufacturer has a 24-hour period to notify ENISA (the EU’s Cybersecurity Agency) of any actively exploited vulnerability contained in the product with digital elements, or of any security incident affecting the product. Importers and distributors should also notify known vulnerabilities to the manufacturer.
- Market surveillance: Manufacturers will be required to provide information on compliance with the CRA to a market surveillance authority (at present, it is not clear which entity will fulfil this role in Ireland). It is also suggested that manufacturers disclose fixed vulnerabilities to the European vulnerability database to be established under the NIS 2 Directive and managed by ENISA.
Will these obligations apply to all products?
No. The majority of products with digital elements, including everyday software applications, speakers and hard drives, are unlikely to reach the risk threshold required to be labelled a “critical” product with digital elements.
The obligations in the CRA mainly apply to these “critical” products with digital elements, which are divided into:
- Class I products which represent a lower risk in the event of a security incident, such as password managers, firewalls, network traffic management systems; and
- Class II products which represent a greater risk, such as server operating systems and central processing units or CPUs.
Both classes require a technical assessment. Class I products may be self-assessed by the manufacturer or assessed by a third party to ensure they meet certain essential security requirements, including that the products are delivered with a ‘secure by default’ configuration and are protected from unauthorised access by appropriate control mechanisms. Class II products must undergo a conformity assessment by an authorised third party, focussing more on the technical design and development of the product and the vulnerability handling processes put in place by the manufacturer.
The European Commission is welcoming feedback on the CRA until mid-January 2023. The current draft of the CRA provides that, upon its enactment, organisations will have 24 months to comply, except for the vulnerability reporting requirements, which will apply 12 months after the CRA comes into force. This means that organisations are unlikely to have to comply with the CRA in the short term, but it will certainly be sensible for relevant organisations to stay apprised of the proposed requirements of the CRA and to start considering in 2023 how their products may need to align with the CRA as it progresses towards a final text.
Focus on cyber
The CRA is only one aspect of the European Commission’s legislative agenda to enhance cyber security and operational resilience across the EU; other important parts of this agenda are NIS II and the Digital Operational Resilience Act (“DORA”). For the latest insight into NIS II and DORA, you can listen to our podcast here:
The authors would like to thank Aidan McDonnell for his contribution to this article.