On September 15th 2022, the European Commission published the proposal for the Cyber Resilience Act, which will regulate the cybersecurity of all connected devices and software. It will significantly change the European cybersecurity landscape and impact many organizations. This article is an executive summary of the act and related regulations.
What is it about?
The cost of cyberattacks on hardware and software products globally was approximately 5.5 trillion euros in 2021. In the European Commission’s view, such products suffer from two major problems: 1) a low level of cybersecurity and 2) insufficient understanding and access to information by their users.
While other European Union regulation contains provisions for cybersecurity, the cybersecurity of most hardware and software products is currently not regulated. Especially, the cybersecurity of non-embedded software is not addressed. Hence, the Commission proposes the Cyber Resilience Act (CRA) as a horizontal framework for essential cybersecurity requirements for placing products on the market.
The CRA has two objectives: 1) to ensure that products are placed on the market with fewer vulnerabilities and that manufacturers consider cybersecurity throughout a product’s lifecycle and 2) to allow users to take cybersecurity into account when selecting and using the products.
What is the economic impact?
The European Commission estimates that affected companies will see an annual aggregate cost reduction of between 180 to 290 billion euros. The cost reduction is driven by the reduced impact of cybersecurity incidents.
Furthermore, the Commission expects additional compliance costs of up to 29 billion euros for the affected companies. The corresponding turnover is approximately 1485 billion euros, implying a 2% compliance spend.
- Any software or hardware Product connected to a network or another device, whether directly, indirectly (e.g., as part of a system), logically (e.g., through a software interface), or physically (e.g., through a wired or wireless connection).
- Any remote data processing solution that is required for one or more functions of the Product to work.
- Any software or hardware component of the Product that is sold separately.
- Products that are placed on the market before CRA entry into force if their design or intended purpose is substantially modified afterward.
- Effectively, this means every connected software and device.
Out of Scope:
- Medical Devices and In-Vitro Medical Devices. (See Regulation (EU) 2017/745(“MDR”) and Regulation (EU) 2017/746 (“IVDR”).)
- Passenger Vehicles, Trailers, and their components. (See Regulation (EU) 2019/2144 and 2018/858.)
- Aircraft and their components. (See Regulation (EU) 2018/1139.)
- Software as a Service (SaaS), except those that are a “remote data processing solution” or that are within the scope of the NIS2 directive.
- Open-Source Software (OSS), when not part of a commercial product.
- Products exclusively developed for national security and military purposes.
- Products placed on the market before CRA entry into force. (Note: Vulnerability reporting obligations apply to these products too!)
Note: The European Commission may later issue delegated acts to change the scope. These acts may be sector- or product-specific.
How is it related to other European Union regulations?
Regulation (EU) 2019/881 (“Cybersecurity Act”) concerns the cybersecurity of ICT products, services, and processes. It also establishes the European Union Agency for Cybersecurity (“ENISA”). ENISA’s responsibilities are extended by the CRA. Additionally, the Cybersecurity Act establishes the cybersecurity certification scheme, which applies to products classified as “highly critical” under the CRA.
Regulation (EU) 2016/1148 (“NIS”) and the proposed 202/0359(COD) (“NIS2”) concern the cybersecurity of services provided by essential and critical entities (“critical infrastructure”). If used by an entity within the NIS2 scope, a product may be classified as “critical” or “highly critical” under the CRA, which implies more stringent cybersecurity requirements.
The proposed Regulation (EU) 2021/0106(COD) (“AI Regulation”) concerns artificial intelligence systems. Compliance with the CRA is considered to fulfill the cybersecurity requirement for high-risk AI systems in the AI Regulation.
The proposed Regulation (EU) 2021/0171(COD) (“GPSR”) concerns the general safety of products. The relationship between cybersecurity (governed by the CRA) and product safety (governed by the GPSR) is established. Manufacturers may be liable for product safety issues attributable to cybersecurity.
The proposed Regulation (EU) 2022/0140(COD) (“EHDS”) concerns the use of electronic health data. The EHDS provides more specific cybersecurity requirements than the CRA for products within its scope, notably Electronic Health Record (“EHR”) systems.
Some Products may be considered critical or highly critical based on their cybersecurity risk as determined by the European Commission. For example, the following are seen to increase the cybersecurity risk of a Product:
- requirement for privileged access
- control of operational technology (“OT”, digital systems that directly or indirectly interact with the physical environment)
- provision of a security function (e.g., a firewall)
- use in essential entities (as defined in NIS, NIS2)
- use in the protection of personal data and
- previous incidents.
Critical Products are split into Class I and Class II. Examples of Products in these classes are:
- Password managers
- Firewalls for non-industrial use
- Intrusion Detection and/or Prevention Systems (IDPS) for non-industrial use
- Microprocessors and microcontrollers
- Industrial Internet of Things (“IIoT”) devices for use by non-essential entities (as defined in NIS, NIS2)
- And others…
- Public Key Infrastructure (“PKI”)
- Firewalls for industrial use
- IDPS for industrial use
- Secure elements, crypto processors, and Hardware Security Modules (“HSM”)
- Smart cards, smart card readers, and tokens
- Industrial Automation & Control Systems (“IACS”) for use by essential entities
- IIoT devices for use by essential entities
- And others…
The classification defines, which conformity assessment routes are accepted for the Product. See below for more discussion on the different routes. Roughly, the following guidelines apply:
- Internal Control Procedure.
- No third parties are involved.
Critical Class I
- Presumption of Conformity based on another conformity assessment having the same requirements, EU Type Examination Procedure, or Conformity Assessment based on Full Quality Assurance.
- Notified Body involved.
Critical Class II
- EU Type Examination Procedure or Conformity Assessment based on Full Quality Assurance.
- Cannot leverage an existing conformity assessment.
- Notified Body involved.
- Cybersecurity certification as defined in Article 56 of the Regulation (EU) 2019/881 (“Cybersecurity Act”).
- Depending on the required assurance level, either a conformity assessment body, a national cybersecurity certification authority, or another public body is involved.
Note: The European Commission may later issue delegated acts to change the classification.
What is required of Manufacturers?
Before placing on the market:
- Perform a Cybersecurity Risk Assessment.
- Perform due diligence on any third-party components used.
- Ensure that the Essential Cybersecurity Requirements are met.
- Draft the Technical Documentation, which may include elements that are not found in the outputs of a typical, agile development process.
- Perform a Conformity Assessment.
- Draft a Declaration of Conformity.
After placing on the market, throughout the Product’s expected lifetime:
- Ensure continued conformity (or withdraw/recall the Products).
- Manage vulnerabilities.
- Report any actively exploited vulnerability to ENISA within 24 hours of becoming aware of it.
- Notify users of the Product about incidents without undue delay.
- Maintain the Technical Documentation.
Note: Products placed on the market by Importers or Distributors have the same requirements. In these cases, the Manufacturer’s obligations are borne by the Importer, Distributor, or Authorized Representative in the EU.
What are the Essential Cybersecurity Requirements?
- Security by design.
- No known exploitable vulnerabilities are allowed.
Based on the Cybersecurity Risk Assessment, where applicable:
- Secure by default configuration.
- Protection from unauthorized access (e.g., access control).
- Protection of data at rest and in transit (e.g., encryption).
- Minimization of data.
- Availability protection for essential functions (e.g., DDoS prevention).
- Minimization of negative impact on networks and other devices.
- Attack surface limitation.
- Incident impact reduction using appropriate exploitation mitigations.
- Security-related information recording and/or monitoring (e.g., logging, auditing).
- Security updates.
- Identify and document vulnerabilities and components of the Product, including a software bill of material (SBOM) in a common, machine-readable format.
- Regular tests and reviews of the Product.
- Address and remediate vulnerabilities without delay by security updates, but in relation to the risks posed.
- Secure distribution of security updates and patches, including relevant information, to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner, free of charge.
- Public disclosure of information about fixed vulnerabilities after a security update addressing them has been made available.
- Policy on coordinated vulnerability disclosure.
- Share information about vulnerabilities in the Product as well as any third-party components.
Conformity Assessment, Declaration of Conformity & CE Marking
The Conformity Assessment leading to a Declaration of Conformity and the CE Marking of the Product is required of all Products. There are five routes to perform the Conformity Assessment:
Presumption of Conformity
- Compliance is assumed based on compliance with Harmonized Standards, Common Specifications and/or a cybersecurity certification scheme according to the Cybersecurity Act.
- Caveat: said standards/specifications/schemes must cover all the CRA requirements.
- Not allowed for Class II or highly critical products.
Internal Control Procedure
- The Manufacturer’s own assurance that the Essential Cybersecurity Requirements are met.
- Not allowed for Class II or highly critical Products.
- The procedure results in a Declaration of Conformity by the Manufacturer.
EU Type Examination Procedure
- A Notified Body examines the product, and the vulnerability handling processes put in place by the manufacturer and attests that the Essential Cybersecurity Requirements are met.
- Not allowed for highly critical Products.
- The procedure results in a Type Examination Certificate by the Notified Body and a Declaration of Conformity by the Manufacturer.
Conformity Assessment based on Full Quality Assurance
- The Manufacturer operates an approved Quality Management System to ensure the compliance of the Products with the Essential Cybersecurity Requirements.
- A Notified Body assesses the Quality Management System to determine if the requirements are met.
- Not allowed for highly critical Products.
- The procedure results in a (successful) Quality Management System Assessment result by the Notified Body and a Declaration of Conformity by the Manufacturer.
European Cybersecurity Certification
- According to a European cybersecurity certification scheme (“CCS”), as defined in Article 56 of the Regulation (EU) 2019/881 (“Cybersecurity Act”).
- Only for highly critical Products.
- Depending on the assurance level required by the CCS, one of the following performs the certification: a Conformity Assessment Body, a National Cybersecurity Authority, or another Public Body accredit as a Conformity Assessment Body
- The procedure results in a European Cybersecurity Certificate.
Note: When a Notified Body is involved, the Manufacturer is obliged to notify and get approval from the Notified Body of any intended change to the Product and/or the Quality Management System.
Non-Conformance & Penalties
Each EU Member State shall designate one or more Market Surveillance Authorities to ensure the effective implementation of the CRA. The Market Surveillance Authorities in different Member States shall cooperate and are required to exchange information.
The Market Surveillance Authorities may conduct sweeps to find non-conforming Products. Additionally, they are required to investigate non-conformities that they become aware of (e.g., through vulnerability disclosure).
The Market Surveillance Authorities may limit the availability of, prevent the sale of, or order the recall or withdrawal of non-conforming products from the market. Additionally, the manufacturer may receive fines for
- non-conformance with the Essential Cybersecurity Requirements up to 15 MEUR (or 2.5% of worldwide annual turnover)
- non-conformance with any other obligations under the CRA up to 10 MEUR (or 2% of worldwide annual turnover) or
- the supply of incorrect, incomplete, or misleading information to Notified Bodies or Market Surveillance Authorities up to 5 MEUR (or 1% of worldwide annual turnover).
Furthermore, the Manufacturer is liable for damages caused by a lack of safety in their product irrespective of fault (‘strict liability’). Where such a lack of safety consists in a lack of security updates after placing the Product on the market, and this causes damage, the liability of the manufacturer could be triggered according to the CRA.
Additionally, further penalties may apply under other EU regulations.