On 15 September 2022, the European Commission published its proposal for a new Regulation which sets out cybersecurity related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).
The CRA introduces common cybersecurity rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software. The rules seek to ensure that: (i) connected products and software placed on the EU market are more secure; (ii) manufacturers remain responsible for cybersecurity throughout a product’s life cycle; and (iii) consumers are properly informed about the cybersecurity around the products that they buy and use.
The CRA complements the “NIS2 Directive” which is also going through the EU legislative process. The NIS2 Directive will repeal the current directive on security of network and information systems (the NIS Directive) and will amend the rules on the security of network and information systems. In particular, the NIS2 Directive will expand the scope of entities required to comply with its rules, specify minimum technical, operational and organisational measures and streamline incident reporting obligations in order to avoid over-reporting.
- Essential cybersecurity requirements
Products with digital elements (products) will only be allowed on the market where they meet the “essential cybersecurity requirements” which are set out in section 1 of Annex I of the CRA. These security requirements are high level and drafted broadly. They are not novel but rather codify existing good practice. For example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks”.
- Vulnerability handling requirements
Manufacturers of products must also comply with various requirements relating to the handling of vulnerabilities, which are set out in section 2 of Annex I of the CRA. Manufacturers must have appropriate policies and procedures in place to ensure that vulnerabilities are identified and addressed. For example, “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure”.
- Extra requirements for “critical” products
Whilst all products in scope of the CRA must undergo a conformity assessment procedure (i.e. the process of assessing whether the product complies with the relevant requirements – in this case the essential cybersecurity requirements described above), and most may do so by self-assessment, “critical products” must generally undergo a more formal assessment involving a “notified body”: a third-party conformity assessment body designated and notified by a Member State’s national authority. Annex III divides critical products into two “classes”. Class I products include identity management systems software and privileged access management software, password managers, network management systems and network traffic monitoring systems, while Class II products cover operating systems for servers, desktops and mobile devices. Class II products must undergo an assessment of the technical design and development of the product by a notified body (including performance of tests), followed either by the manufacturer’s own assessment of conformity of production or by a full quality assurance assessment carried out by the notified body. Class I products may follow the same third-party routes but may instead rely on self-assessment where they fully apply harmonised standards, common specifications or an EU cybersecurity certification scheme covering the essential requirements. The list of notified bodies will be available centrally on a new electronic notification tool managed by the Commission.
Products which do not fall within the definition of “critical products” may instead be assessed on the basis of the manufacturer’s own internal control, without any involvement of a notified body.
- Conformity of products and information and instructions to users
Chapter III of the CRA provides various conformity requirements that manufacturers of products in scope of the CRA must comply with. An EU declaration of conformity must be provided with the product (in the format set out in Annex IV of the CRA) and the CE mark must be affixed to the product itself or, where that is not possible, to its packaging or accompanying documentation. Where a notified body was involved, the declaration of conformity must include the name and identification number of the notified body which performed the conformity assessment procedure.
“Technical documentation” must also be drawn up before the product is placed on the market. The technical documentation must be continuously updated, where appropriate, during the expected product lifetime or for five years after the product has been placed on the market (whichever is shorter). Annex V to the CRA sets out the precise details of what the technical documentation must contain. This includes a cybersecurity risk assessment and reports of tests relating to the vulnerability handling processes.
Annex II sets out what must be contained in the “information and instructions to the user”. This information must be provided by the manufacturer in clear and understandable language. It includes, amongst other things: a point of contact where information about cybersecurity vulnerabilities of the product can be reported and received; any known or foreseeable circumstance which may lead to significant cybersecurity risks; the type of technical support offered by the manufacturer; and when and how users can expect to receive security updates.
- Reporting obligations
Manufacturers must notify ENISA, without undue delay and in any event within 24 hours of becoming aware, of any actively exploited vulnerability contained in the product or of any incident having an impact on the security of the product. Users must also be notified without undue delay and, where necessary, the manufacturer must provide information about corrective measures that the user can deploy to mitigate the impact of the incident.
- Obligations on the rest of the supply chain
Distributors and importers also have obligations under the CRA. Their obligations aim to ensure that non-compliant products from outside the EU do not make their way onto the EU marketplace. For example, importers are required to ensure, before placing a product on the market, that (i) the appropriate conformity assessment procedures have been carried out by the manufacturer, (ii) the manufacturer has drawn up the technical documentation and (iii) the product bears the CE marking and is accompanied by the relevant information and instructions. They must also inform the manufacturer if they identify a vulnerability in the product, and if the product presents a significant cybersecurity risk they must also inform the relevant market surveillance authorities.
Enforcement and sanctions for non-compliance
The European Union Agency for Cybersecurity (ENISA) will have oversight of the CRA at an EU-wide level. It will receive notifications from manufacturers of actively exploited vulnerabilities and prepare biennial technical reports on emerging trends regarding cybersecurity risks in products.
At national level, the CRA will be enforced by “market surveillance authorities”. These authorities will be designated by national governments and could be a newly created body or an existing one, such as a data protection authority. Market surveillance authorities will have the power to order the withdrawal or recall of a product from the market and to impose monetary penalties of up to the greater of EUR 15 million or 2.5% of total worldwide annual turnover for breaches of the essential cybersecurity requirements.
Entry into force
The CRA will now go through the usual Ordinary Legislative Procedure. Once it has been adopted, organisations and EU Member States will have two years from entry into force to comply with the new requirements. The exception to this rule is the reporting obligation on manufacturers, which will apply one year after entry into force.
What about the UK?
As the UK is no longer a member of the EU, it will not be bound by the new rules. However, the UK is in the process of passing a similar piece of legislation called the Product Security and Telecommunications Infrastructure Bill (PSTIB). The PSTIB is currently at the report stage in the House of Lords meaning that the Bill has almost completed its legislative passage. The PSTIB includes a power for the Secretary of State to specify security requirements relating to relevant connectable products and places obligations on manufacturers, importers and distributors in relation to those security requirements. Sanctions for non-compliance with the PSTIB are similarly high, up to the greater of £10 million or 4 per cent of worldwide revenue over the most recent complete accounting period.
Many of the essential cybersecurity requirements simply mirror good practice, so many companies will not have significant work to do in this regard. The complex piece is working out which type of conformity assessment each product requires and producing or updating the raft of policies, procedures and other documentation required by the CRA. The reporting obligations under the CRA will add to the burden on companies already facing reporting requirements under data protection law, the NIS Directive and other sector-specific legislation. The reporting obligations placed on distributors and importers may also create tension in the supply chain and during contract negotiations, as manufacturers are likely to be nervous about distributors and importers reporting potential vulnerabilities in their products to market surveillance authorities.