The impending EU cyber resilience rules will become relevant for manufacturers, importers and distributors of products with digital elements, often referred to as connected products. This follows the EU reaching an agreed position on the EU Cyber Resilience Act (CRA). At the time of writing the rules were expected to apply from mid-2025; the Regulation as adopted (Regulation (EU) 2024/2847) applies in full from 11 December 2027 to products placed on the EU market, with manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents applying from 11 September 2026.
The aim is to ensure that products with digital elements placed on the market, sold or used in the EU have fewer security vulnerabilities, and that cybersecurity is considered in the design of the product and throughout its lifecycle, rather than only at launch.
To achieve this, obligations are placed on every level of the supply chain. The Act is designed to cover products that currently have no sector-specific cybersecurity rules (motor vehicles and medical devices, for example, already have their own regimes and are excluded). It will be relevant for items such as home cameras, smart TVs, smart fridges and nanny cams, and more generally for any hardware or software product, whether standalone or embedded in another product, that connects directly or indirectly to a device or network.
The need to know
In the National Cyber Security Centre (NCSC) Annual Review, the Director of Operations warned, “in the coming years, the NCSC anticipates that the proliferation and commercial availability of cyber capabilities will expand the cybersecurity threat to the UK.” The UK Government estimates that across all UK businesses, there were approximately 2.39m instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months.
Which part of the supply chain does it impact? Manufacturers face the greatest number of requirements, but importers and distributors also have obligations, notably a due diligence duty to check the products they handle. UK businesses will be affected to the extent that products they manufacture or export are sold or supplied into the EU.
For manufacturers, this will involve ensuring that the product meets the essential cybersecurity requirements, which are set out in Annex I to the legislation. The product must be designed, developed and produced so that it:
- Ensures an appropriate level of cybersecurity based on the risks
- Creates products without any known exploitable vulnerabilities
- Involves undertaking risk assessments
- Is delivered with a secure by default configuration, including the ability to reset the product to its original state
- Protects against unauthorised access through appropriate control mechanisms, such as authentication, identity or access management systems, and reports on possible unauthorised access
- Protects the confidentiality of stored, transmitted or otherwise processed data (personal or other), for example by encrypting relevant data at rest and in transit using state-of-the-art mechanisms
- Considers the integrity of stored, transmitted or processed data, (personal or other) and has safeguards against any manipulation or modification not authorised by the user, as well as reporting on corruptions
- Processes only data that is adequate, relevant and limited to what is necessary in relation to the intended use of the product (minimisation of data), and
- Protects the availability of essential functions, including the resilience against and mitigation of denial of service attacks.
Vulnerability handling requirements
For manufacturers this will mean ensuring that vulnerabilities can be addressed through security updates, including, where appropriate, automatic updates and notification of available updates to users. Other requirements include:
- Identifying and documenting the vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format
- Addressing and remediating vulnerabilities without delay, including by providing security updates
- Applying effective and regular tests and reviews of the security of the product with digital elements
- Once a security update has been made available, publicly disclose information about fixed vulnerabilities
- Implementing a coordinated vulnerability disclosure policy and mechanisms to securely distribute updates to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner
- Ensuring that, where security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken
Due diligence regime
For importers and distributors, the due diligence regime means that before placing a product on the market, or making it available, they must verify that the manufacturer has carried out the appropriate conformity assessment procedure, that the product bears the CE marking, and that the required technical documentation and user instructions accompany it. An importer or distributor that has reason to believe a product does not meet the essential requirements must not place it on the market until it does.
Fines and oversight
Compliance will be overseen at both the member state level and EU level. Penalties for non-compliance include fines and corrective or restrictive measures, such as recall or withdrawal of products from the relevant market. For manufacturers, the potential fines are highest; breaches of essential requirements, conformity assessment and reporting obligations may result in administrative fines of up to €15,000,000 or 2.5% of annual global turnover, whichever is higher. For importers and distributors, there could be administrative fines of up to €10,000,000 or 2% of the annual global turnover, whichever is higher.
The UK cybersecurity horizon
Regulators are moving to address the changing cybersecurity landscape. For example, the UK has also published the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which apply to "relevant connectable products" from 29 April 2024. Businesses selling into both the EU and UK markets will need to understand and comply with both sets of regulations.
This article was first published by Teiss.