What’s this all about?
Cybersecurity legislation keeps growing apace. The EU’s “Proposal for a Regulation Of The European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020” (“the EU Cyber Resilience Act proposal”) was approved this summer by the Council of the EU. It will complement other EU cyber legislation such as the NIS legislation and DORA (we have written FAQs about DORA, which can be found here: https://www.corderycompliance.com/eu-dora-faqs-0923-05/). This article looks at the key aspects of this legislative proposal.
Why are rules being made about this?
Hardware and software products are increasingly subject to successful cyberattacks, leading to a massive ever-mounting global annual cost of cybercrime. These products seem to suffer from:
- A low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them; and,
- An insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
While existing EU legislation applies to certain so-called “products with digital elements”, most hardware and software products are currently not covered by any EU legislation tackling cybersecurity aspects, including the cybersecurity of non-embedded software. Therefore the EU Cyber Resilience Act proposal was introduced to plug the cybersecurity gaps – products with digital elements will only be able to be on the EU market when they comply with the requirements of the EU Cyber Resilience Act proposal as finally adopted.
What does it cover in a nutshell?
The EU Cyber Resilience Act proposal lays down:
- Rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- Essential requirements for the design, development and production of products with digital elements, and obligations for so-called economic operators in relation to these products with respect to cybersecurity;
- Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during their whole product life cycle, and obligations for economic operators in relation to these processes; and,
- Rules on market surveillance and enforcement of the above-mentioned rules and requirements.
What does it apply to?
The EU Cyber Resilience Act proposal applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
The term “products with digital elements” covers any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. Certain products that fall under other EU rules are expressly excluded from the EU Cyber Resilience Act proposal.
Who falls within scope?
Those who fall in scope in differing ways under the EU Cyber Resilience Act proposal in relation to various products with digital elements are:
- Manufacturers (including developers), along with their authorized representatives;
- Importers; and,
- Distributors.
What are the main obligations?
The EU Cyber Resilience Act proposal sets out various cybersecurity requirements concerning products with digital elements, including the following:
Manufacturers
- When placing a product with digital elements on the EU market, manufacturers must ensure that it has been designed, developed and produced in accordance with essential requirements set out (in broad terms) in the EU Cyber Resilience Act proposal;
- For the purposes of complying with the requirements referred to immediately above, manufacturers must undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of such incidents;
- When placing a product with digital elements on the market, manufacturers must include a cybersecurity risk assessment in the technical documentation, as detailed in the EU Cyber Resilience Act proposal;
- Manufacturers must systematically document relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties;
- When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of such products on the market, whichever is shorter, manufacturers must ensure that vulnerabilities of such products are handled effectively and in accordance with the essential requirements as detailed in the EU Cyber Resilience Act proposal;
- Manufacturers must have appropriate policies and procedures, including coordinated vulnerability disclosure policies to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources;
- Manufacturers must carry out the chosen conformity assessment procedures referred to in the EU Cyber Resilience Act proposal or have them carried out, following which manufacturers must draw up the EU declaration of conformity and affix the CE marking, in accordance with what is detailed in the EU Cyber Resilience Act proposal;
- Manufacturers must ensure that products with digital elements are accompanied by information and instructions, as detailed in the EU Cyber Resilience Act proposal;
- Manufacturers must, without undue delay and in any event within 24 hours of becoming aware of it, notify the European Union Agency for Cybersecurity (ENISA) of: (a) any actively exploited vulnerability contained in the product with digital elements. The notification must include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken; (b) any incident having an impact on the security of the product with digital elements. The incident notification must include information on the severity and impact of the incident and, where applicable, indicate whether the manufacturer suspects the incident to be caused by unlawful or malicious acts or considers it to have a cross-border impact. Manufacturers must also inform, without undue delay after becoming aware, the users of the product with digital elements about the incident and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident;
Importers
- Importers must only place on the market products with digital elements that comply with the essential requirements set out in the relevant parts of the EU Cyber Resilience Act proposal. Importers also have various obligations including ensuring that: (a) the appropriate conformity assessment procedures have been carried out by the manufacturer; (b) the manufacturer has drawn up the appropriate technical documentation; and, (c) the product with digital elements bears the CE marking and is accompanied by the information and instructions for use;
- Importers who know or have reason to believe that a product with digital elements which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements detailed in the EU Cyber Resilience Act proposal must immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements detailed in the EU Cyber Resilience Act proposal, or withdraw or recall the product, if appropriate; and,
- Upon identifying a vulnerability in the product with digital elements, importers must inform the manufacturer without undue delay about that vulnerability. Where the product with digital elements presents a significant cybersecurity risk, importers must immediately inform the market surveillance (regulatory) authorities of the EU country in which they made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken;
Distributors
- When making a product with digital elements available on the market, distributors must act with due care in relation to the requirements of the EU Cyber Resilience Act proposal;
- Before making a product with digital elements available on the market, distributors must verify that: (a) the product with digital elements bears the CE marking; and, (b) the manufacturer and the importer have complied with certain obligations as detailed in the EU Cyber Resilience Act proposal;
- Where a distributor considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements detailed in the EU Cyber Resilience Act proposal, the distributor must not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity. Where the product with digital elements poses a significant cybersecurity risk, the distributor must inform the manufacturer and the appropriate EU country market surveillance (regulatory) authorities to that effect;
- Distributors who know or have reason to believe that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with the essential requirements detailed in the EU Cyber Resilience Act proposal, must make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity are taken, or to withdraw or recall the product, if appropriate; and,
- Upon identifying a vulnerability in the product with digital elements, distributors must inform the manufacturer without undue delay about that vulnerability. Where the product with digital elements presents a significant cybersecurity risk, distributors must immediately inform the market surveillance (regulatory) authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.
Who will regulate it?
EU country market surveillance (regulatory) authorities will be responsible for the supervision and enforcement of the EU Cyber Resilience Act, once it is in full force.
These authorities will have the power to impose fines and to require non-compliant organizations to take all appropriate corrective actions to bring a product with digital elements into compliance with the requirements of the EU Cyber Resilience Act proposal, or to withdraw it from the market, or to recall it.
These authorities will also have the power to undertake so-called “sweeps” (subject to national procedures) of products with digital elements to check for compliance or to detect infringements of the EU Cyber Resilience Act proposal requirements.
At the EU level the European Commission also has a regulatory role to play with regard to products with digital elements that present significant cybersecurity risks and are non-compliant with the requirements as detailed in the EU Cyber Resilience Act proposal – such products can be withdrawn or recalled etc. at the EU-wide level.
What are the sanctions for failure to comply?
At the higher level (concerning manufacturers’ obligations), fines for non-compliance can be imposed of up to €15 million or up to 2.5% of an organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.
At the lower level, concerning non-compliance with other obligations, fines can be imposed of up to €10 million or up to 2% of an organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.
What are the next steps?
The Council of the EU (made up of the Ministers of EU countries) has agreed a so-called “Common Position” and is negotiating with the European Parliament on the final version of the EU Cyber Resilience Act proposal.
It is possible that the EU Cyber Resilience Act proposal might be adopted as final legislation before the elections for the European Parliament in early June 2024, but, as with much other outstanding draft EU legislation still to be finalized, the EU Cyber Resilience Act proposal might not be finally adopted until some point after summer 2024, with full application two years after that.
What about the UK?
At this stage the UK government has not introduced any similar proposal. But, given the interest and awareness in the UK about cyber-security and cyber resilience issues, it may only be a question of time until mandatory cyber-security requirements are introduced for hardware and software products.
Takeaways
Organizations that may be affected by the EU Cyber Resilience Act proposal should follow developments closely so as to be better prepared to deal with it when it is eventually in full application.
Resources
We report about data cyber-security issues here: https://www.corderycompliance.com/category/cyber-security/.
We have written about NIS legislation here https://www.corderycompliance.com/eu-nis2-cyber-rules-1/, here https://www.corderycompliance.com/client-alert-nis-2-directive/, and here: https://www.corderycompliance.com/nis-regime-an-introduction/.
The European Commission proposal can be found here https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454.
Information about the Council of the EU’s Common Position can be found here https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Jonathan.armstrong@corderycompliance.com

André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 347 2365
Andre.bywater@corderycompliance.com