The EU has just unveiled its proposal on Cyber Resiliency which will also capture IOT. As set out in the Communication ‘Shaping Europe’s digital future’, it is crucial for the EU to reap all the benefits of the digital age and to strengthen its industry and innovation capacity, within safe and ethical boundaries. The EU in turn sets four pillars: data protection, fundamental rights, safety and cybersecurity, as essential pre-requisites for a society empowered by the use of data.
Following the New Legislative Framework, the new proposal on a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 will introduce cybersecurity requirements for ‘products with digital elements’ to be put on the EU internal market. Both hardware and software are included under the rationale that when everything is connected, everything is vulnerable. This new proposed regulation will be called the Cyber Security Resilience Act.
This proposed regulation lays down (a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products; (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity; (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes; (d) rules on market surveillance and enforcement of the above-mentioned rules and requirements.
This proposed regulation is coherent with the current product-related and risk based approach in the recent EU regulatory framework, including the recent legislative proposals for a regulation on Artificial Intelligence. The same elements of conformity assessments, notifying bodies and notifying authority as well as market surveillance authority also find their place in this proposed regulation. A dedicated administrative cooperation group (ADCO) is also being suggested for the uniform application of the Regulation.
The proposed regulation in turn will apply to all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The proposed regulation addresses risks in a targeted manner similar to what we find in the proposed AI Act. Critical products with digital elements shall be subject to specific conformity assessment procedures and shall be divided into class I and class II as set out in Annex III of the regulation, reflecting their cybersecurity risk level, with class II representing a greater risk. A product with digital elements is considered critical and therefore included in Annex III taking into account the impact of potential cybersecurity vulnerabilities included in the product with digital elements.
Let’s now touch briefly on some non applicability of the said proposed regulation. The proposed regulation does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. The proposed regulation will not apply to products with digital elements within the scope of Regulation (EU) 2017/745 (medical devices for human use and accessories for such devices) and Regulation (EU) 2017/746 (in vitro diagnostic medical devices for human use and accessories for such devices). It will also not apply to products with digital elements that have been certified in accordance with Regulation 2018/1139 (high uniform level of civil aviationsafety), nor to products to which Regulation (EU) 2019/2144 applies (on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles). It will likewise not apply to products with digital elements developed exclusively for national security or military purposes or to products specifically designed to process classified information.
Products with digital elements under the proposed regulation should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. Under the proposed regulation there is also a strong emphasis to avoid overlapping. As a matter of fact we find specific provisions as well to dovetail with the proposed AI Act as well as with the Cybersecurity Act which establishes a voluntary European cybersecuritycertification framework for ICT products, processes and services. There are also some transitionary measures which are being proposed.
So what are the next steps ? It is now up to the European Parliament and the Council to examine the proposed Cyber Resilience Act. Once the proposal is adopted and enters into force, as the current draft stands, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the entry into force, since they require fewer organisational adjustments than the other new obligations.