On September 15, 2022, the European Commission presented its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”). According to the European Commission, the Cyber Resilience Act will be the first EU-wide legislation introducing “cybersecurity requirements for products with digital elements, throughout their whole lifecycle.”
New Cybersecurity Requirements for Organizations
If approved, the Cyber Resilience Act will bring mandatory and European-wide cybersecurity requirements to design, develop, produce and place secure products with digital elements on the market, including:
- Designing, developing and producing products in such a way that they ensure an appropriate level of cybersecurity based on the risks;
- Delivering products without any known exploitable vulnerabilities;
- Protecting the confidentiality and integrity of stored, transmitted or otherwise processed data;
- Processing only data that are adequate, relevant and limited to what is necessary in relation to the intended use of the product;
- Ensuring that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users; and
- Complying with specific rules for handling vulnerabilities.
The Cyber Resilience Act also includes new reporting obligations for manufacturers. Under the Cyber Resilience Act, any actively exploited vulnerability or any incident having an impact on the security of the product must be notified to the European Union Agency for Cybersecurity (“ENISA”) within 24 hours of the manufacturer becoming aware of it. Users should also be notified without undue delay, and corrective measures to mitigate the impact of the vulnerability should be suggested.
The largest number of obligations under the Cyber Resilience Act falls upon manufacturers. However, authorized representatives, importers and distributors will also have new responsibilities. In particular, new obligations will fall on importers and distributors if they place a product on the market under their own name or trademark, or substantially modify the product.
In addition to regular products with digital elements, the Cyber Resilience Act considers certain products to be “critical products with digital elements,” including, among others, Internet browsers, antivirus software, operating systems, industrial automation and control systems, and microprocessors. These products are subject to stricter conformity assessment procedures. A further category of “highly critical products with digital elements” may also be established by the European Commission, for which manufacturers may be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to the EU Cybersecurity Act.
Failure to comply with the Cyber Resilience Act may result in strict penalties:
- Infringements of the essential cybersecurity requirements set forth under Annex I and manufacturers’ obligations (including reporting obligations) set forth under Articles 10 and 11 may result in administrative fines of up to €15 million or, in the case of an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
- Supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities may result in administrative fines of up to €5 million or, in the case of an undertaking, up to 1% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
- Other infringements of the requirements of the Cyber Resilience Act may result in administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Member States also may establish supplementary penalties that must be effective, proportionate and dissuasive.
In addition, Market Surveillance Authorities (and, in exceptional cases, the European Commission) may order non-compliant products to be brought into compliance, withdrawn from the market or recalled. Cooperation between Market Surveillance Authorities is also fostered through a framework for joint activities and simultaneous coordinated control actions (i.e., sweeps).
If the proposal is approved by the European Parliament and Council in its current wording, organizations will have two years to adapt to the new requirements, with the exception of the rules regarding the reporting of vulnerabilities and incidents, which will apply one year after the Cyber Resilience Act enters into force.