EU Cyber Resilience Act: Essential Information

The European Union Cyber Resilience Act came into effect on December 10th. The law applies to all producers, suppliers, and importers of technology that connects to other devices or networks within the union.

Examples of products in scope include smart doorbells, baby monitors, security systems, routers, mobile applications, speakers, toys, and health trackers. Compliant products will bear a CE mark, indicating that the device meets EU standards for health, safety, and environmental protection, so that customers can factor security into their purchasing decisions.

The objective of the Act is to clarify and consistently apply existing cybersecurity regulations so that all devices sold in the EU meet a minimum level of protection. It requires tech producers, importers, and suppliers to provide security support and updates.

“Digital hardware and software products represent one of the major entry points for effective cyber attacks,” as stated on the official Act website. “In an interconnected environment, a cybersecurity incident in a single product can impact an entire organization or an entire supply chain, often spreading across internal market boundaries in a matter of minutes.”

Examples of incidents where the security of products with digital components has been abused include the WannaCry ransomware, Pegasus smartphone spyware, and Kaseya VSA supply chain attack.

“Before the European Cyber Resilience Act, the various acts and initiatives taken at Union and national levels only partially addressed the identified cybersecurity-related issues and risks, creating a legislative patchwork within the internal market,” the Act’s website details.

The law includes security requisites for all phases of a product’s lifecycle, ranging from its design and creation to production, deployment, maintenance, and eventual disposal. While the Act is now in effect, many responsibilities will be implemented gradually, with the majority required by December 11, 2027.

The Product Security and Telecommunications Infrastructure Act, which took effect in April, sets the same standard for manufacturers, importers, and suppliers of internet-of-things devices in the United Kingdom. There, each device must, at a minimum, have a unique password, a stated duration of security support, and a mechanism for reporting security issues.

Who needs to adhere to the Cyber Resilience Act?

Any enterprise producing, supplying, or importing products with digital aspects must comply with the Act. These encompass:

  • Security and access management solutions: software and hardware for privileged access management, password managers, biometric readers, etc.
  • Applications: browsers, VPNs, etc.
  • Network and security systems: firewalls, security information and event management systems, etc.
  • Essential hardware and constituents: routers, modems, microprocessors, etc.
  • Operating systems and virtualization: operating systems, boot managers, hypervisors, etc.
  • Public key and certificate management: public key infrastructure, software for digital certificate issuance, etc.
  • Smart gadgets and Internet of Things (IoT) products: intelligent assistants, smart door locks, baby monitors, security systems, internet-connected toys with interactive attributes like location tracking or recording, wearables for children, health monitoring, etc.
  • Hardware with advanced security functionalities: hardware with secure enclosures, smart meter gateways, smart cards, etc. These are deemed as “critical” products and hence will be subjected to more frequent security updates and improved vulnerability management measures. Additionally, they must possess a European cybersecurity certificate at an assurance level of at least “substantial.”

Exceptions may be granted for devices that are subject to cybersecurity requisites in other regulations, such as medical devices, aviation gadgets, and automobiles. For a comprehensive list, refer to Annex III and IV of the Act.

What does the Cyber Resilience Act entail?

For producers

  • Rectify vulnerabilities in the product for no less than five years or its lifespan, whichever is shorter.
  • Keep technical records showing adherence at each step, including designs (security should be integrated into the design by default), manufacturing specifics, and conformity evaluations.
  • Attach the CE marking to compliant products and guarantee that accurate instructions are accessible in the languages of the target markets.
  • Inform the European Union Agency for Cybersecurity, ENISA, and the assigned Computer Security Incident Response Team of actively exploited vulnerabilities within 24 hours of becoming aware of them. A fuller vulnerability notification must follow within 72 hours and a final report within either 14 days or a month.
  • Notify consumers and market surveillance authorities if the enterprise ceases operations.

For importers

  • Verify compliance of products with regulations by reviewing the producer’s documentation.
  • Maintain technical documentation and conformity statements accessible for no less than ten years after the product’s launch.
  • Report non-compliant or hazardous products to manufacturers or pertinent authorities.

For suppliers

  • Check the producer’s or importer’s documentation before introducing products to the market to assure adherence to regulations.
  • Guarantee that storage and transportation conditions do not jeopardize product compliance.
  • Keep records of suppliers and clients to simplify recalls or other safety measures.
  • Report non-compliant or hazardous products to the producer or importer.

If importers or suppliers release the product under their own brand or if an entity makes substantial alterations before making it available on the market, they will also be held to the same standards as manufacturers.

How will the implementation of the Cyber Resilience Act be ensured?

The European Union Cyber Resilience Act will be enforced primarily through conformity assessments and market surveillance. Most assessments can be conducted internally, whereas critical products must be evaluated by certified third parties. Procedures may differ according to the level of risk associated with the product. National market surveillance bodies will oversee compliance by conducting inspections, carrying out tests, and scrutinizing documentation.

What consequences arise from non-conformity?

Manufacturers failing to comply with the legislation may face fines of up to €15,000,000 or an amount equivalent to 2.5% of their worldwide annual turnover for the preceding financial year, whichever is higher.

Importers and distributors not adhering to the regulations could be fined up to €10,000,000 or an amount equivalent to 2% of their total worldwide annual turnover for the preceding financial year, whichever is higher. Measures such as recalls and bans may also be enforced to rectify the situation.

Criticism of the Cyber Resilience Act

The Cyber Resilience Act has faced criticism from some quarters. In 2023, 34% of CISOs and leaders in cybersecurity worldwide identified legislation as a primary source of stress, singling out the E.U. Cyber Resilience Act.

According to Harley Geiger, a legal expert specializing in data protection at Venable LLP, the impact of the legislation on cybersecurity in the E.U. could parallel that of the GDPR on privacy. Nevertheless, he expressed apprehension regarding the mandatory requirement for companies to report vulnerabilities that have been exploited within 24 hours of their identification.

Geiger conveyed to TechRepublic in 2023: “The concern here is that within a 24-hour window, it is improbable that the vulnerability will be resolved or mitigated. Consequently, there is a possibility of accumulating a list of software vulnerabilities that remain unaddressed, circulated among numerous E.U. government entities.”

He elaborated that ENISA would share this information with the cybersecurity response teams of the concerned member states and the surveillance departments.

“If the software is utilized pan-Europe, more than 50 government bodies could potentially be implicated. The influx of reports in such a scenario could be substantial,” he warned TechRepublic. “This situation is perilous and heightens the risk of unauthorized exposure or exploitation of this data for intelligence objectives.”
