The European Commission recently presented its proposal for the Cyber Resilience Act (CRA). It forces businesses to keep the cybersecurity concerns of citizens, customers and their own business in mind, but also comes with hard to fulfil obligations. They require producers and manufacturers to regularly reduce vulnerabilities throughout a product’s life cycle from start to finish with finish being the eventual end of the product’s use.
Current status of the legislative process
The CRA is a draft and is therefore susceptible to change. National representatives in the EU Council are discussing it in initial rounds and have already deliberated on it at the Horizontal Working Party on Cyber Issues, a preparatory body in the EU Council. Afterwards the text will be given to the Member States to be commented on. However, as of December 2022 the EU Czech Presidency has already criticised the text as too broad and needing amendments in order to properly consider national security, public security or defence interests.
Scope and background of the CRA
Under the Draft CRA all products with digital elements are to meet cybersecurity requirements throughout the product lifecycle, and must meet increased transparency requirements in order to help user groups to regard cybersecurity when selecting and using products. The aim is to protect companies and citizens better against cyberattacks.
Therefore, all products with digital elements whose intended or foreseeable use is to establish a direct and/or indirect link of any kind to a device and/or network are subject to the Draft CRA. The requirements products are subject to are scaled according to the products importance. Products concerning national infrastructure like energy supply systems, rail systems, healthcare systems and alike would fall under more vital products, hence will be subject to stricter requirements. Consequently, products which do not have a national scope will be subject to less requirements.
It is unknown if companies outside the European Union (EU) will need to comply, but the Draft seems to intend so, which will require specification in order to provide legal certainty.
Products that are already the subject of other European legislation, such as medical devices, are explicitly excluded from the scope of the Draft CRA.
Obligations for producers
Producers need to meet certain requirements when the developing, producing and offering products concerned by the CRA. There are certain legal and technical parameters, as well as effective vulnerability handling mechanisms that must meet essential cybersecurity requirements and obligations. These can be found in Annex l of the Draft CRA, e.g., products must
- be delivered with a secure by default configuration, including the possibility to reset the product to its original state; and
- ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity, or access management systems.
The obligations that to be complied with by the producer, manufacturer or distributer are not a once-off but rather fall due over a period of five years. This point in particular is likely to become a challenge for many companies, as security updates must also be made available for those devices that can only theoretically establish an online connection (such as a washing machine with a WIFI module).
Once the Draft CRA is passed there will be a grace period of 24 months for most products, while some products will only have 12 months for the implementation of these requirements. To demonstrate compliance with their obligations, manufacturers are required to conduct a so-called conformity assessment. Based on the risk classification of the product there will be different procedures and methods applied. The procedures range from internal control measures to full quality assurance.
For each of these procedures, the Draft CRA contains checklists with specifications that must all be met in order to successfully pass. The checklists have not been made public, as the lawmakers are still debating on the specifics included in the checklists.
The Draft CRA also includes requirements for public authorities, as they are granted comprehensive market monitoring, investigative and regulatory powers. One such power are so-called sweeps. They are unannounced and coordinated, involving area-wide monitoring and control measures that are intended to provide information as to whether or not the requirements of the Draft CRA are being complied with.
It is unknown how the rights and freedoms of citizens who own products that are the subject of a sweep and are actively using them will be protected in the process.
Fines for non-compliance
Violations of the CRA will be subject to a fine, with the fines reaching a maximum amount of either EUR 15 million or 2.5 % of the total worldwide annual turnover of the preceding fiscal year – whichever is higher. However, the fines are to be issued by the Member States of the EU, which is likely to result in uncertainty and an EU regulatory patchwork for companies with fines varying between Member States.
How can companies prepare for the CRA?
The Cyber Resilience Act has not yet been adopted. However, in view of the short implementation period after the Act comes into force, companies should start adapting their processes now. Overall, here is the list of what producers need to do:
- You need to identify the likely risks for your product.
- You need to design, develop, and produce products in such a way that they ensure a suitable level of cybersecurity based on the risks identified.
- You need to deliver products without any known exploitable vulnerabilities.
- You need to protect the confidentiality and integrity of stored, transmitted or otherwise processed data.
- You need to process only data that are adequate, relevant, and limited to what is necessary in relation to the intended use of the product.
- You need to ensure that vulnerabilities can be addressed through security updates or patches, including, where applicable, through automatic updates and the notification of available updates to users.
- Lastly, you need to follow specific rules for handling vulnerabilities.
It is to be highlighted that the legislation is a draft and will in future be updated and fleshed out. However, the draft already shows that producers, manufacturers, and distributors will be under more pressure in the future and will need to be more vigilant in their entire process, from development through to production to placing the product on the market. The risks of cyber-attacks are ever present and must be taken seriously, a concern the EU Commission is clearly trying to address with this Draft.