EU Cyber Resilience Act: Cybersecurity Obligations for Connectable Hardware and Software Products Including IoT
The Internet of Things (IoT) segment has grown, and with it have come many examples of vulnerable products, from babycams whose feeds could be viewed by strangers online to hackable implantable cardiac devices. There are also infamous examples of botnets (i.e., clusters of hacked devices) featuring millions of IoT devices with one common trait: weak security.
The U.S. has had in place both laws and standards designed to address data security. While there is a general obligation to secure data in the General Data Protection Regulation (GDPR), recent developments in Europe show a greater focus on security of information in general, not just personal data.
In 2020 in the United Kingdom, the British government announced that it would work on legislation to require compliance with security requirements or specific standards for consumer connected products. One of the requirements touted was, for instance, a prohibition on setting universal default passwords. This requirement, in turn, would trigger an obligation to ensure that all passwords within a connected device are unique and strong to avoid granting hackers easy access to millions of products once a default password has been cracked. The resulting Product Security and Telecommunications Infrastructure Bill, currently being considered by the House of Lords, will give the UK Secretary of State authority to impose specific security requirements for “internet-connectable” and “network-connectable” products or require compliance with a given standard.
In the European Union, the European Commission published on September 15, 2022 a proposal for a “Cyber Resilience Act,” an EU Regulation “on horizontal cybersecurity requirements for products with digital elements.” This Regulation would require any manufacturer of a “product with digital elements” (i.e., “any software or hardware product and its remote data processing solutions”) to meet minimum cybersecurity requirements to be able to place that product on the EU market.
The concept of a “product with digital elements” does not appear to be limited to hardware + software combinations, as a number of categories of products listed in an annex to the draft Cyber Resilience Act are today pure “software” products, such as a wide range of cybersecurity tools. Thus, the scope of the Cyber Resilience Act is not limited only to IoT products.
The draft Cyber Resilience Act calls in effect for security by design by requiring manufacturers to design, develop, and produce products in accordance with cybersecurity requirements. Notably, manufacturers will be required to undertake an “assessment of the cybersecurity risks associated with [the] product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases [...] with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents.” This echoes provisions of the draft “NIS 2” Directive (a proposal for a Directive “on measures for a high common level of cybersecurity across the Union”) as well as the principle of “data protection by design and by default” found in the GDPR.
Under the provisions of the draft Cyber Resilience Act, manufacturers will have reporting obligations in relation to actively exploited vulnerabilities on the one hand and security incidents on the other. They will be required to inform ENISA, the EU Cybersecurity Agency, of (i) "any actively exploited vulnerability" contained in the product and (separately) (ii) "any incident having [an] impact on the security" of the product, in each case “within 24 hours of becoming aware of it.” In addition, manufacturers will have to inform users of the incident “without undue delay and after becoming aware” of it. Beyond information regarding the incident, they would also have to inform users, “where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.”
Moreover, the draft Cyber Resilience Act requires manufacturers to carry out conformity assessment procedures, draw up technical documentation, and ensure that the product bears a relevant CE marking. The interrelationship between this document and existing conformity assessment procedures for products must be carefully evaluated.
The draft Cyber Resilience Act does not place the regulatory burden only on manufacturers. Importers and distributors involved in placing products on the EU market are subject to specific obligations as well, notably in relation to documentation and CE markings. An importer or distributor will moreover be subject to the full obligations of a manufacturer if, for example, the product is marketed under the importer/distributor’s name or trademark, or if the importer/distributor carries out “a substantial modification” of the product already placed on the market.
The security requirements themselves appear to be future-proof and technology-neutral, for instance, the obligation to ensure products are “delivered with a secure by default configuration, including the possibility to reset the product to its original state” or that they are “designed, developed and produced to limit attack surfaces, including external interfaces”. In many ways, these requirements appear to reflect the common principles underlying information security best practices. Products belonging to a “critical” category (this includes a wide range of categories, such as identity management systems, password managers, malware detection software, microcontrollers, operating systems, routers, smart meters, etc.) are then subject to stricter rules, in particular a specific conformity assessment procedure.
The draft Cyber Resilience Act includes links to the draft AI Regulation as well (also under discussion at the Commission). If a product is classified as a “high-risk” AI system under the draft AI Regulation, compliance with the Cyber Resilience Act requirements will automatically be considered as compliance with the cybersecurity requirements under the AI Regulation.
As with other examples of recent legislation (from the GDPR to the Digital Markets Act and Digital Services Act), the draft Cyber Resilience Act includes tough penalties to ensure compliance, as non-compliance can lead to recall or withdrawal of the product from the market or another corrective action and can also lead to fines of up to 15 million EUR or 2.5% of the total worldwide turnover, whichever is higher. These fines are not the maximum risk for companies in case of non-compliance, though, as the draft Cyber Resilience Act explicitly states that it is “without prejudice to [the GDPR]” – which could lead to important questions of liability if a particular action or behaviour constitutes an infringement upon both sets of rules.
Now is the time to ensure that your information security practices are up to speed and that all levels within your organization are properly involved in the devising, rolling out, and maintaining a strong cybersecurity strategy that takes into account all applicable legislation. Companies operating globally will, of course, also need to follow the relevant national policy and guidance as it develops.