On 15 September 2022, the European Commission published its proposal for a regulation on horizontal cybersecurity requirements for products with digital elements. This draft of the Cyber Resilience Act (CRA), available here, introduces non-sector specific mandatory cybersecurity requirements for products with digital elements, throughout the entire lifecycle of a product.

The draft CRA’s main objective is to reduce the increasing threat of cybercrime, which currently holds an estimated global annual cost of EUR 5.5 trillion. The potential spill over effect of cybercrimes across borders in the European single market demands harmonised rules and obligations on product safety, monitoring and enforcement procedures.

Products with digital elements

The wide scope of the draft CRA covers all products with digital elements, and specifically “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately … whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”. This includes both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces and any other type of software interface.

Products and services subject to sectoral legislation fall outside of the CRA's scope. These include Software-as-a-Service (SaaS), medical devices, in vitro diagnostic medical devices, motor vehicles, products used exclusively for national security or military purposes or designed specifically to process classified information.

According to the draft CRA, the category of critical products with digital elements are products that require an overall higher level of security and scrutiny. These are defined in Annex III of the CRA as products with digital elements such as password managers, antivirus software, VPNs, remote access/sharing software, mobile device management software, operating systems, firewalls, microprocessors, routers, crypto processors, smartcards and smart meters.

Obligations of the manufacturers

Manufacturers that place products with digital elements on the EU market must ensure compliance with essential security requirements, undertake an assessment of cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account for the planning, design, development, production, delivery and maintenance phases of the product (i.e. “security by design”). Essential security requirements include:

  • a secure by default configuration, including the possibility to reset the product to its original state;

  • protecting the integrity and confidentiality of stored, transmitted or otherwise processed data (personal or other) by encrypting while at rest and in the transit of data;

  • processing only data (personal or other) that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (i.e. minimisation of data);

  • a limitation of attack surfaces, including external interfaces;

  • ensuring that vulnerabilities can be addressed through security updates without delay.

Manufacturers must also put in place processes to:

  • identify and document vulnerabilities and components contained in the product;

  • address and remediate vulnerabilities without delay, including by providing security updates;

  • apply effective and regular tests and reviews of the security of the product;

  • publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, the impacts of the vulnerabilities and their severity.

Manufacturers can conform with these essential requirements by using the internal control procedure established in the CRA. In case of critical products with digital elements, conformity can be assessed by using the EU-type examination procedure or the conformity assessment based on full quality assurance, specified by the CRA.

Manufacturers must also provide basic instructions about the cybersecurity of the product in a clear, understandable, intelligible and legible manner, in electronic or physical form and in a language easily understood by users. Instructions must include:

  • basic identification and contact information of the manufacturer;

  • the intended use of the product, including the security environment provided by the manufacturer;

  • any known or foreseeable circumstance, which may lead to significant cybersecurity risks;

  • the type of technical security support offered by the manufacturer and until when it will be provided;

  • detailed instructions on how security-relevant updates can be installed and the secure decommissioning of the product, including information on how user data can be securely removed.

Manufacturers must notify ENISA of any actively exploited vulnerability of the product with digital elements and any incident having impact on the security of the product within 24 hours of becoming aware of it.

Obligations of other economic operators

If importers and distributors place a product with digital elements on the market under their own name or trademark or carry out a substantial modification of the product with digital elements already placed on the market, they have the same obligations as manufacturers. (Substantial modification is a change in the product, which affects compliance with the essential requirements set out in Section 1 of Annex I or results in a modification of the intended use for which the product has been assessed.

Monitoring and enforcement

Member states must designate one or more market surveillance authorities to ensure the implementation of the CRA. Market surveillance authorities are empowered to conduct simultaneous coordinated control actions (i.e. “sweeps”) of particular products with digital elements or categories, as coordinated by the Commission.

For non-compliance with essential cybersecurity requirements, market surveillance authorities may impose administrative fines of up to EUR 15 million or, if the offender is an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Application

It is now up to the European Parliament and the Council to examine and pass the draft CRA. Once adopted, the CRA will be applicable in the market two years after its entry into force, except for the reporting obligation of manufacturers for actively exploited vulnerabilities and incidents, which will apply one year from the date of entry into force.

Article co-authored by Anna Horvath and Janos Balint.