Reading Time: 5 minutes Difficulty: AdvancedThe need to protect companies and users who purchase and use products, software and components in the digital sphere is becoming increasingly urgent; the Cyber Resilience Act, a regulation for the CE marking of digital products connected to the internet, is therefore one of the regulatory references we will hear more about.
The need to protect companies and users who purchase and use products, software and components in the digital sphere is becoming increasingly urgent; the Cyber Resilience Act, a regulation for the CE marking of digital products connected to the internet, is therefore one of the regulatory references we will hear more about.
What is the Cyber Resilience Act? An introduction to the Regulation
The Cyber Resilience Act will be implemented, presumably in 2023, on the basis of the proposal for a European Regulation released in September 2022, for the CE marking of digital products connected to the internet.
This will in fact be linked to the New Machinery Regulation for the marking of cybersecurity products, the presumption of conformity of which will also be valid for the purposes of the applicable essential safety requirements of the Machinery Regulation (for example ESR 1.1.9).
The objective of the Cyber Resilience Act is in fact to define a broader regulatory framework for the information security of digital products connected to the internet, setting down more stringent obligations for placing these products on the EU market.
This complements the ENISA Regulation 2019/881, also referred to in the New Machinery Regulation in regard to the presumption of conformity, as a common cybersecurity certification framework.
The Cyber Resilience Act establishes the importance of documents, security features, continuous monitoring of possible vulnerabilities, and the consequent availability of security updates.
The Cyber Resilience Act divides cybersecurity products into three risk classes:
- Class II (critical products with obligation of the certification authority)
- Class I (critical products)
- Default category, subject to self-declaration (non-critical products)
Class II products:
- Operating systems for servers, desktop computers and mobile devices
- Hypervisors and container runtime systems that support the virtual running of operating systems
- Public key infrastructure and digital certificate issuers
- Firewalls, intrusion detection and/or prevention systems for industrial use
- Routers and modems for connection to the internet and switches for industrial use
- Industrial automation and control systems (IACS) intended for use by essential entities of the type referred to in Annex I to Directive NIS2, such as programmable logic controllers (PLCs), distributed control systems (DCSs), computer numerical controllers for machine tools (CNCs) and supervisory control and data acquisition (SCADA) systems
- IIoT devices intended for use by essential entities of the type referred to in Annex I to Directive NIS2
Class I products:
- Identity Management System Software and Privileged Access Management Software
- Software that scans for, removes, or quarantines malicious software
- Products with digital elements with virtual private network (VPN) function
- Security Information and Event Management (SIEM) systems
- Management of updates/patches, including boot managers
- Remote access/sharing software
- Firewalls, intrusion detection and/or prevention systems not classified in class II
- Routers and modems for connection to the Internet and switches, not in class II
- Industrial automation and control systems (IACS) not covered by class II, such as programmable logic controllers (PLCs), distributed control systems (DCSs), computer numerical controllers for machine tools (CNCs), and supervisory control and data acquisition (SCADA) systems
Do you want to help our page grow?
Follow us on LinkedINLearn more about how to prepare for the Cyber Resilience Act
Let’s look more specifically at what compliance with the Cyber Resilience Act will involve..
The Cyber Resilience Act starts from the assumption that protecting consumers and organizations from cybersecurity risks means protecting their data and their infrastructure.
In this sense, the Regulation establishes the terms for inspection and sanctioning by the national market surveillance authorities of the Member States, requiring them to provide the national data protection authorities with any significant information; and reserves to ENISA the task of considering remedial measures.
In fact, the Cyber Resilience Act requires the manufacturer to guarantee the IT security of the products right from the design phase and throughout the entire life cycle (including after-sales support, which is necessary for the resolution of vulnerabilities).
More specifically, digital products connected to the internet must:
- be provided with a secure default configuration
- ensure protection against unauthorized access through control and authentication mechanisms
- protect the privacy of data
- protect the integrity of data
- follow the principle of data minimization, limiting data collection to only what is required to fulfill a specific purpose.
- protect the availability of product features and related services
- be designed to limit potentially vulnerable interfaces
- be developed to mitigate the risk of an IT incident
- provide information such as access or modification of data, services or functions
- ensure that security updates can mitigate vulnerabilities
In parallel with the New Machinery Regulation
In a similar way to the New Machinery Regulation recently approved and being published, the Cyber Resilience Act will no longer only address the manufacturer or the developer. The roles of importer and distributor have been introduced; they are also responsible for the circulation on the European market of products in line with information security requirements.
Another point of affinity between the two regulations concerns the substantial changes.
In fact, in the event of substantial changes, such as significant software updates over time or maintenance, a new assessment must be carried out if these changes adversely affect the conformity of the product.
Which products does the Cyber Resilience Act apply to?
As mentioned, the Cyber Resilience Act addresses different classes of products with different levels of risk, which include both physical digital products, such as IoT devices, and intangible digital products, i.e. software embedded in devices.
More generally, it will apply to all “products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network” – (article 2 of the proposed Regulation).
On the other hand, connected devices to which sector legislation already applies, such as medical devices, civil aviation devices, or software-as-a-service are excluded from the Cyber Resilience Act.
When is the Cyber Resilience Act expected to take effect?
Currently in the state of proposal, the Cyber Resilience Act will soon have to be discussed by the European Parliament and Council. Following the future approval, manufacturers will have 12 months to report any vulnerabilities found, and a further 12 months to adapt to the new rules.
It’s never too early to get informed, and the area covered by the Cyber Resilience Act is decidedly urgent.
Do you want to help our page grow?
Follow us on LinkedINGo back to the blog