Commission presents Cyber Resilience Act targeting Internet of Things products – EURACTIV.com

The Commission on Thursday (15 September) presented its proposal for a Cyber Resilience Act, legislation aiming to address vulnerabilities in connected devices through a security-by-design approach.

Following the New Legislative Framework (NLF), the Cyber Resilience Act (CRA) will introduce cybersecurity requirements for “products with digital elements” to be put on the EU internal market. Both hardware and software are included under the rationale that when everything is connected, everything is vulnerable.

In addition to requirements on the security properties of the product and on vulnerability handling, there are also transparency and user information specifications, as the CRA is intended to enhance consumer trust and confidence in the products.

“This is a major deliverable in our security union agenda. Because it closes a real, important gap in our legal framework,” Commission Vice-President Margaritis Schinas said at a press conference.

This legislation shifts the focus from the security of services to the security of products “to protect both consumers and businesses from products that have inadequate security features,” Schinas added, as manufacturers will have to ensure that they put digitally secure products on the market.

Data from the EU Agency for Cybersecurity (ENISA) shows that in 2021, global ransomware reached approximately €20 billion worth of damages. The urgency of the problem is also demonstrated by the fact that in 2021, a corporate ransomware attack occurred about every 11 seconds.

The goal of this legislative file is not only to regulate the internal market but to become an “international point of reference”, Schinas pointed out.

A complementary file

The CRA is not the first EU legislative file to address cybersecurity; rather, it aims to complement preceding texts such as the AI Act, the Cybersecurity Act and the Network Information Security 2 (NIS2) Directive.

Software-as-a-Service (SaaS), as covered by the NIS2 Directive, will not be targeted, nor will free and open-source software if not developed or supplied for commercial use.

A non-paper by Denmark, Germany and the Netherlands, seen by EURACTIV, proposed that SaaS should also be included and that it should not matter whether products are offered for consumer or business purposes.

The non-paper, dated 13 September, pushes for stricter cybersecurity requirements for all digital products, processes and services based on different levels of assurance, regardless of whether they are meant for consumer or industrial use.

Other products that will be excluded from the scope are medical devices and motor vehicles, because sector-specific legislation is already in place for them. For the three countries at hand, the new cybersecurity law would be horizontal legislation on which sector-specific legislation would build as lex specialis.

Lifecycle and implementation

Manufacturers must ensure for the expected product lifetime or for five years after being placed on the market, whichever is shorter, that vulnerabilities are handled effectively.

According to Iva Tasheva, a cybersecurity expert at CyEn consultancy, it might be difficult to set a one-period-fits-all in stone, considering the regulation’s wide scope. A possible solution could be choosing a risk-based approach for support period commitment, Tasheva suggested.

Once adopted, economic operators and member states will have two years to adapt to the new requirements. The obligation to report actively exploited vulnerabilities and incidents will already apply after 12 months.

Reporting period

Manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours if becoming aware of any actively exploited vulnerability in the product or any incident with security impacts.

This might sound familiar, as the NIS2 Directive also requires incident reporting within 24 hours. However, earlier this year, the head of ENISA said that the reporting system was too bureaucratic and “does not work”.

“This remains challenging, especially with the broad CRA scope, where any product that is actively exploited, even with no major risk linked to it, would have to be notified,” Tasheva said.

The reporting could open the door for over-notification and create a non-compliance risk for manufacturers, especially because the incident reporting requirement would be effective after 12 months already, Tasheva added.

Too much too soon?

While the proposal is a significant step forward for DIGITALEUROPE, a Brussels-based digital technology industry association, the association fears it might include too much too soon.

It is tangible products that suffer from most legislative overlap and incoherence, and this is where most protection gaps can be remedied. Including all software, on the other hand, would be premature and risks not achieving the expected benefits, Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE, told EURACTIV.

The focus should be on achieving practical results in times when both industry and governments are “struggling with stretched cyber resources”, Bonefeld-Dahl added.

Two classes

The Federation of German Industries (BDI) welcomed that the Commission distinguishes between product categories and their security requirements. Iris Plöger, a member of the BDI’s Executive Board, said that critical infrastructure and everyday products, such as a smart TV, should not be put into the same category.

While all products with digital elements under the CRA shall bear the CE marking, the difference between the assurance levels of critical products lies in the conformity assessment procedure.

For critical class I products, such as network management systems, the manufacturer may carry out the conformity assessment under its own responsibility. For products classified as critical class II, such as public key infrastructure and digital certificate issuers, a third party should be involved in the conformity assessment.

Luca Bertuzzi contributed to the reporting.

[Edited by Luca Bertuzzi/Nathalie Weatherald]
