The European Union (EU) released a proposal to introduce cybersecurity requirements for “products with digital elements” on September 15, 2022. The draft proposal, known as the Cyber Resilience Act, puts forth a regulatory framework to shore up cybersecurity of hardware and software products. A copy of the proposal was reviewed by Medianama for this summary.
The proposal defines a ‘product with digital elements’ as any “software or hardware product and its remote data processing solutions”, including software or hardware components placed on the market separately. In practice this brings within scope any digital product, wired or wireless, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
“Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack. And yet, today most of the…products are not subject to any cybersecurity obligations,” Thierry Breton, Commissioner for the Internal Market, said in a statement.
The European Commission (EC) said that the proposal intends to create conditions for the following:
- Ensuring that hardware and software products are developed and placed on the market with fewer vulnerabilities;
- Allowing users to take cybersecurity into account when selecting and using products with digital elements;
- Directing manufacturers to take security seriously throughout a product’s life cycle.
Why it matters: The EC said that digital products are the target of successful cyberattacks, citing an estimated global annual cost of cybercrime of €5.5 trillion. It described the proposal as the first ever EU-wide legislation of its kind to introduce mandatory cybersecurity requirements for digital products throughout their whole lifecycle.
- Moreover, it is likely to bolster cybersecurity of products available in the EU and may propel countries around the world to follow suit.
Key takeaways from the bill
The Commission said that the legal basis for this proposal is Article 114 of the Treaty on the Functioning of the European Union (TFEU), which provides for the adoption of measures to ensure the establishment and functioning of the internal market.
“The purpose of the proposal is to harmonise cybersecurity requirements for products with digital elements in all Member States and to remove obstacles to the free movement of goods,” read the proposal.
What does the proposal stipulate: The proposal lays down rules on the following—
- Design, development and production of digital products, and obligations for economic operators with respect to cybersecurity;
- Vulnerability handling processes put in place by manufacturers to ensure cybersecurity during the whole life cycle;
- Market surveillance and enforcement of these rules.
It must be noted that the proposal does not apply to digital products developed exclusively for national security or military purposes, or specifically designed to process classified information.
Obligations of manufacturers
The proposal mandates that a manufacturer ensures that the product has been designed, developed and produced in accordance with the essential requirements set out in the proposal. To comply with this obligation, the manufacturer has to undertake an assessment of the cybersecurity risks associated with the product.
The company will then have to take the outcome of that assessment into account “during the planning, design, development, production, delivery and maintenance phases of the product”.
“…with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users,” read the proposal.
- Technical documentation: Manufacturers also have to include the cybersecurity risk assessment in the technical documentation, and have to lay down a “clear justification” in that document where certain essential requirements are not applicable to the marketed product.
- They have to keep the technical documentation and the EU declaration of conformity, at the disposal of the market surveillance authorities for ten years after the respective product has been placed on the market.
- Moreover, manufacturers have to ensure that the accompanying information and instructions are in a language which can be easily understood by users. “They shall be clear, understandable, intelligible and legible,” read the proposal, adding that they must allow for secure installation, operation and use of the product.
- Dealing with third-party suppliers: The proposal directs manufacturers to exercise due diligence when integrating components sourced from third parties in their products. “They shall ensure that such components do not compromise the security of the product with digital elements,” read the proposal.
- Documenting risks: “The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects…including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product,” the proposal stated.
- Handling vulnerabilities: Manufacturers have to handle the vulnerabilities of a digital product “effectively” for the product’s expected lifetime or for a period of five years from the placing of the product on the market, whichever is shorter.
- Coming up with procedures: The manufacturers have to put in place “appropriate policies and procedures”, which includes coordinated vulnerability disclosure policies, to process and address potential vulnerabilities reported from internal or external sources.
- Declaration of conformity: The manufacturers have to draw up an EU declaration of conformity to state that the fulfilment of the applicable essential requirements has been demonstrated.
- CE Marking: Manufacturers have to affix the CE marking to their digital products “visibly, legibly and indelibly”.
- Complying with authorities: The manufacturers have been asked to comply with information requests from market surveillance authorities in a language which can be easily understood by them.
- “They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements, which they have placed on the market,” the legislation stated.
- A manufacturer that ceases its operations and, as a result, can no longer comply with the proposed rules will have to inform the market surveillance authorities of this before the cessation takes effect. It also has to inform the users of the product, by any means available and to the extent possible.
Reporting obligations of manufacturers
The legislation mandates that a manufacturer notifies ENISA (European Union Agency for Cybersecurity) of any actively exploited vulnerability contained in its products without undue delay, and in any event within 24 hours of becoming aware of it.
“The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken,” read the proposal.
The same 24-hour notification applies to any incident having an impact on the security of the digital product. That notification has to cover information on the severity and impact of the incident, and indicate whether the manufacturer suspects the involvement of unlawful or malicious actors or considers the incident to have a cross-border impact, the proposal outlined.
Intimating users: The manufacturer has to inform users of the product about any security incident without undue delay and, where necessary, about corrective measures that users can deploy to mitigate its impact.
- Furthermore, if a manufacturer identifies a vulnerability in a component integrated into its product, it has to report that vulnerability to the person or entity maintaining the component. This applies even if the component is open-source.
Preparing reports: The proposal also calls for ENISA to prepare a biennial technical report on emerging trends regarding cybersecurity risks in digital products based on the notifications received by it.
Appointing a representative: The legislation permits manufacturers to appoint, by written mandate, an authorised representative to perform tasks specified in the proposal, including keeping the technical documentation and declaration of conformity at the disposal of authorities and liaising with them on information requests.
Outlining procedure for market surveillance
The proposal directs every EU member state to “designate one or more market surveillance authorities” to oversee effective implementation of the legislation.
These authorities have to be provided with adequate financial and human resources to fulfil their tasks under this regulation, as per the rules. They may “provide guidance and advice to economic operators on the implementation of this regulation”.
The market surveillance authorities have to report to the EC on an annual basis the outcomes of relevant market surveillance activities.
- Extent of access: The market surveillance authorities will be granted access to the data required to “assess the design, development, production and vulnerability handling of such products, including related internal documentation of the respective economic operator”.
- Dealing with significant cybersecurity risk: The authority will have to carry out an evaluation of the product when there are reasons to believe that a product, including its vulnerability handling, presents a significant cybersecurity risk.
- It can compel the relevant operator to take corrective actions for compliance with the rules which can include asking the operator to withdraw the product, or recall it within a reasonable period, depending upon the risk.
- Compliant products that still pose a risk: Even where a digital product complies with the rules, if it presents a “significant cybersecurity risk”, or a risk to the health or safety of persons, the market surveillance authority can direct the operator to take all appropriate measures to ensure that the product no longer presents that risk, or to withdraw it from the market or recall it within a reasonable period.
- Sweeps: The market surveillance authorities can conduct “simultaneous coordinated control actions” of particular digital products to check compliance or detect infringements.
Provisions on confidentiality and penalties
“All parties involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities…,” read the proposal.
The measure is to protect the following:
- Intellectual property rights, and confidential business information or trade secrets, including source code,
- Effective implementation for the purpose of inspections, investigations or audits;
- Public and national security interests;
- Integrity of criminal or administrative proceedings.
There is also a provision in which member states can exchange, where necessary, “sensitive information with relevant authorities of third countries” with whom they have confidentiality arrangements “guaranteeing an adequate level of protection”.
What are the penalties?
The legislation requires EU member states to lay down rules on penalties applicable to infringements of the regulation, and to take all measures necessary to ensure that they are enforced.
“The penalties provided for shall be effective, proportionate and dissuasive,” read the proposal.
What are the fines?
Violating essential requirements: Non-compliance with the essential requirements, or with the manufacturers’ obligations (including the reporting obligations described above), will result in administrative fines of up to 15 million euros. The rules clarify that if the offender is an undertaking, it can instead be fined up to 2.5 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.
- Violations which are not covered above: The rules propose administrative fines of up to 10 million euros, or up to 2 percent of a company’s total annual turnover worldwide for the preceding financial year, whichever is higher, if it is an undertaking.
- Supplying wrong information: “The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to €5,000,000 or, if the offender is an undertaking, up to 1 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher,” read the rules.
The authorities will have to keep the following in mind when deliberating upon the quantum of fines:
- Nature, gravity and duration of the infringement and of its consequences;
- Whether fines have been already applied by other market surveillance authorities to the same operator for a similar infringement;
- Size and market share of the operator committing the infringement.
You can download a copy of the proposal here.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.