On September 15, 2022, the European Commission presented a proposal for a new Cyber Resilience Act (“Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020”) to protect consumers and businesses from products with digital elements that have inadequate security features.
As recognized by the European Commission, while there are several statutes and regulations that apply to products with digital elements, currently EU legislation lacks a comprehensive framework governing the cybersecurity of products with digital elements in a uniform manner.
The aim of the new Cyber Resilience Act is to ensure that products with digital elements marketed in the EU have fewer vulnerabilities, while at the same time making the manufacturers responsible for cybersecurity throughout products’ life cycles. It will also improve transparency regarding security of hardware and software products, with an eye to granting better protection to both business and consumer users.
Scope of the proposal[1]
The new Cyber Resilience Act will apply to products with digital elements, i.e., any software or hardware product and its remote data processing solutions “whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.”[2]
The proposal identifies three different categories of products,[3] based on their functionality, intended use, and other criteria (such as the adverse impact on people, both potential and actual):
- Default Category products: these are “non-critical products” and are subject to self-assessed compliance. These include approximately 90 percent of the products subject to the Cyber Resilience Act,[4] such as photo editing products, word processing products, smart speakers, hard drives, and games.
- Critical products – Class I, which require the application of a standard or third-party assessment. These include password managers, network interfaces, firewalls, and microcontrollers.
- Critical products – Class II, which to be marketed must be subject to a mandatory third-party assessment and include operating systems for servers, desktops, and mobile devices, industrial firewalls and prevention systems, microprocessors, public key infrastructure and digital certificate issuers, and the like.
Significantly, the Cyber Resilience Act sets forth specific rules applicable to products with digital elements amounting to high-risk AI systems as defined under the proposed AI Regulation.
Main obligations
The Cyber Resilience Act provides detailed obligations for manufacturers that must be considered when planning, designing, developing, producing, and delivering products with digital elements, as well as when carrying out any maintenance activity. These include the following:
- A cybersecurity assessment must be carried out and, based on the results, the manufacturer must implement the measures listed under Annex I to prevent the relevant risks. These include secure by default configuration, control mechanisms ensuring protection from unauthorized access, encryption of data at rest or in transit, minimization measures, and the like.
- Due diligence obligations when components from third parties are integrated into products with digital elements, so that they do not compromise the security of the products.
- Once sold, manufacturers must warrant that for the expected product lifetime or for a period of five years (whichever is shorter), vulnerabilities shall be handled effectively and in accordance with the requirements set forth under the Cyber Resilience Act.
- Manufacturers who know or have reason to believe that their products are not compliant with the essential requirements set forth in Annex I shall immediately take appropriate measures, including (in the most extreme cases) recalling their products.
- Manufacturers will also have to notify the European Cybersecurity Agency (the “ENISA”) of any actively exploited vulnerabilities or incidents that concern products with digital elements.
- Manufacturers are also obliged to fulfill minimum information obligations to users, which include comprehensive technical documentation about the products. This information shall be provided in a language that can easily be understood by users and shall allow for secure installation, operation, and use of the products with digital elements.
Penalties and enforcement
The penalties for noncompliance with the requirements and obligations set forth in the Cyber Resilience Act can be up to EUR 15 million or 2.5 percent of total worldwide annual turnover for the preceding financial year—whichever is higher—for the most serious violations.[5]
Each Member State must designate an independent authority to exercise enforcement and supervision powers in relation to the Cyber Resilience Act.
Cyber Resilience Act timeline
The European Parliament and the European Council will examine the proposed Cyber Resilience Act. After it is adopted, businesses will have two years to adapt to the new requirements, while the notification obligation to ENISA will apply after one year.
The Cyber Resilience Act and its annexes are available here.
[1] Article 2 and Annex III.
[2] Article 6.
[3] Annex III.
[4] Factsheet on the Cyber Resilience Act drafted by the European Commission, accessible here.
[5] Article 53.