The Cyber Resilience Act and steps forward in March 2024

Reading time: 6 minutes - Difficulty: advanced

The latest update of the Cyber Resilience Act raises as many questions as it answers with regard to the version of the regulation voted for by the European Parliament. Read this article to find out about the regulatory changes to be implemented.

Text adopted by Parliament and the situation in Europe

On March 12, 2024, the European Parliament adopted the text of the Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements, which amends Regulation (EU) 2019/1020 on market surveillance.

The Cyber Resilience Act is due to be approved by the Council and published in the Official Journal of the European Union.

We know that the regulation will enter into force 20 days after publication in the OJEU and will apply 36 months after that date (i.e. around mid-2027).

As mentioned in a previous article, the Cyber Resilience Act aims to establish conditions for the development of secure products with digital elements, ensuring the cybersecurity of (hardware and software) products placed on the EU market.

The various acts and initiatives adopted by the Union to date only partially address cybersecurity issues and risks, leaving a legislative framework for the internal market that increases legal uncertainty for both manufacturers and end users. One thing, however, is certain.

All products with digital elements, either integrated in or connected to an electronic information system, can be vehicles for a cyber attack.

As a result, even hardware and software considered to be less critical can be used to compromise a device or network, enabling attackers to gain unlawful access to systems.

The aim of the Cyber Resilience Act, therefore, is to ensure that products are protected by manufacturers, regardless of whether the data is processed or stored locally on the user’s device or remotely by the manufacturer.


The manufacturer’s responsibilities

Manufacturers must exercise due diligence with respect to the integration of components, including free and open source software, developed by third parties. The appropriate level of due diligence depends on the nature and level of the cybersecurity risk associated with a particular component.

There is also an obligation to manage the vulnerabilities of products with digital elements in their entirety, including all integrated components, and to duly report the vulnerabilities encountered.

Lastly, there is the obligation, among others, for manufacturers to prepare an EU declaration of conformity.

With regard to the CE marking of products, manufacturers must observe the requirements in Annex I, which are:

  • Part 1, Section 1: Essential Requirements for Design, Development and Production
  • Part 1, Section 2: Cybersecurity Requirements
  • Part 2: Requirements for Vulnerability Management

We will cover this point in more detail further on, but first we need to look at the concept of substantial modification.

The Product Liability Directive 85/374/EEC is complementary to the Cyber Resilience Act.

Where security is deficient due to the lack of security updates after the product has been placed on the market, and this leads to damage, the manufacturer is held responsible.

A product should be considered substantially modified if a software update changes its intended use. The modifications may be ones not envisaged by the manufacturer in the initial risk assessment, or the nature of the hazard or the level of cybersecurity risk may have increased as a result of the software update made available on the market.

Final implementation of the Cyber Resilience Act

The regulation on horizontal requirements for products with digital elements applies generally to devices such as laptop computers, smartphones, sensors, routers and industrial control systems; to software or firmware products; and to hardware/software components such as computer processing units.

The regulation also applies to:

  • Products intended for use in vehicles other than cars, trucks and trailers (approval categories M, N, O), namely motor vehicles of category L, agricultural vehicles (categories T, R and S) and off-road mobile machinery (category Z)
  • Products for use in rail systems
  • Products covered by the Machinery Regulation (EU) 2023/1230, in conjunction with that regulation

The Cyber Resilience Act does not apply to:

  • Products covered by the Medical Devices Regulation (EU) 2017/745
  • Products covered by the In Vitro Diagnostics Regulation (EU) 2017/746
  • Products covered by the Regulation on type-approval requirements for motor vehicles (EU) 2019/2144
  • Products with digital elements certified in accordance with Regulation (EU) 2018/1139 (Civil Aviation)
  • Products covered by Directive 2014/90/EU (Marine Equipment)
  • Products regulated by other Union rules whose requirements address all or some of the risks covered, as specified by delegated acts
  • Spare parts
  • Products developed or modified exclusively for the purposes of national security or defense

The products subject to the regulation are divided into classes according to their level of risk: Class I Important Products and Class II Important Products (both listed in Annex III), plus Critical Products, listed in Annex IV, which carry significant risk, such as gateways and smart cards.

One open point remains: the Commission may amend Annexes III and IV to add or remove products from the lists and to change the level of assurance required.

It should be pointed out that Article 24 of the Cyber Resilience Act is directed at providers of free and open source software, specifying that they fall within the scope of the cybersecurity requirements when such software is supplied as part of a commercial activity, while a lighter regulatory regime is reserved for software that is not supplied commercially. This does not, however, exempt anyone from adopting cybersecurity policies for the proper management of vulnerabilities.

CE marking, security requirements and penalties

The security objectives of EU cybersecurity certification schemes define the minimum acceptable level of security by setting the degree of assurance (“basic,” “substantial” or “high”) based on the risk associated with the intended use of the products.

We now need to fit the pieces of the puzzle together to form a picture of which rules to follow to declare conformity:

Module                                    | Mod. B and C with Notified Body                                                   | Mod. H with Notified Body       | Mod. A with Self-Assessment | Reg. (EU) 2019/881 ³
Procedures                                | EU type examination + conformity to EU type based on internal production control  | Comprehensive quality assurance | Internal control procedure  | Risk level
Important Products – Class I (Annex III)  | X                                                                                 | X                               | X ¹                         | Substantial or high
Important Products – Class II (Annex III) | X                                                                                 | X                               | –                           | Substantial or high
Critical Products (Annex IV)              | X ²                                                                               | X ²                             | –                           | To be confirmed
Products not included in Annex III or IV  | –                                                                                 | –                               | X                           | Substantial or high

¹ If the manufacturer has applied harmonized standards. ² If the requirements of the EU certification scheme have not yet been adopted. ³ EU cybersecurity certification scheme (where available/applicable).

With regard to essential requirements:

The essential requirements set out in the Cyber Resilience Act include the principle of Secure Development (Annex I, Sec. 1): the obligation to ensure an appropriate, risk-based level of protection and to implement an organization and processes for secure product development. This is framed as a technical requirement to be applied on the basis of the risk assessment.

As mentioned, vulnerability management is also key, and in particular the ability to regularly test and review the security of products with digital elements, providing effective mechanisms to securely deploy product updates.


In conclusion, failure to comply with essential cybersecurity requirements is punishable by administrative penalties of up to:

  • €15,000,000, or
  • if the offender is an enterprise, up to 2.5 percent of its total annual worldwide turnover for the previous financial year, whichever is higher.

It is never too early to get informed, and the area covered by the Cyber Resilience Act is decidedly urgent.