Europe has not been idle in recent years in terms of legislative initiatives regarding cybersecurity. Both existing and future legislation should make the European market safer in all areas. As a result, in the future, every organization will be increasingly obliged to juggle instruments such as the GDPR, NIS(2), Data Act, Data Governance Act, AI Act, Cyber Security Act, Product Liability Directive, … and last but not least the Cyber Resilience Act (CRA).
A Proposal for this Regulation (CRA) was already published on September 15, 2022, and aims basically that:
- products with digital elements marketed in the EU are secure.
- manufacturers remain responsible for cybersecurity throughout the life cycle of a product. The manufacturer has a legal duty to ensure security by design, to provide an appropriate level of security, a mandatory risk assessment, and a conformity assessment.
- importers and distributors, in turn, must verify that the products meet the aforementioned essential requirements, which creates a tiered responsibility.
- and that consumers enjoy the necessary protection through the manufacturer’s obligation of transparency regarding technical security and any updates based on detailed and understandable information.
New kids on the block
This Proposal of the CRA is currently in full swing. The last version was published with changes on August 31, 2023. We list in a nutshell some latest additions that are relevant for every CISO:
- Remote processing or storage
The definition of products with digital elements also includes remote data processing solutions to ensure that such products are adequately secured in their entirety by their manufacturers, irrespective of whether data is processed or stored locally on the user’s device or remotely by the manufacturer. The processing or storage at a distance is covered only in so far as necessary for a product with digital elements to perform its functions. This could for instance be the case where a hardware device requires access to an application programming interface or a database developed by the manufacturer. The requirements concerning the remote data processing solutions under the scope of this Regulation do not therefore entail technical, operational, and organisational measures aimed at managing the risks posed to the security of their network and information systems as a whole.
- No stricter security requirements
In line with the objective of this Regulation to remove obstacles to the free movement of products with digital elements, Member States cannot impose further cybersecurity requirements for the making available on the market of products with digital elements.
- Commercial activity
This Regulation applies only to products with digital elements in the course of a commercial activity. The supply might be characterized not only by charging a price for a product, but also by charging a price for technical support services when this does not serve only the recuperation of actual costs or pursues a profit or the intention to monetize, by providing a software platform through which the manufacturer monetizes other services, or by requiring as a condition for use, the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. The circumstances under which the product has been developed, or how the development has been financed should not be taken into account when determining the commercial or non-commercial nature of that activity.
- Newly available security updates
One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the latest available security updates as soon as possible. Manufacturers should therefore design their products and create processes to ensure that products with digital elements include functions that enable the notification, distribution, download, and installation of security updates automatically. They should also provide the possibility to approve the download and installation of the security updates as a final step, as well as clear instructions on how users can opt out of automatic updates.
- Integration of third-party components
When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should exercise due diligence. The appropriate level of due diligence measures should be informed by the nature and level of the cybersecurity risk associated with the component and, for this purpose, take into account specific factors, such as the way in which the component contributes to the functionality of the product and the extent to which it has access to data processed by the product with digital elements.
- Essential requirements applicable to each individual product
Essential requirements, including vulnerability management handling requirements, apply to each individual product with digital elements when placed on the market, irrespective of whether the product with digital elements is manufactured as an individual unit or in series.
- Justification in the risk assessment
Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment included in the technical documentation. This could be the case where an essential requirement would be incompatible with the nature of a product with digital elements. For example, specific interoperability requirements.
- The concept of expected lifespan
Manufacturers should determine the expected product lifetime. To that end, they should take into account the time users reasonably expect to be able to use the product with digital elements given its functionality and intended purpose and therefore can expect to receive security updates. In addition, they should also be able to take into account other elements, such as:
- relevant Union law determining the lifetime of products with digital elements
- the nature of the product with digital elements, including the licensing terms under which it is made available.
- the expected availability of the operating environment the product with digital elements is intended for; the lifetime of products with digital elements offering a similar functionality placed on the market by other manufacturers, including, where available, relevant guidance provided by market surveillance authorities.
- as well as the lifetime of integrated components that provide core functions and are sourced from third parties.
Get your sheep on dry land
We just discussed some new topics, but clearly, this legislation will raise a lot of new questions in practice. For any company wishing to commercialize a product with digital elements on the European market, the CRA will be a challenge to implement this set of new legal security obligations in a timely manner. This requires an organization to deploy quite a lot of resources within a limited time. Each organization only has a period of 24 months from the time the CRA becomes final.
In addition, the CRA is only one part of a full legislative framework with an overlap of different legislative instruments (see, for example, the references at the top of this article) that make all security obligations a complex legal tangle.
So be sure to get the assistance of a cybersecurity lawyer and start preparing early so that costs can be spread over a longer period of time. You can convince your organization’s board in advance because every cybersecurity law provides for liabilities that can also affect each board member personally.
Questions about cybersecurity or the Cyber Resilience Act?
Please feel free to schedule a video call with us through the booking link on this page or send us an e-mail (firstname.lastname@example.org) and we’ll be happy to get in touch with you.