EU Cyber Resilience Act: What to expect

The European Commission recently proposed the EU Cyber Resilience Act, a regulation on cybersecurity requirements for products with digital elements. The proposal introduces a wide range of technical and governance measures that manufacturers of these products must implement in the design and development phase and throughout the product life cycle, and it provides for potentially heavy fines in case of non-compliance. It is one of many EU cybersecurity laws and initiatives currently being negotiated and finalized as part of broader efforts to shape the EU’s digital agenda. These notably include the broader cybersecurity governance requirements proposed under the NIS 2 directive, which is intended to apply to critical industries, the DORA regulation for the financial services sector and the EU cybersecurity law.

Rules for products with digital elements

What constitutes a “product” falling within the scope of the law is defined very broadly and includes any form of software or hardware that is intended to be, or can reasonably be foreseen to be, connected to a network or to another device.

Certain products are, however, excluded from the scope of the proposal, such as medical devices subject to the Medical Devices Regulation or products developed exclusively for national security or military purposes.

Security requirements for EU market access for software and hardware

The main objective of the proposal is to establish a minimum cybersecurity standard for the development of software and hardware products, with specific obligations for the different actors in the supply chain. The manufacturers (including the developers) of the products concerned bear the most significant obligations and will have to ensure that their products meet the essential cybersecurity requirements. These requirements primarily comprise a set of technical standards that sit alongside other organizational and governance requirements. Risk assessment and risk management principles are central to the proposal’s approach, with particular attention to vulnerability management and disclosure. Specifically, under the proposal, products must be:

  • Subject to an assessment of the cybersecurity risks associated with the product.

  • Designed, developed and produced, taking into account the identified risks, in such a way as to ensure a level of cybersecurity appropriate to those risks, including, where necessary, by implementing certain essential technical measures.

  • Delivered with no known exploitable vulnerabilities and subject to appropriate policies and procedures to detect and remediate potential vulnerabilities.

  • Accompanied by safety information and instructions to ensure transparency to the user of the product.

Manufacturers must also carry out a conformity assessment procedure. Depending on the type of product (i.e. whether it is considered “normal” or “critical”) and on whether harmonized standards, common specifications or European cybersecurity certification schemes are followed, different procedures for demonstrating conformity apply. Manufacturers must ensure their product is CE marked, exercise due diligence if they use third-party components, and document their actions. To ensure security throughout the product lifecycle, manufacturers must have vulnerability management processes in place, including addressing and remediating vulnerabilities, and reporting exploited vulnerabilities or detected security incidents both to ENISA (the European Union Agency for Cybersecurity) and to the user.

Importers may only import products that meet the minimum requirements. They are required to verify that the manufacturer has carried out the conformity assessment, holds the correct technical documentation and that the product carries the correct certification.

Distributors must “act with due care” in relation to the requirements of the proposal. They have the obligation to verify that the product bears the CE marking and that the manufacturer and the importer have complied with their obligations.

Enforcement

Failure to comply with essential cybersecurity requirements is punishable by administrative fines of up to EUR 15,000,000 or up to 2.5% of an economic operator’s total worldwide annual turnover for the previous fiscal year, whichever is greater.

Supervision and enforcement of the standards set out in the law is the responsibility of market surveillance authorities, which are to be designated by each EU member state. In the event of non-compliance, these authorities may require the operator concerned to take all appropriate corrective measures to bring the product into compliance with the requirements of the cyber resilience law, to withdraw it from the market or to recall it within a reasonable time.

Next steps

The Parliament and the Council of the EU will now examine the proposal and discuss possible modifications. Once agreed and adopted by the European legislator, the cyber resilience law should apply after two years. An exception is provided for the obligation to report vulnerabilities, which will apply one year after adoption. Transitional rules are foreseen for certain products, such as those which have already obtained a certificate or an approval decision for cybersecurity requirements and which are subject to other EU legislation, or which were placed on the market before the Cyber Resilience Act came into effect.
