More and more successful cyberattacks are targeting hardware and software products, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021 according to the EU Commission. This is due mainly, on the one hand, to the lack of appropriate security in such products, which often go to market with inherent vulnerabilities, and on the other hand, to the lack of awareness of the consumers or enterprises adopting those products, caused by insufficient transparency from manufacturers when it comes to expressing their level of security.
This is why, on September 15, 2022, the European Commission published its proposal for the EU Cyber Resilience Act (CRA), a regulation intended to increase the level of trust among users and the attractiveness of EU products with digital elements while providing legal certainty.
The regulation is very exhaustive, and we recommend going through it in detail. In the meantime, here are the top 8 things you should know about the EU Cyber Resilience Act that we just picked for you…
1- Am I concerned?
Yes, if you are a manufacturer, importer or distributor of connected products (hardware/software) with digital elements (e.g. smart sensors, smart cameras, mobile devices, network devices, etc.). All market sectors are concerned in a horizontal way, except sectors where other EU regulations already apply, such as the medical, civil aviation and motor vehicle domains. Note that products with digital elements also include non-embedded software (software that can be made available without hardware). Services such as SaaS applications, for instance, are not within the scope of this regulation unless they provide remote processing for the product, under the responsibility of the product manufacturer, without which the product could not perform one of its functions. Finally, free and open-source software supplied outside of a commercial activity should not be covered by this regulation.
2- What are my obligations?
One of the main goals of the CRA is to cover the entire lifecycle of digital products. So your first obligation is to ensure that a list of essential cybersecurity requirements and harmonised rules has been considered at all stages, including the design phase, delivery, actual product use, maintenance, decommissioning and disposal. Security by design, security by default, the security of the supply chain and vulnerability handling will be the main domains to be addressed. Secondly, you need to conduct and document a security risk assessment and provide user guidance. You must report actively exploited vulnerabilities and provide security updates for at least five years. If you know or have reason to believe that the product or the processes put in place by the manufacturer are not in conformity with the CRA essential requirements, you must immediately take the necessary corrective measures, withdraw or recall the product as appropriate, and notify ENISA within 24 hours.
3- How should I demonstrate conformity?
Most common families of digital products belong to the non-critical risk category, which requires a conformity self-assessment carried out under your own responsibility. Other products considered to belong to higher risk categories will be qualified as critical (Class I) and might require additional assurance requirements, satisfied by applying harmonised standards or EU cybersecurity certification schemes such as the EUCC or the EUCS, either under your own responsibility or through a third-party conformity assessment body (CAB). Highly critical (Class II) products should always involve a third-party CAB. Finally, products certified under the EU cybersecurity certification schemes, such as the EUCC developed under the CSA, are expected to satisfy the EU Cyber Resilience Act requirements by default and can provide a presumption of conformity.
4- How does it relate to other EU policies?
The CRA complements the existing Directive on the security of Network and Information Systems (NIS2) and the existing EU Cybersecurity Act (EU CSA). It is also based on the New Legislative Framework (NLF) for industrial products, which aims to improve market surveillance and the quality of conformity assessments. It is expected to cover the cybersecurity-related requirements of the Radio Equipment Directive (RED). This means that the RED-related harmonised cybersecurity standards (currently under development) will most probably serve as a basis for the EU CRA essential requirements.
5- What are the potential Costs vs Benefits?
It is estimated that any compliance costs for businesses would be outweighed by the benefits: a higher level of product security, the prevention of divergent security requirements, and increased user trust and market adoption. It also increases competitiveness and quality standards by levelling the playing field. It would reduce the number of incidents, incident handling costs and reputational damage. For the EU this means roughly EUR 180 to 290 billion in consequential costs could be avoided. Finally, non-compliance with the CRA essential cybersecurity requirements and all relevant obligations shall be subject to fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total annual turnover for the preceding financial year, whichever is higher.
6- By when will it be applicable?
The proposal will now pass to the European Parliament and the Council, which will form their own positions before coming together for the trilogue negotiations in Q3/Q4 2023. To give all stakeholders (manufacturers, distributors, importers, CABs, Member States, ENISA, etc.) time to adapt to the new requirements, the proposed CRA regulation will become applicable 24 months after its entry into force (at the latest by Q1 2026), except for the manufacturer's reporting obligation, which would apply from 12 months after the date of entry into force (most probably by Q1 2025).
7- How could I recognize a conformant product?
I’m sure you’re all familiar with the CE marking, which you can find on all products circulating in the EU. This same mark will indicate the conformity of all products with digital elements with this regulation. Only beta releases for testing purposes could be issued without that mark, as long as they are time-limited to testing purposes. Most importantly, importers of products with digital elements must, in addition to checking the CE marking, ensure that the appropriate assessment procedures have been carried out by the manufacturer depending on the risk assessment, and that the manufacturer has created all the required technical documentation.
8- Yes, you could appoint an authorized representative
Indeed, as a manufacturer you can mandate an external authorised representative to discharge you from managing the EU declaration of conformity and to act on your behalf for market surveillance purposes.
Finally, it’s not too early to start planning accordingly, adapting your digital product strategy and choosing the right specialised partners to avoid missing the EU single market access opportunity.
This guest blog is published with the kind permission of Red Alerts Lab and originally appeared here.
If you want to learn more about the CRA and its impact, join our Roundtable on 17 April, where you can listen to the positions of the European Commission, the US NIST, standardisation organisations and industry. For the agenda and registration, please go to https://iotac.eu/iot-day-roundtable-2023/!