Following Europe’s Digital Decade strategy to improve the security and resilience of the European digital space, the EU has launched a new proposal to “address market needs and protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services”, called the Cyber Resilience Act (CRA).
The proposal's stated objectives are to ensure that manufacturers improve the cybersecurity of covered products throughout their whole life cycle, to create a single coherent framework for cybersecurity compliance in the EU, to increase the transparency of the cybersecurity practices and properties of products and their manufacturers, and to provide consumers and businesses with products that are secure and ready for use.
SCOPE & TREND
Annex III of the CRA proposal splits critical products with digital elements into two categories, Class I and Class II. Class I products carry a lower cybersecurity risk than Class II products, but a higher risk than products in the default (non-critical) category, for which self-assessment by the manufacturer is sufficient. A Class I product can demonstrate conformity by applying harmonised standards, common specifications or a European cybersecurity certification scheme, or by undergoing a third-party conformity assessment, while a Class II product must undergo a third-party conformity assessment. Beyond the IoT devices identified in the Class II list, we believe the future trend will be to extend the scope of applicability to all new software development, with the requirements applied by default inside the Software Development Life Cycle.
The CRA excludes products already covered by sectoral legislation, such as digital products regulated by the Medical Devices Regulation (Regulation (EU) 2017/745), the In Vitro Diagnostic Medical Devices Regulation (Regulation (EU) 2017/746), the Vehicle General Safety Regulation (Regulation (EU) 2019/2144), and the Common Rules in Civil Aviation Regulation (Regulation (EU) 2018/1139). The CRA also does not apply to Software-as-a-Service, unless the service is a remote data processing solution that is integral to a product with digital elements.
The CRA requires companies to address cybersecurity vulnerabilities during the initial design and development of products, a process commonly referred to as security-by-design. Non-compliance with the essential requirements in Annex I or the obligations in Articles 10 and 11 exposes a business to the highest tier of fines: administrative penalties of up to €15 million or 2.5 per cent of its global annual turnover for the previous fiscal year, whichever is higher.
Non-compliance with other obligations within the CRA will lead to administrative fines of up to €10 million or 2 per cent of global annual turnover for the previous fiscal year, whichever is higher.
Supplying market surveillance authorities with incorrect, incomplete, or misleading information in response to a request will lead to a fine of up to €5 million or 1 per cent of global annual turnover for the previous fiscal year, whichever is higher.
Manufacturers must design, develop, and produce covered products in line with the essential requirements in Annex I of the CRA. Importers may only place products on the market that comply with the essential requirements in Annex I and whose manufacturers have put in place the vulnerability-handling processes that Annex I requires.
To show compliance, the manufacturer must undertake a cybersecurity risk assessment, include it in the technical documentation, and indicate, with justification, where specific essential requirements are not applicable to the product.
The CRA creates reporting obligations: a manufacturer must notify the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of “any actively exploited vulnerability contained in the product with digital elements” or “any incident having an impact on the security of the product with digital elements”. In addition, the manufacturer must inform users of the product about the incident without undue delay, including any corrective measures users can take to mitigate its impact.
To comply with the essential security requirements, products with digital elements must be designed, developed, and produced with a level of cybersecurity appropriate to the risks, and delivered without any known exploitable vulnerabilities. In particular, they must:
- Be delivered with a secure-by-default configuration;
- Protect against unauthorised access through appropriate control mechanisms, such as authentication and identity or access management;
- Protect the confidentiality of stored, transmitted, or otherwise processed data, for example by encrypting relevant data at rest and in transit with state-of-the-art mechanisms;
- Protect the integrity of stored, transmitted, or processed data;
- Minimise data collection to only process what is adequate and relevant for the intended use;
- Protect the availability of essential functions, including resilience against denial-of-service attacks;
- Minimise their own negative impact on the availability of services provided by other devices or networks;
- Limit attack surfaces, including external interfaces;
- Reduce the impact of an incident through appropriate exploitation mitigation mechanisms and techniques;
- Record and/or monitor relevant security-related information;
- Allow vulnerabilities to be addressed through security updates, preferably automatic ones, with users notified of available updates.
Manufacturers must do the following to comply with the essential vulnerability-handling requirements:
- Identify and document vulnerabilities and components of the product, including by drawing up a software bill of materials (SBOM);
- Address and remediate vulnerabilities without delay;
- Have regular tests and reviews of their products’ security;
- Publicly disclose information about what vulnerabilities they fix;
- Create and enforce coordinated vulnerability disclosure policies;
- Facilitate information sharing about the vulnerabilities and provide a contact for said reporting;
- Provide mechanisms to distribute updates securely, so that exploitable vulnerabilities are fixed or mitigated in a timely manner;
- Disseminate security patches without delay and free of charge, accompanied by an advisory that explains to users what the patch addresses and any action they need to take.
The CRA contains particular provisions on high-risk artificial intelligence (AI) systems in Article 8 of the proposal. These provisions apply only to high-risk AI systems as defined by the draft AI Act. Products with digital elements that fall within the scope of the CRA, are high-risk AI systems, and fulfil the security-by-design essential requirements of Annex I will be deemed compliant with the cybersecurity requirements of the draft AI Act, insofar as the EU declaration of conformity issued under the CRA demonstrates the required level of protection. For most of these products, the conformity assessment procedure of the AI Act applies, with the notified bodies under that Act verifying conformity. For critical products, that is the Class I and Class II products listed in Annex III, the CRA's own conformity assessment procedures apply to demonstrate compliance with its essential requirements.
National market surveillance authorities, designated by the member states, will enforce the Cyber Resilience Act. They will cooperate with the authorities designated under the NIS2 Directive and under the Cybersecurity Act (Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification). The market surveillance authorities can coordinate with their counterparts in other member states, cooperate with ENISA, conduct coordinated sweeps to check product cybersecurity, and report to the Commission annually.
The CRA proposal is still open for feedback through the EU Commission until 2 January 2023 and should be adopted in the following months.