“We need to protect our IT area, our cyberspace, and our internal market” – EU Internal Market Commissioner, Thierry Breton (September 2022).
With the publication of the proposal for a Cyber Resilience Act (CRA) on 15 September, the European Commission hopes to reduce the cybersecurity vulnerabilities of connected devices and increase user trust in connected hardware and software products placed on the EU Single Market.
In this blog post, we unpack the Commission’s proposal to consider the potential sticking points in the product conformity process and in cybersecurity vulnerability handling, before looking at the role of the Council and European Parliament.
The CRA lays down minimum essential requirements that manufacturers must comply with at the time of placing a product on the market, together with requirements for the disclosure and handling of cybersecurity vulnerabilities. These essential requirements (e.g., that products are not to be placed on the market with known vulnerabilities) are intended to ensure the cybersecurity of products at the time they are placed on the market and for up to five years afterwards.
The CRA is not sector-specific; it applies to all connected hardware and software products, including embedded and non-embedded software. The CRA also lays down obligations on manufacturers to report exploited vulnerabilities in the product to both the EU Cybersecurity Agency (ENISA) and users.
Before placing a product on the market, the manufacturer must ensure that the product has been designed, developed, and produced in conformity with the mandatory essential cybersecurity requirements. After placement of the product on the market, the manufacturer must meet the vulnerability handling requirements, possibly for up to five years if the product is intended to last that long.
Conformity with essential requirements
Manufacturers demonstrate conformity with the essential cybersecurity requirements for products and the minimum vulnerability handling requirements through a self-assessment under their own internal control process, followed by drawing up an EU declaration of conformity and affixing the “CE” conformity marking. Products with digital elements which hold a statement of conformity under an EU certification scheme, or which meet harmonised EU standards, are presumed to conform.
Additionally, the European Commission has defined a classification of critical products which cannot rely on self-assessment alone. “Class I” critical products, such as password managers, network interfaces, firewalls, and microcontrollers, must undergo either the standard EU-type examination procedure or a third-party assessment.
The higher-risk products under “Class II”, such as operating systems, industrial firewalls, CPUs and secure elements, are subject to a third-party full quality assessment procedure. The criteria for critical products are based on their functionality (e.g., critical software), their intended use (e.g., by critical entities under the NIS2 Directive) and other factors (e.g., the extent to which an adverse impact could affect a plurality of persons).
Importers and distributors
The obligations on importers and distributors follow existing EU product regulations. Before placing the product on the market, importers are ultimately to ensure that the manufacturer has undertaken the conformity assessment procedure, drawn up the technical documentation, and affixed the CE marking. The distributor is to verify that the product bears the CE marking and that both the manufacturer and importer have met their obligations. If an importer or distributor makes a substantial modification to the product, they assume the obligations of the manufacturer.
Some manufacturers may already (choose to) subject their IoT devices to third-party conformity or verification procedures, but the mandatory use of such procedures for critical products under the CRA could lead to administrative bottlenecks and delays, especially if the list of critical products is broadened.
The classification of products is expected to be a key issue of debate – we see that consumer groups are against self-assessment for products that target vulnerable groups like children.
The requirement to notify only ENISA of an exploited cybersecurity vulnerability will, on the face of it, be welcomed by many manufacturers as a means of streamlining their reporting obligations under the CRA. However, if a single cyber incident triggers reporting under the CRA, DORA (the Digital Operational Resilience Act), and the NIS2 Directive, then a manufacturer could be subject to four different reporting provisions and four different recipient entities. The co-legislators must take a common-sense approach to regulation if the legislation is to respect the objectives of the CRA.
Potential sticking points
The presumption of conformity for products covered by an EU certification scheme has the potential to result in de-facto mandatory certification, which goes against the voluntary nature of certification schemes under the Cybersecurity Act. This would be the case where manufacturers would otherwise choose only self-assessment for their non-critical products, and where EU certification is meant to be used competitively, as a badge that makes a company more attractive to consumers.
Meanwhile, the 24-hour deadline for a manufacturer to notify ENISA of an exploited vulnerability may be seen by the industry as too short. Under the NIS2 Directive, the European Parliament secured a staged reporting obligation, resulting in a 72-hour window for incident reporting, to align with the General Data Protection Regulation (GDPR). The EPP is one group which will likely push again for a 72-hour deadline, with the S&D expected to champion the central role of ENISA.
While intending to close the vulnerability gap for connected devices, the CRA will need to ensure legal certainty for economic actors who are subject to existing law, including the Cybersecurity Act, NIS2 Directive, and Radio Equipment Directive.
The CRA will be put under the scrutiny of the EU Member States in the Council and the members of the European Parliament. Following the publication of the proposal, cybersecurity attachés have already been briefed by the Commission and have started to read through the proposal within the Horizontal Working Party on Cyber Issues.
In the European Parliament, the Industry, Research and Energy (ITRE) Committee will lead on the CRA under the Italian MEP Nicola Danti, who belongs to the Renew group. Danti, formerly of S&D, was that group’s shadow rapporteur on the Cybersecurity Act. The Internal Market and Consumer Protection (IMCO) Committee will give its opinion, as the CRA is a product security proposal aimed at improving the functioning of the internal market and user trust in devices. The Civil Liberties (LIBE) Committee will also play a role, mainly on data protection.
The cybersecurity of the Internet of Things (IoT) has long been seen as an area of concern for the EU. Two-thirds of cyber-attacks exploit the vulnerabilities of connected products.
The CRA represents an effort by the European Commission to ensure that devices are not placed on the market with known vulnerabilities and that emerging vulnerabilities can be patched throughout the products’ lifetimes.
To reiterate, the CRA is an opportunity to improve the cybersecurity of IoT devices, but many aspects of the proposal need to be clarified through a scrutiny process by the Council and Parliament to ensure that they are workable and effective. Stakeholders can provide their initial views to the Commission on the proposal for a Cyber Resilience Act until 21 November 2022.