On 15 September 2022, the European Commission (“Commission” or “EC”) published a draft proposal for a Cyber Resilience Act (“CRA”). The CRA comes in response to the increasingly common occurrence of cyberattacks, with some predicting that the global cost of cyberattacks for companies will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. The CRA promises to transform the European cybersecurity landscape by harmonizing and bolstering cybersecurity rules across all technologies with “digital elements.” The Commission is currently inviting public feedback on the CRA through 18 November 2022. The CRA will then pass through the European Parliament for debate and for amendments to be proposed.
What to do about the proposed CRA now?
Businesses that manufacture or distribute products that connect to a device or network should assess whether their products may be subject to the CRA and whether their business will be classified, for the purposes of the CRA, as a ‘manufacturer’, ‘importer’ or ‘distributor’, with the CRA imposing the largest burden on manufacturers (see further below). Furthermore, if firms determine that they may be subject to the CRA, they should consider their risk exposure, i.e., which category of risk their products would likely fall into under the CRA and what steps they may need to take to comply with the CRA’s requirements. Finally, firms should continue to monitor developments on cybersecurity laws, both in the EU with the CRA and in other jurisdictions globally.
On 1 March 2022, the Commission called for evidence and a public consultation on cybersecurity requirements in the EU. This exercise resulted in the Commission identifying two key risks with regard to digital products:
- Product security – i.e., products may be vulnerable to cyberattacks because they have insufficient security updates to address vulnerabilities.
- Product transparency – i.e., users may not have enough information and understanding about product security to identify and select “adequate cybersecurity products” or use them “in a secure manner.”
To address these concerns, the EC identified six key aims for the CRA: to (1) create conditions to produce hardware and software with fewer vulnerabilities; (2) create conditions which allow users to take cybersecurity into account when buying products; and more specifically, to (3) improve manufacturer cybersecurity; (4) ensure a coherent cybersecurity framework; (5) enhance transparency of security properties of products with digital elements; and (6) enable the secure use of digital products.
The CRA would incorporate obligations for manufacturers, importers and distributors (collectively named ‘Economic operators’), but would apply primarily to manufacturers. It would apply to all products placed on the internal market of the EU with “digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network” (Article 2). This would be regardless of where the manufacturer is based, so long as the product is sold within the EU or to EU based customers. The CRA sets out that the following products would not be in scope:
- Services, e.g., Software-as-a-Service (“SaaS”), where software is provided on demand or via subscription and is centrally hosted (Recital 9).
- Free and open-source software developed outside the course of commercial activity (Recital 10).
- Certain products which are already covered by existing EU legislation, for example, some digital medical devices that are already covered by legislation such as Regulation (EU) 2017/745 on the clinical investigation and sale of medical devices for human use.
Like the EU’s Artificial Intelligence Act (“AI Act”), the CRA would increase regulatory obligations based on the level of risk associated with the product. The categorization of products is as follows:
- Default – the vast majority of products, i.e., products without critical cybersecurity vulnerabilities. For such products, manufacturers must conduct a “self-assessment” of vulnerabilities for improvement, complete certain technical documentation, affix a “conformity mark” and issue a written EU declaration of conformity with the CRA’s requirements.
- Critical – divided into two categories:
a. Class I – these products include identity and access management software, password managers, browsers, malicious software detection and mobile device management software. Class I products also require the application of a standard form or a third-party assessment to show conformity with Class I-specific regulatory obligations.
b. Class II – these products include operating systems for servers, desktops and mobile devices; public key infrastructure and digital certificate issuers; general purpose microprocessors; and smart meters. Class II products must complete a third-party conformity assessment to demonstrate compliance with their higher regulatory obligations (as set out in Annex VI of the CRA).
General obligations for manufacturers
Manufacturers would be required to design products (including default and critical products) in line with “essential cybersecurity requirements” (Section 1 of Annex I). Such “essential” requirements would include secure-by-default configurations, maintenance of confidentiality, and data integrity mechanisms. Article 10(12) of the CRA also includes product recall obligations if certain vulnerabilities are detected. In addition, manufacturers would be required to undertake a cybersecurity risk assessment throughout the lifecycle of the product to minimize cybersecurity risks and mitigate incidents (Article 10(2)). Manufacturers would further be required to handle vulnerabilities, including through “coordinated vulnerability disclosure policies” (Section 2 of Annex I). Finally, manufacturers would be required to complete a conformity assessment procedure to show that their products meet their regulatory obligations, along with a “declaration of conformity.”
Chapter II would require manufacturers to complete certain technical documentation and produce user instructions in a clear and intelligible form as set out in Annex II of the CRA.
If there is a security event, manufacturers would be required to notify ENISA (the European Union Agency for Cybersecurity) without undue delay and in any event within 24 hours of becoming aware of: (1) any actively exploited vulnerability contained in the in-scope product; and (2) any incident having an impact on the security of the in-scope product. These reporting obligations would extend to informing users, where “necessary,” of the incident as well as of corrective measures to mitigate its impact.
New national authorities
Member States would have a responsibility to create “national market surveillance authorities” to ensure the effective implementation of the CRA (Article 41). Further, Member States would be required to create “notifying authorities” for cybersecurity incidents (Articles 26 and 27) and “conformity assessment bodies” which would carry out all conformity assessment tasks referred to in Annex VI.
The CRA would set a maximum fine of up to €15 million or up to 2.5% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with any essential cybersecurity requirements. Breaches of other obligations could result in fines of up to €10 million or 2% of global turnover in the last financial year. Providing misleading information to market surveillance authorities could also attract fines of up to €5 million or 1% of global turnover generated in the last financial year.
Penalties for infringing the regulations would be left to Member States to determine, but guidance suggests that consideration should be given to the “nature, gravity and duration of the infringement and of its consequences” and “the size and market share” of the relevant operator.
Interplay with other EU legislation
It remains to be seen how the CRA will interact with other pieces of forthcoming EU legislation, including the AI Act (high risk systems under the AI Act which are subject to the CRA and meet essential requirements under the CRA will be deemed in compliance with cybersecurity requirements under the AI Act), the Data Act (which aims to ensure fairness in the data environment, increase data accessibility, and create a harmonized framework for industrial data sharing) and the Cybersecurity Act (which strengthens the role of ENISA and establishes a European cybersecurity certification framework which focuses on ICT products).
The European Parliament and the Council will now examine the CRA and suggest any amendments as part of the next stage in the legislative process. Once adopted, the current draft CRA provides that there would be a 24-month implementation period, although manufacturers would be subject to reporting obligations one year after the CRA comes into force.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.