The EU Cyber Resilience Act is a new piece of legislation designed to improve the resilience of EU institutions and critical infrastructure against cyber threats, by placing cybersecurity requirements on all products with digital elements such as IoT products. It will have a significant impact on businesses operating within the European Union, as a measure to secure safer and more secure digital products, and it implies requirements and duties placed upon both manufacturers and users of digital products, which business need to prepare for.
The European Commission published its proposal on 15 September 2022 as part of its entire EU cybersecurity framework. It will now be processed by the European Parliament and the Council. Once adopted, economic operators and Member States will have two years to adapt to the new requirements.
Hardware and software products are increasingly subject to successful cyberattacks, resulting in an estimated global annual cost of cybercrime of €5.5 trillion by 2021, with expected increase. According to the European Commission, such products suffer from two key issues:
- a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and
- an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
Most of hardware and software products are currently not covered by any EU legislation addressing the products’ cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.
The 4 main objectives of the regulations according to the European Commission were:
- ensure that manufacturers improve the security of products with digital elements from their design and development phase and throughout the whole lifecycle;
- ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
- enhance the transparency of security properties of products with digital elements, and
- enable businesses and consumers to use products with digital elements securely.
The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for products throughout their lifecycle and will require businesses operating within the EU to implement a number of measures. Requirements include:
- Security by design: Cybersecurity shall be taken into account in planning, design, development, production, delivery and maintenance phase of products
- Documentation: All cybersecurity risks for a product shall be documented
- Handling of vulnerabilities: Once sold, manufacturers must ensure that for the entire expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively
- Use instructions: Provision of clear and understandable instructions for secure use of products with digital elements
- Security updates: Such are to be made available for at least five years
- Incident reporting: Businesses will be required to report actively exploited vulnerabilities and incidents to the relevant authorities. This includes incidents that have a significant impact on the business, such as data breaches or ransomware attacks.
The EU Cyber Resilience Act will also establish a European Cybersecurity Competence Centre to provide support and expertise to businesses. EU standards based on the Cyber Resilience Act is intended to facilitate its implementation.
It is important for businesses manufacturing products with digital elements to start preparing for the implementation of the EU Cyber Resilience Act now. This includes reviewing their current cybersecurity measures and identifying any areas that need to be improved.
If you have any questions or concerns about the EU Cyber Resilience Act and how it will affect your business, please do not hesitate to contact us.