
EU Cyber Resilience Act Proposal: the new regulation is coming

Dr. Suha Futaci, CISSP

MD Foureyeson Ltd

During our attendance at Embedded World 2023 in Nurnberg and AutoISAC Europe 2023, we had a chance to gauge the community's awareness of the new regulation proposed by the European Community, namely the “Cyber Resilience Act (CRA)”. We are glad to see that the management of almost all vendors we got in touch with had already heard of it. While it is still in the proposal phase, we expect it to enter into force after the EU Parliament elections in 2024.


What is it all about then?


In 2021, EC President von der Leyen announced the Cyber Resilience Act [1], planned as an addition to the existing baseline cybersecurity framework formed by the “Directive on the security of Network and Information Systems” [2] and the Cybersecurity Act [3]. The Cyber Resilience Act will complement the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive [4].

MOTIVATION

As put forward on the EU web site [5], “The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products”. The motivation is to address the high cost of cybercrime involving hardware and software products, estimated at €5.5 trillion. The reasons are listed as:

- Low level of cybersecurity and widespread vulnerabilities in the products,

- Insufficient and inconsistent provision of security updates,

- Insufficient information provided to end users for them to select the right products with adequate cybersecurity properties and securely use the products [5].

The EU legal framework so far does not cover the whole general class of “products with digital elements”, such as non-embedded software, although legislation exists for specific product categories. For example, the existing framework does not cover digital products that fall under neither the Radio Equipment Directive nor the Medical Devices Regulation. The current regulatory framework also falls short on cybersecurity requirements covering the whole life cycle of a product [6].

OBJECTIVES

Two main objectives were identified, aiming to ensure the proper functioning of the internal (EU) market [5]:

  1. Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities, and ensuring that manufacturers take security seriously throughout a product’s life cycle; and

  2. Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.


Four specific objectives were also set out [5]:

  1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;

  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;

  3. Enhance the transparency of security properties of products with digital elements; and

  4. Enable businesses and consumers to use products with digital elements securely.


PROPOSED REGULATION

At this point we should remind the reader that the regulation is still in the proposal phase as of this writing (5 December 2022); the final version must be checked for changes once the regulation is published in the Official Journal of the European Union.

The proposal document (downloadable from the web [5]) covers all products with digital elements, including cloud products, except those to which the following EU acts apply:

- EU 2017/745 (Medical devices) [7]

- EU 2017/746 (In vitro diagnostic medical devices) [8]

- EU 2019/2144 (Type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users) [9]

- Products certified under EU 2018/1139 (common rules in the field of civil aviation...) [10]

- Products developed exclusively for national security or military purposes, or products specifically designed to process classified information.


The annexes of the proposal are “Essential cybersecurity requirements for the products”, “The minimum information and instructions that should be provided to the users”, “The list of critical product types”, “EU declaration of conformity details”, “Technical documentation requirements” and “Conformity assessment procedures” (downloadable from the web [5]).

WHO IS OBLIGATED TO COMPLY

The proposed regulation [5] assigns obligations to the following economic operators of “products with digital elements”:

- Manufacturers

- Authorized representatives

- Importers

- Distributors

The details of the obligations of each class of economic operator can be found in the proposal, in Articles 10 to 17. It is worth emphasizing that manufacturers are responsible for designing, developing, and producing the products in accordance with the essential cybersecurity requirements, so the integration of security features should start from the design phase.

PENALTIES:

Penalties in the case of non-compliance are listed as follows:

- Non-compliance with the essential cybersecurity requirements and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

- Non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

- The supply of incorrect, incomplete, or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

WHEN WILL THIS REGULATION ENTER INTO FORCE?

As it appears in the proposal:

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 24 months after the date of entry into force of this Regulation. However, Article 11 (reporting obligations of manufacturers) shall apply from 12 months after the date of entry into force of the Regulation.

CONCLUSION:

In this summary, we covered the key subjects taken from the proposal documents published by the EC about the coming “Cyber Resilience Act”. This reflects our understanding so far, offered as heads-up information, and we have carefully avoided interpretation. (*)

We think that this regulation will lead to better cybersecurity postures in the products with digital elements sold in the EU market. This will have positive effects globally as well.

The reader is encouraged to read reference [5], including the downloadable proposal document and its annexes.


(*) The information contained in this document is provided for informational purposes only, as a summary, and should not be construed as legal or business advice. The links in this document refer to other publicly accessible web sites, whose security and privacy practices are the responsibility of the respective web site owners.


REFERENCES:

[1] https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_21_4701

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

[3] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

[4] https://single-market-economy.ec.europa.eu/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en

[5] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

[6] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en

[7] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745

[8] https://eur-lex.europa.eu/eli/reg/2017/746/oj

[9] https://eur-lex.europa.eu/eli/reg/2019/2144/oj

[10] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1139
