The European Commission recently proposed the EU Cyber Resilience Act, a regulation on cybersecurity requirements for products with digital elements. The proposal introduces wide-ranging technical and governance measures that need to be implemented by the manufacturers of such products in the design and development phase and throughout their lifecycle, and carries potentially hefty fines for non-compliance. It forms one of several EU cybersecurity laws and initiatives that are currently being negotiated and finalised as part of broader efforts to shape the EU’s digital strategy. This particularly includes the broader cybersecurity governance requirements proposed under the NIS 2 Directive, which is intended to apply to critical industries, the DORA regulation for the financial services industry and the EU Cybersecurity Act.
Rules for products with digital elements
What constitutes a ‘product’ that falls within the scope of the Act is very broadly defined and includes any form of software or hardware that is intended to be, or will reasonably foreseeably be, connected to a network or another device.
Certain products are however excluded from the scope of the proposal, such as medical devices subject to the Medical Devices Regulation, or products developed exclusively for national security or military purposes.
Security requirements for EU market access of software and hardware
The proposal’s core purpose is to set a minimum cybersecurity standard for the development of software and hardware products, with specific obligations for different actors within the supply chain. Manufacturers (including developers) of relevant products are subject to the most significant obligations and they will be expected to ensure that their products meet essential cybersecurity requirements. These requirements primarily comprise a set of technical standards which sit alongside other organisational and governance requirements. A focus on risk assessment and management principles is central to the proposal’s approach, along with careful attention to vulnerability management and disclosure. Specifically, under the proposal products must be:
Subject to an assessment of the cybersecurity risks associated with that product.
Taking into account the risks identified, designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks, including through, where applicable, the implementation of certain essential technical measures.
Delivered without any known exploitable vulnerabilities and subject to appropriate policies and procedures to detect and remediate potential vulnerabilities.
Accompanied by security information and instructions to provide transparency to the user of the product.
Manufacturers must also carry out a conformity assessment procedure. Depending on the type of product (i.e., whether it is considered "regular" or "critical" in nature) and on whether harmonised standards, common specifications or European cybersecurity certification schemes are followed, different procedures for demonstrating conformity apply. Manufacturers must ensure that their product bears a CE marking, conduct vendor due diligence if they use parts from third parties, and document their actions. To ensure security throughout the life cycle of the product, manufacturers must have in place processes for vulnerability handling, including addressing and remediating vulnerabilities, and for reporting detected exploited vulnerabilities or security incidents to both ENISA (the European Union Agency for Cybersecurity) and the user.
Importers may only import products that comply with the minimum requirements. Importers are required to verify that the manufacturer has conducted the conformity assessments and has the correct technical documentation, and that the product has the correct certification.
Distributors are to ‘act with due care’ in relation to the requirements under the proposal. They have an obligation to verify that the product bears the CE marking and that the manufacturer and importer have complied with their obligations.
Non-compliance with the essential cybersecurity requirements shall be subject to administrative fines of up to 15,000,000 EUR or up to 2.5 percent of an economic operator's total worldwide annual turnover for the preceding financial year, whichever is higher.
Supervision and enforcement of the standards set out in the Act is in the hands of market surveillance authorities that are expected to be appointed by each EU Member State. In the event of non-compliance, such authorities may require the relevant operator to take all appropriate corrective actions to bring the product into compliance with the requirements of the Cyber Resilience Act, to withdraw it from the market, or to recall it within a reasonable period.
The EU Parliament and Council will now review the proposal and discuss possible amendments. Once agreed and adopted by the EU legislator, the Cyber Resilience Act is intended to apply after two years. An exception is foreseen for the vulnerability notification obligation, which will apply one year after adoption. Transitional rules are foreseen for certain products, such as those that already obtained a certificate or approval decision for cybersecurity requirements and that are subject to other EU legislation, or that have been placed on the market before entry into application of the Cyber Resilience Act.