The EU Cyber Resilience Act proposal – What You Need to Know

On 30 November 2023 the European Parliament and the Council reached a political agreement on the EU Cyber Resilience Act¹ (known as the CRA), proposed by the European Commission in September 2022.

The CRA is one of the first legislative proposals of its kind in the world that aims to enhance the cyber security of products or software with a digital component that are omnipresent in our daily lives (ranging from baby monitors, smart watches, and computer games to firewalls and routers) as well as to enable consumers to make better informed choices when selecting and using IoT devices. Once the CRA applies, all products in-scope of this regulation put on the EU market, whether provided by an EU business or one outside, will need to be cyber secure.

How the CRA proposal is intended to raise the level of cybersecurity

The CRA will apply to all products with digital elements (PDEs), including IoT devices, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, except for specified exclusions such as medical devices, aviation, and cars, which are already covered by existing rules. PDEs are defined broadly in the CRA proposal to include any hardware and software products, including its remote data processing solutions, and software or hardware components to be placed on the market separately.

The CRA will introduce mandatory cybersecurity standards of such products through:

• harmonised rules when making PDEs available on the market;
• essential requirements for the design, development, and production of PDEs, and obligations for economic operators in relation to these products with respect to cybersecurity;
• an obligation to provide duty of care for the entire lifecycle of such products imposed on economic operators.

The provisional agreement maintains the European Commission's risk-based approach and classifies PDEs into the categories below, depending on the level of risk associated with the product, and introduces differentiated levels of security assessments:

(a) Default category – i.e., products without critical cybersecurity vulnerabilities (probably most products). These products will be subject to a “self-assessment” by the manufacturer.

(b) Critical category – with two sub-categories:

(i) Class I – products that either: (i) primarily perform functions critical to the cybersecurity of other products, networks or services, or (ii) perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health and safety of a large number of individuals through direct manipulation, such as a central system function, including network management, configuration control, virtualisation, processing of personal data. These products require the application of a standard form or third party-assessment to show conformity with regulatory obligations. Examples: software that searches for, removes, or quarantines malicious software; public key infrastructure and digital certificate issuance software; general purpose operating systems; physical and virtual network interfaces; routers, modems intended for connections to the internet, and switches; microprocessors and microcontrollers.

(ii) Class II – products that meet (i) and (ii) criteria listed above. These products must complete a third-party conformity assessment. Examples: products with digital elements that support virtual private network (VPN) functions such as VPN server and clients.

In addition, products that function as hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes, and smartcards or similar devices will be required to obtain a European cybersecurity certificate at a specified assurance under a European cybersecurity certification scheme.

What are the essential security requirements?

The CRA sets out crucial security criteria that PDEs have to comply with, including:

• Security by design and default – appropriate level of cybersecurity based on the risks must be embedded in a PDE from the beginning. A PDE must be placed on the market with a secure-by-default configuration, including the possibility to reset the product to its original state, including a default setting that security updates be installed automatically, with a clear and easy-to-use opt-out mechanism;
• Unauthorised access prevention by appropriate control mechanisms, such as authentication, identity or access management systems;
• Protection of the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms;
• Protection of the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against any manipulation or modification;
• Minimization of data – process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of a PDE;
• Protection of the availability of essential functions, including the resilience against and mitigation of denial-of-service attacks;
• Resilience against service attacks and attack surface limitation to minimise the potential entry points for cyberattacks;
• Vulnerability management – a PDE must be placed on the market without any known exploitable vulnerabilities. Post market-launched vulnerabilities can be addressed through security updates;
• Data portability – users must be provided with the option to securely and easily remove all data and settings and, where such data can be transferred to other products or systems in a secure manner.

What new legal obligations will economic operators face?

The CRA proposal is directed to the economic operators of PDEs, i.e., the manufacturer, the authorised representative, the importer or the distributor of such products.

New obligations of economic operators are different. The most important for the manufacturers (i.e., entities who develop or manufacture PDEs or have these products designed, developed or manufactured, and market them under their name or trademark, whether for payment or free of charge) are as follows:

• Risk assessment – the manufacturer must ensure that a PDE has been designed, developed, and produced in accordance with the essential requirements. To do this, the manufacturer must assess the risks associated with a PDE and take the outcomes of such assessment into account at every stage of the product's lifecycle, so as to reduce cybersecurity risk from the outset.
• Continuous monitoring and free updates to software – the manufacturers must monitor their products throughout their expected lifecycle and document relevant cybersecurity aspects. If any vulnerabilities occur, the manufacturer will be obliged to release free update. The support period cannot be shorter than 5 years, except for products which are expected to be in use for a shorter period of time.
• Reporting – any actively exploited vulnerabilities and incidents must be reported by the manufacturer to the competent national authorities via the incident reporting platform supervised by the EU agency for cybersecurity (ENISA) within tight deadlines, i.e., not later than 24 hours of becoming aware of vulnerability or incident for early warning and 72 hours of becoming aware for the complete notification.
• Transparency – the manufacturer will be required to complete certain technical documentation and produce user instructions in a clear and intelligible form as set out in the CRA. Such instructions must be provided in a language which can be easily understood by users and market surveillance authorities.

On the other hand, importers (i.e., entities established in the EU who places on the market a PDE that bears the name or trademark of persons established outside the EU) and distributors (i.e., entities that makes a PDE available on the EU market without affecting its properties) will be obliged to check whether the manufacturer complies with the requirements laid down in the CRA, including regarding a CE marking carried out by the manufacturer.

Next Steps

The agreement reached is not yet final and will have to be formally approved by both the European Parliament and the Council. Once adopted, the CRA will enter into force on the 20th day following its publication in the Official Journal of the European Union. However, economic operators will have 36 months to adjust to the new rules, except for the reporting obligation, which will apply after 21 months. The CRA is expected to be adopted in Q2/2024. Thus, the new requirements will start to apply between April-June 2027, and obligations to report incidents and vulnerabilities between January-April 2026.

What the CRA proposal means for the IoT sector?

The CRA proposal is a major step towards strengthening the EU's digital sovereignty and resilience in the face of growing cyber threats and challenges. It will also create a level playing field and a competitive advantage for EU businesses that offer secure and trustworthy products and services to their customers.

However, the CRA will also entail significant compliance costs and challenges for economic operators. They will have to adapt to the new requirements and standards, monitor and report any incidents or vulnerabilities, and face potential sanctions or liability in cases of non-compliance or breach. Non-compliance with the essential security requirements and obligations laid down in the CRA may result in a fine between EUR 5-15m or 1-2.5% of the worldwide turnover in the preceding financial year, whichever is higher, depending on the type of violation. In addition to fines, the relevant authorities can require the withdrawal of products from the EU market.

The CRA proposal does not specify how manufacturers should prove their compliance with essential cybersecurity requirements. The CRA will be implemented through harmonised standards developed by European standards organisations and endorsed by the European Commission, which will detail the requirements in technical specifications. It is hoped that harmonised standards for PDEs covered together with guidance from the relevant authorities will be available with sufficient time before the CRA applies.

Footnote:

¹Since the text of provisional agreement reached by the EU Parliament and Council has not been published yet, this text is based on the original proposal of the European Commission and the amendments suggested by the Council.