State of the Union: EU Cyber Resilience Act – Questions & Answers@European Union, 2018
What is the new EU Cyber Resilience Act?
The Cyber Resilience Act is a first ever EU-wide legislation of its kind: it introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. It will ensure that wired and wireless products that are connected to the internet and software placed on the EU market are more secure and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle. It will also allow the customers of these products to be properly informed about the cybersecurity of the products they buy and use.
What kind of risks does the proposal aim to address?
Cyber-attacks can spread across borders of the internal market within minutes. The regulation therefore tackles two issues: one is the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities. While manufacturers of products with digital elements sometimes face reputational damage when their products lack security, the cost of vulnerabilities is predominantly borne by professional users and consumers. This limits the incentives of manufacturers to invest in secure design and development and to provide security updates.
The second is that businesses and consumers often do not have sufficient and accurate information when it comes to choosing products that are secure and often lack knowledge of how to make sure that the products they buy are set up in a way that is secure. The new rules tackle these two aspects by addressing the issue of updates and also of providing up to date information to customers.
How does the Cyber Resilience Act address these problems?
The Cyber Resilience Act mandates that products with digital elements will only be made available on the market if they meet specific essential cybersecurity requirements. It requires manufacturers to factor cybersecurity in the design and development of the products with digital elements.
Regarding the information and instructions provided to the end user, the Cyber Resilience Act requires manufacturers to be transparent on cybersecurity aspects that need to be made known to customers. A key element of the proposal is the coverage of the whole life cycle of the products, and in particular the provision of obligations for manufacturers and developers to provide information about the end-of-life of the products and the security support provided, as well as obligations to provide security updates and support for a reasonable period of time.
Such obligations would be established for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placing on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain. Based on the New Legislative Framework for product legislation in the EU, manufacturers would undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. This could be done via self-assessment or a third-party conformity assessment, depending on the criticality of the product in question. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking. The CE marking will indicate the conformity of products with digital elements with the CRA, so that they can move freely within the internal market.
Who will benefit from the Cyber Resilience Act?
The Cyber Resilience Act will bring significant benefits to the various stakeholders. Businesses will have to comply with one single set of cybersecurity rules across the European Union. The Act will reduce the number of cybersecurity incidents and with this, the cost of incident handling and reputational damage for companies. As such, it would increase trust by consumers and business customers, and thus demand for products with digital elements, both within and outside the EU.
At the same time, consumers and users will enjoy more information when choosing a product with digital elements and clearer instructions about its use. As a result of fewer security risks and incidents, consumers and citizens will benefit from better protection of fundamental rights, such as data and privacy protection.
The Cyber Resilience Act also has the potential to become an international point of reference, beyond the EU’s internal market. EU standards based on the Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.
What will happen to non-compliant products?
Member States will appoint market surveillance authorities, which would be responsible for the enforcement of the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don’t adhere to the rules. The Cyber Resilience Act establishes maximum levels for administrative fines that should be provided in national laws for non-compliance.
Will software, when provided as a service and not as a product, be covered under the CRA?
Software provided as part of a service is not covered by the proposed Cyber Resilience Act, as it covers only products with digital elements that are sold within the European single market, and sets out concrete cybersecurity requirements and obligations for the manufacturers of these products. However, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), and other sectorial legislation, ensure that systems provided as a service or developed in-house, as could be the case e.g. for electronic health record (EHR) systems, meet equivalent technical requirements for cybersecurity and provide the same level of protection against cyber threats as products with digital elements covered by the CRA. Under the NIS 2 Directive, Member States are requested to ensure that essential and important entities, such as healthcare or cloud providers and public administration entities, take appropriate and proportionate technical, operational and organisational cybersecurity measures. This includes, among others, a requirement to ensure security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. In addition, technical and methodological requirements for certain types of entities, such as cloud computing service providers as well as sectoral requirements, if needed, will be defined through implementing decisions.
How will it interplay with the existing rules?
The Cyber Resilience Act would harmonise the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation. This would create greater legal certainty for operators and users across the Union, as well as a better harmonisation of the European single market, creating more viable conditions for operators aiming to enter the EU market.
In particular, the Cyber Resilience Act will complement the NIS 2 Directive, which was recently agreed by the European Parliament and the Council. The NIS2 Directive puts in place cybersecurity requirements, including supply chain security measures, and incident reporting obligations for essential and important entities, with a view to increasing the resilience of the services they provide. Therefore, the enhanced level of cybersecurity of products with digital elements would facilitate compliance by the entities in the scope of NIS2 Directive and would strengthen the security of the entire supply chain.
The Cyber Resilience Act applies to radio equipment in scope of the Delegated Regulation adopted under the Radio Equipment Directive 2014/53/EU (RED Delegated Regulation). The Cyber Resilience Act is aligned with the requirements of the RED Delegated Regulation, including the specific requested standards under the RED Delegated Regulation. The Cyber Resilience Act would thus constitute the next important all-encompassing step, which would build on these standards to be developed until the Cyber Resilience Act becomes applicable. For the sake of simplicity and legal clarity, the RED Delegated Regulation would then be repealed.
What are the next steps?
It is now for the European Parliament and the Council to examine the proposed Cyber Resilience Act. Once the proposal is adopted and enters into force, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the entry into force, since they require fewer organisational adjustments than the other new obligations.
The Commission will periodically review the Cyber Resilience Act and report on its functioning.