On September 15, 2022, the E.U. Commission published the Cyber Resilience Act (CRA) draft setting out cybersecurity requirements for products with digital elements placed on the internal market and amending Regulation (EU) 2019/1020 on Market Surveillance and Compliance of Products.
To date, software has not been a central part of the E.U. product safety legislation, which traditionally covered placement on the market of physical goods. Also, product safety legislation typically applies to finished products. Components, spare parts, or sub-assemblies is only rarely regarded as finished products.
The CRA would be the first law to cover safety for any software regardless of intended purpose and execution environment. The CRA proposal incorporates all software and hardware components directly into the definition of product with digital elements.
This transpires from the memorandum proposal which explains that the “current E.U. legal framework does not address the cybersecurity of non-embedded software.” Therefore, the CRA is intended to “ensure the setting out of specific horizontal cybersecurity requirements for all products with digital elements being placed or made available on the internal market and would be the only option covering the entire digital supply chain. Non-embedded software, often exposed to vulnerabilities, would also be covered by such regulatory intervention, thus ensuring a coherent approach towards all products with digital elements, with a clear share of responsibilities of various economic operators.”
Exclusions:
Recital 9 of the Proposal specifies that the CRA would not cover Software- as-a-Service (SaaS), “except for remote data processing solutions relating to a product […] for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions”.
Free-of-charge and open-source software is also excluded from the scope of the Proposal, in order not to stifle innovation and research.
As regards other exceptions, the CRA would not apply to products with digital elements which already fall within the scope of Medical devices Regulation, Regulation on in vitro diagnostic medical devices and Regulation on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles.
Equally, the CRA would not apply to products with digital elements that have been certified in accordance with Regulation regarding common rules in civil aviation.
Also excluded from the scope of the CRA are those products with digital elements exclusively developed for national security, military purposes or specifically designed to process classified information.
The CRA is a risk-based approach type of legislation reason why it divides products with digital elements into two main categories, based on their level of risk.
The first category constitutes of non-critical products, e.g., hard drives, smart home assistants or connected toys. The second category constitutes of critical products (listed under Annex III), which are further divided into two sub-categories:
- class I lower risk (e.g., virtual private networks and routers, ID-management systems, VPNs, browsers, various network systems, mobile device management software, and update/patch management;) and
- class II higher risk (e.g., operating systems for desktops and mobile phones or smart meters, servers, desktops, and mobile devices; smartcards, smartcard readers and tokens; microprocessors; and IoT devices intended for the use by essential entities under the draft NIS2 Directive (e.g., energy, transport, banking, health, digital infrastructure, public administration, and space sectors).
The difference between non-critical, critical, and highly critical products with digital elements lie in the different conformity assessment procedure they must undergo.
Whereas critical products must be subject to conformity assessment procedures referred to in Art. 24(2) and (3), manufacturers of highly critical products are required to obtain an E.U. cybersecurity certificate under a European cybersecurity certification scheme to demonstrate conformity with the essential requirements set out in Annex I.
Supply-chain obligations (manufacturers, importers, distributors, other stakeholders)
The relationships between market operators in the supply chain and due diligence have primarily been contractual, whereas now manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements.
Section 2 of Annex I provide for essential requirements in terms of the processes put in place by manufactures. They include: the identification and documentation of vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM) in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product; the mitigation of vulnerabilities without delay, including by providing security updates; the application of effective and regular tests and reviews of the security of the product; the public disclosure of information about fixed vulnerabilities, once a security update has been made available, etc.
For non-critical products, which represent 90 % of digital products placed on the market, manufacturers would have to declare under their own responsibility that the products with digital elements comply with all the security requirements defined in the draft CRA (self-assessment).
For critical products, the process to demonstrate compliance differs based on the sub-category taken into consideration.
- Existing harmonised cybersecurity standards (e.g., developed by European standardisation organisations) or
- Existing cybersecurity certification schemes under the EU Cybersecurity Act.
Manufacturers also have several documentation obligations with regards to the handling vulnerabilities and information provided by third parties. Art. 23 specifies the content of the technical documentation to be drawn up by the manufacturer before the product is placed on the market and to be kept at the disposal of the market surveillance authorities for ten years after the product has been placed on the market.
Moreover, manufacturers shall ensure that products with digital elements are accompanied by the information and instructions set out in Annex II, in an electronic or physical form, in a clear, understandable, intelligible, and legible language. The instructions and information may include the E.U. declaration of conformity.
Articles 12, 13 and 14 place obligations on stakeholders other than the manufacturer, such as, authorised representatives, importers, and distributors, respectively.
Importers must place on the market only digital products that comply with essential cybersecurity requirements bearing the CE marking.
Distributors must verify that the digital products bear the CE marking. They also have a duty of care to ensure that manufacturers and importers have complied with their obligations under the act.
If the importer or distributor places a product on the market under its name or trademark or carries out a substantial modification of the product, then the importer or the distributor shall be considered a manufacturer and therefore, shall be subject to the obligations of the manufacturer. Yet, the same applies to any natural or legal person who carries out a substantial modification.
Substantial modification is defined as a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements or results in a modification to the intended use for which the product with digital elements has been assessed.
Interplay between the CRA, NIS Directive and Cybersecurity Act
The CRA would complement NIS2 Directive and the EU Cybersecurity Act.
The NIS2 Directive puts in place cybersecurity requirements and incident reporting obligations for essential and important entities i.e., obligation to demonstrate how those entities have assessed the security level of the ICT products and services.
Therefore, the enhanced and certified level of cybersecurity to be reached through the CRA would facilitate compliance by the entities within the scope of the NIS2 Directive and would strengthen the security of the entire supply chain.
The Cybersecurity Act allows the development of voluntary certification schemes. Each scheme includes references to relevant standards, technical specifications and other cybersecurity requirements defined in the scheme. Digital products respecting such voluntary cybersecurity certification schemes would be presumed to be compliant with the conformity assessment of the proposed CRA.
Enforcement
Noncompliance with the essential cybersecurity requirements of Annex I and the obligations set out in Articles 10 and 11 is subject to administrative fines of up to 15M EUR or, if the offender is an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
As the European Union Institute for Security Studies presents in its Yearbook of European Security the Union continues to be subject to cyber incidents throughout 202 facing the growing challenge of ransomware, malware, crypto jacking, e-mail related threats, threats against data, disinformation, and others. In 2021 and 2022 ENISA pointed to the rise of highly sophisticated supply chain compromises and cyber espionage which exacerbated during the Covid-19 pandemic.
The market failure in providing optimal cybersecurity standards has two main problem drivers. Firstly, consumers are generally unable to assess the overall level of cybersecurity of digital products and may not be willing to pay for more secure options. Secondly, several models analysing the optimal investment level in cybersecurity concluded that the cybersecurity market is characterized by a suboptimal investment level. See Giorgio Chiara’s paper The Cyber Resilience Act: the EU Commission’s proposal for a horizontal regulation on cybersecurity for products with digital elements.
In this context, the EU Commission’s President Von der Leyen announced in the State of the Union address of 2021 the Cyber Resilience Act to ensure a coherent cybersecurity framework with mandatory requirements for manufacturers of products with digital elements, building on the EU’s 2020 Cybersecurity Strategy for the Digital Decade, the Council Conclusions of 2 December 2020 and the Resolution of the European Parliament of 10 June 2021. Eventually, the Commission presented the proposal for a regulation on horizontal cybersecurity requirements for products with digital elements on 15 September 2022.
It is also noteworthy that, the Council of the E.U. established a European Cybersecurity, Industrial, Technology and Research Competence Centre in Bucharest, Romania to pool investment in cybersecurity research, technology, and industrial development and to channel cybersecurity-related funding from Horizon Europe and the Digital Europe Pragramme.
Cybersecurity has thus developed into a social, economic, and multidisciplinary challenge with serious repercussions on individuals’ fundamental rights, including their right to privacy, physical safety, critical infrastructure, entire communities, institutions, and businesses.
It is in this climate that the CRA, among other E.U. digital laws, would contribute to the on-going process of shaping an EU concept of cybersecurity.
Author Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law @EU Digital Partners
