New requirements for manufacturers of products with digital elements
With increasing digitisation and the networking of products, threats from digital space are also rising in equal measure: EU Commission President von der Leyen already noted last year during the State of the Union Address that if everything is networked, everything can be hacked. In order to make the EU more resilient to cyber attacks, the EU Commission announced a “Cyber Resilience Act” (CRA) last year and published a corresponding proposal today .
Target group and obligations
In accordance with the EU Commission’s presentation, the new regulation is intended to establish duties for manufacturers of products with digital elements and create binding cybersecurity requirements for them. In addition to hardware products, such as sensors and cameras, smart cards, mobile devices or network devices such as routers and switches, software products and associated services in particular are also to be covered. However, certain products, such as radio equipment or medical devices, which are covered by sector-specific legislation, are exempt from the requirements of the CRA.
According to the proposal, manufacturers of products that fall within the scope of the CRA must comply with the following requirements, among others, in the future:
- Products must meet basic cybersecurity requirements in terms of design, development and manufacturing processes even before they are launched on the market.
- Manufacturers must monitor digital products throughout their lifecycle and address any vulnerabilities through automatic and free updates.
- In the event of an incident that may affect the security of the product’s hardware and/or software, manufacturers are required to notify the EU cybersecurity authority ENISA.
Special requirements for “critical products”
Manufacturers of what the EU Commission considers “critical products” must also undergo a special conformity procedure. To this end, the CRA proposal divides certain products into two classes:
- Class 1 includes, but is not limited to, identity management systems, browsers, password managers, antivirus programs, firewalls, virtual private networks (VPNs), comprehensive IT systems, physical network interfaces, and routers and chips used in essential facilities as defined in the Network and Information Security Directive 2 (“NIS‑2 Directive”).
- The higher Class 2 includes, in particular, desktop and mobile devices, virtualised operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robotic sensors, smart meters and all IoT devices, as well as routers and firewalls for industrial use, which is considered a “sensitive environment”.
According to the EU Commission’s proposal, a third-party assessment is also to be required for Class 2 products.
Market surveillance bodies and sanctions
In order to ensure verification of compliance with the requirements of the CRA, the member states are required to establish market surveillance bodies, which are to be able to carry out EU-wide coördinated control measures. In the event of a violation, the penalties include the recall of the relevant products and fines of up to EUR 15 million or 2.5 percent of annual revenue, whichever is higher.
Following the EU Commission’s proposal published today, the European Council and the European Parliament will now deal with the proposed legislation. The Commission’s proposal provides for the new requirements to apply 24 months after the regulation enters into force, although some elements, such as the duty to report security incidents, are to apply after 12 months.
The CRA is intended to apply to all digital products in the European single market. To avoid being caught off guard by the tight implementation deadlines, manufacturers should already check the product requirements for cybersecurity that they will have to comply with in the future. Especially for products that are not yet capable of remote security updates (OTA updates), a corresponding technical channel should be created. Updatability is also becoming more important than ever in terms of potential product alerts.
Furthermore, it is noteworthy that the EU Commission has abandoned the concept of voluntary self-commitment by manufacturers. Certification in accordance with the Cyber Security Act is therefore likely to become less important, as is the BSI’s voluntary IT security label. Independent of the specific design of the CRA, there is also the question of enforcement. The GDPR demonstrates that strict legal requirements without supervisory control are more of a paper tiger. While high fines are envisaged, data protection supervisory authorities across Europe complain that they are not sufficiently equipped either financially or in terms of personnel to enforce the law.back