EU – New Cyber Resilience Act will provide cybersecurity requirements for hardware and software products


On 15 September 2022, the European Commission published its proposal for a new Cyber Resilience Act (the Act) that introduces common cybersecurity rules for placing products with digital elements on the EU market. 

The Act establishes key requirements for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities, that manufacturers take security seriously throughout the entire lifecycle of the product, and that users are able to take cybersecurity into account when selecting such products.

“Product with digital elements”

The proposed Act will apply to all “products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”. This includes products that can be connected physically via hardware interface as well as products that are connected logically (via network sockets, pipes, files, APIs or any other types of software interface). The Act explicitly covers any software or hardware products and their remote data processing solutions, including software or hardware components that are placed on the market separately.

Although stating that the proposal does not intend to regulate Software-as-a-Service (SaaS) or similar services, the Act will apply to certain remote data processing solutions relating to a product with digital elements (i.e. for which the software is designed and developed by the manufacturer or under its responsibility, and the absence of which would prevent such a product from performing one of its functions). However, cloud service providers (including SaaS) that meet the threshold for medium-sized enterprises will fall within the scope of the NIS2 Directive rather than the Act.

Some products with digital elements covered by sector-specific legislation with security requirements are excluded, for instance, medical devices for human use or for diagnostics, motor vehicles and components, systems or technical units intended for such vehicles and certain aviation products. Free and open source software developed or supplied outside the course of a commercial activity will also be out of scope, but the Act will cover open source software in situations where a company charges a price for technical support services in relation to open source software, provides a software platform through which the manufacturer monetises other services, or uses personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

Key provisions

The key aspects of the Act include:

  • rules for placing products with digital elements on the market to ensure their cybersecurity. Certain critical products with digital elements (determined on the basis of criteria such as the criticality of the software or its intended use in sensitive environments, e.g. an industrial setting), divided into class I and class II depending on the perceived cybersecurity risk level, will be subject to specific conformity assessment procedures;
  • essential cybersecurity requirements for the design, development and production of products with digital elements, as well as obligations on economic operators (from manufacturers through to importers and distributors) in relation to these products. These obligations would require manufacturers to factor cybersecurity into the design, development and production of their products, exercise cybersecurity due diligence in this process, comply with the transparency requirements on cybersecurity aspects of the product towards customers (including providing technical documentation meeting minimum requirements) and ensure security updates;
  • manufacturers will be required to perform a conformity assessment of the product and of the vulnerability handling process to demonstrate conformity with the essential requirements. Self-assessment would suffice for the majority of products; critical products, however, will be subject to stricter conformity assessment procedures, with class II products requiring a third-party assessment. Products with digital elements should bear the CE marking to indicate their conformity with the Act. Under certain conditions, software for testing purposes can be released before being subjected to conformity assessment;
  • essential requirements for manufacturers to handle vulnerabilities to ensure the cybersecurity of products throughout the whole life cycle and key obligations for economic operators in this respect;
  • manufacturers will be required to notify the EU Cybersecurity Agency (ENISA) within 24 hours of any actively exploited vulnerability in their product and of any incident having an impact on the security of the product with digital elements. ENISA will forward the notification to the national authorities designated under the NIS2 Directive, the market surveillance authority and the European cyber crisis liaison organisation network (EU-CyCLONe). The users of the product should also be notified without undue delay about the incident and, where necessary, about the corrective measures to mitigate its impact;
  • rules on market surveillance and enforcement, including steep administrative fines for non-compliance of up to EUR 15,000,000 or 2.5% of the entity’s total worldwide annual turnover for the preceding financial year, whichever is higher.

High-risk AI systems

The Act has specific rules for products with digital elements that are classified as high-risk AI systems (as defined under the proposed AI Regulation) to make sure that manufacturers of such AI systems are not subject to duplicative requirements, but also that the necessary levels of cybersecurity assurance under the regulations are not reduced.

The Act is a regulation and will be directly applicable throughout the EU. Member States will need to designate a new or existing authority to act as market surveillance authority for the supervision and enforcement of obligations under the Act on their territory. Once the Act is adopted, manufacturers will have 24 months to comply with the new requirements; the incident and vulnerability notification requirements, however, will apply 12 months after the Act enters into force. The Act also includes transitional provisions for products with digital elements placed on the market before it enters into force.

The press release is available here, the Act here, the annexes to the Act here, the Q&A here and the factsheet here.

Contact Information
Nigel Parker
Partner at Allen & Overy
+44 203 088 3136
Anna van der Leeuw-Veiksha
Senior Knowledge Lawyer - Data Protection at Allen & Overy
+31 20 674 1783
