On September 15, 2022, the European Commission presented a proposal for a Regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act (CRA). By introducing common cybersecurity rules for manufacturers and developers, the Act aims to ensure the security of connected products and software throughout their entire lifecycle.
As the number of smart products grows incessantly, so does the number of cyberattacks and their associated costs – which reached €5.5 trillion in 2021. Nonetheless, to this date, most of the hardware and software placed on the EU market are not subject to any cybersecurity requirements. The CRA is the latest effort by the EU to build a cybersecurity ecosystem – currently comprising the NIS Directive, the NIS 2 Directive and the EU Cybersecurity Act – capable of addressing these problems by providing clear rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products.
Moreover, besides being a means to ensure security within the internal market, the Cyber Resilience Act is envisaged by the European Commission to become a point of reference for other jurisdictions across the world. Together with the recent proposal for a Regulation on Artificial Intelligence, the CRA exemplifies the willingness of the EU – embodied in the EU Digital Strategy – to become a global role model for the digital economy.
The Proposal in a nutshell
What products are affected?
The requirements set out in the proposed Regulation apply to products with digital elements that are intended to – or can be reasonably expected to – be directly or indirectly connected to another device or network.
According to Article 3(1) of the proposed text, products with digital elements shall be understood as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately” (EUR-Lex, 2019).
Not all connected products will fall under the scope of the new Regulation. Exceptions are provided with regard to devices for which cybersecurity requirements are already set out in existing EU legislation – e.g., medical devices, military products, or cars.
What is required?
Falling within the New Legislative Framework for product legislation in the EU, the proposed Regulation sets out the essential cybersecurity requirements for the design, development and production of products with digital elements and requires the manufacturer to follow a conformity assessment process to demonstrate compliance with the requirements applicable to their products. Depending on the type of device, manufacturers will have to:
- Self-declare compliance – issuing a Declaration of Conformity – or,
- Request the intervention of a Notified Body to certify the conformity of the devices.
At the end of the conformity process, the CE marking is affixed to the devices.
The obligations of manufacturers are not limited to the pre-market phase. To ensure the compliance and security of products throughout their entire lifecycle, the proposed Regulation sets out specific requirements for:
- Handling vulnerabilities of products already on the market (e.g., implementation of security updates).
- Reporting actively exploited vulnerabilities and incidents.
Manufacturers may be assisted in fulfilling some of their obligations (e.g., availability of technical documentation for Competent Authorities and communication with said Authorities) by an Authorized Representative appointed through a written mandate.
Other Economic Operators involved in the placing on the market of the products – i.e., distributors and importers – will also have to comply with specific obligations proportionate to their role and involvement within the supply chain.
What’s next?
The EU Parliament and the Council are now examining the proposed text to present amendments. Once consensus between the two co-legislators is reached and the Regulation is published in the EU Official Journal, manufacturers will have two years to adapt to the new requirements (one year for the provisions on reporting).
Are you an economic operator involved in the manufacture or distribution of connected products? Don’t forget to regularly visit the Obelis s.a. website to keep up to date with the latest regulatory updates on the Cyber Resilience Act!
Tommaso Poles
R&D Department
10/11/2022
References:
- EUR-Lex. (2019). Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. Retrieved on 15/11/2022.
- EUR-Lex. (17 April, 2019). Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). Retrieved on 15/11/2022.
- European Commission. (2022). State of the Union: New EU cybersecurity rules ensure more secure hardware and software products. Retrieved on 10/11/2022.
- European Commission. (2022). New legislative framework. Retrieved on 15/11/2022.
- European Commission. (2022). NIS Directive. Retrieved on 15/11/2022.
- European Commission. (2022). Commission welcomes political agreement on new rules on cybersecurity of network and information systems. Retrieved on 15/11/2022.
- Obelis.net. (18 February, 2021). New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient. Retrieved on 15/11/2022.