Reports of high-profile security incidents make headlines daily. Many of these attacks were possible due to vulnerable, poorly-secured software that represents an easy target for threat actors.
The European Commission’s proposed Cyber Resilience Act, published on Thursday, aims to change this by imposing new rules on the people manufacturing, importing and distributing hardware and software products across the EU.
Software developers and digital hardware manufacturers take note: the new rules include obligations to implement “security-by-design”, conduct and document risk assessments, and report vulnerabilities to the EU’s cybersecurity regulator.
And, of course, there are big fines involved, too.
Here’s an overview of the draft EU Cyber Resilience Act.
What problem is the act trying to solve?
Something must be done to improve cybersecurity, says the Commission in the introduction to the draft law, quoting the annual global cost of cybercrime at €5.5 trillion “by 2021” (note that the draft was published on 15 September 2022, so these figures may be out of date).
There are two main problems that the Cyber Resilience Act seeks to address:
-
A low level of cybersecurity across digital products
-
Insufficient understanding of cyber risks among users
The Commission asserts that most hardware and software products “are currently not covered by any EU legislation tackling their cybersecurity”, citing the usual line-up of high-profile security incidents, including Kaseya and WannaCry, as evidence of widespread software vulnerabilities.
The solution depends on the act’s four key objectives:
-
Ensuring manufacturers improve the security of “products with digital elements” (digital products), starting with design and development and throughout the entire product lifecycle
-
Ensuring a coherent cybersecurity framework to facilitate compliance for hardware and software manufacturers
-
Enhancing transparency of security across digital products
-
Enabling businesses and consumers to use digital products securely
How will the act work?
The Cyber Resilience Act will:
-
Set rules cybersecurity rules for digital products
-
Provide essential requirements for the design, development and production of digital products and cybersecurity obligations for “economic operators”
-
Provide essential requirements for manufacturers’ “vulnerability handling processes”
-
Set rules on market surveillance and enforcement
What is in scope?
The scope of the Cyber Resilience Act is “products with digital elements” (we’re using “digital products” as a short-hand), which the act defines as:
“…any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.”
The scope of the act, however, is limited to digital products “whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”.
This means that digital products that are not connected to a network are out of scope.
Some other sorts of digital products are also out of scope, namely those already covered by:
-
The Medical Devices Regulation (Regulation (EU) 2017/745)
-
The In Vitro Devices Regulation (Regulation (EU) 2017/746)
-
The General Safety Regulation (Regulation (EU) 2019/2144
Devices certified under the Civil Aviation Regulation (Regulation (EU) 2018/1139) are also out-of-scope.
The act would also exclude digital products designed “exclusively for national security or military purposes” or “designed to process classified information”.
High-risk AI systems that comply with the EU’s planned AI Act would be deemed to comply with the Cyber Resilience Act.
Essential requirements for digital products
A large part compliance with the Cyber Resilience Act will involve conforming with the “essential requirements” set out in Section 1 Annex 1 of the law.
Here’s an overview of the Cyber Resilience Act’s essential requirements:
-
Products with digital elements must be designed, developed and produced to ensure a risk-approrpriate level of cybersecurity
-
Products with digital elements must be delivered without any known vulnerabilities
-
On the basis of a risk assessment, products with digital elements must:
-
Be “secure by default”
-
Protect against unauthorised access, including via authentication, identity or access management systems
-
Protect the confidentiality of stored data
-
Protect the integrity of data, commands, programmes and configuration
-
Comply with the “data minimisation” principle
-
Protect the availability of essential functions
-
Minimise negative impact on the availability of other services
-
Be designed to limit attack surfaces
-
Include appropriate exploitation mitigation mechanisms
-
Monitor and report on internal activity and access to data
-
Ensure vulnerabilities can be addressed via security updates
-
These requirements would amount to a “security-by-design” requirement for all digital products.
Critical products with digital elements
Much like the draft AI Act’s concept of “high-risk AI systems”, the Cyber Resilience Act distinguishes a particular subset of digital products as “critical products with digital elements”.
The act has a list of products that are “critical” by default, set out at Annex III, separated into “class I” and “class II” products
Some of the noteworthy types of “class I” critical digital products on the list include:
-
Identity and access management (IAM) software
-
Browsers
-
Password managers
-
Antivirus software
-
VPNs
-
Network traffic monitoring software
-
Mobile device management software
And here’s a selection of noteworthy “class II” critical digital products:
-
Operating systems
-
Public key infrastructure
-
Firewalls
-
Smartcards and readers
-
Smart meters
There are many more—the list is too long to reproduce here in its entirety.
The Commission can add more items to the list if they meet certain criteria set out in the act.
What are the legal obligations under the act?
The Cyber Resilience Act applies to “economic operators”, which includes manufacturers, authorised representatives, distributors, importers or “any other natural or legal person” subject to the act.
The act places different obligations on different types of economic operators.
Manufacturers take the lion’s share of Cyber Resilience Act obligations. Here is a selection of some of the key requirements for manufacturers:
-
Ensuring digital products meet the act’s “essential requirements”
-
Undertaking a risk assessment and taking it into account at all stages of the product lifecycle
-
Including a copy of the risk assessment in the product’s documentation
-
Exercising due diligence when including third-party components
-
Documenting vulnerabilities
-
Drawing up technical documentation per the act’s specifications
-
Drawing up an EU declaration of conformity
-
Cooperating with market surveillance authorities
-
Reporting exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours
-
Reporting incidents to users as soon as possible
Importers and distributors of digital products also have obligations, but these mostly relate to conducting due diligence to ensure they are putting compliant digital products on the market.
What are the penalties for non-compliance?
The Cyber Resilience Act would require EU member states to designate a “market surveillance authority” empowered with enforcement of the cyber resilience act.
Penalties for non-compliance with the act vary depending on which provisions have been violated, but here’s the range:
-
1% of annual global revenues or €5 million
-
2% of annual global revenues or €10 million
-
2.5% of annual global revenues or €15 million
As always, it’s “whichever is greater” in each case.
A new age of security compliance
The Cyber Resilience Act makes some common-sense security measures mandatory and should help address long-standing issues with vulnerable software and hardware products.
The “product safety” approach, drawing heavily from the AI Act and overlapping in many places, is not likely to have as broad an impact as the Data Protection Directive or GDPR.
But the many thousands of software developers that find themselves “manufacturers of digital products with critical elements” may find that they are held to a much higher standard once the law takes effect.
No comments yet