
EU Cyber Resilience Act: the new cybersecurity regulation in Europe


During our recent visit to Embedded World 2024 in Nuremberg we had a chance to gauge the community's awareness of the new EU regulation, the Cyber Resilience Act (CRA). Many companies, including Microsoft, gave presentations bringing the regulation to the attention of the community. We were glad to see that the management of almost all vendors we spoke with had already heard of it. The act has already been endorsed by the EU Parliament, while final adoption by the EU Council is expected in November 2024.


WHAT IS IT ALL ABOUT THEN?

In 2021 EC President von der Leyen announced the Cyber Resilience Act [1], planned as an addition to the existing baseline cybersecurity framework formed by the Directive on the security of Network and Information Systems [2] and the Cybersecurity Act [3]. The Cyber Resilience Act complements the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive [4].


MOTIVATION

As put forward on the EU web site [5], it is "the regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, [which] bolsters cybersecurity rules to ensure more secure hardware and software products". The motivation is to address the high cost of cybercrime involving hardware and software products, estimated at €5.5 trillion. The reasons are listed as:

- low level of cybersecurity and widespread vulnerabilities in the products,

- insufficient and inconsistent provision of security updates,

- insufficient information provided to end users for them to select the right products with adequate cybersecurity properties and to use the products securely [5].

The EU legal framework so far does not cover the whole general class of "products with digital elements", such as non-embedded software, although there is legislation applying to specific products. For example, the existing framework does not cover all digital products, such as those not falling under the Radio Equipment Directive or the Medical Devices Regulation. Also, the current regulatory framework falls short in cybersecurity requirements covering the whole life cycle of a product [6].


OBJECTIVES

Moving forward, two main objectives were identified, aiming to ensure the proper functioning of the internal (EU) market [5]:

  1. Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities, and ensure that manufacturers take security seriously throughout a product's life cycle; and

  2. Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Also, four specific objectives were set out [5]:

  1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle.

  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.

  3. Enhance the transparency of security properties of products with digital elements, and

  4. Enable businesses and consumers to use products with digital elements securely.


CURRENT STATUS

At this point we should remind the reader that the Cyber Resilience Act (CRA) was officially endorsed by the European Parliament on 12 March 2024, after initial approval by the EU Council in December 2023, while final adoption by the EU Council is expected in November 2024. There will be a 36-month grace period after that for companies to adopt it, but the incident reporting obligation will be in force 21 months after that date.

The CRA covers all products with digital elements, including the cloud, except those to which the following EU acts apply:

- EU 2017/745 (Medical devices) [7]

- EU 2017/746 (In vitro diagnostic medical devices) [8]

- EU 2019/2144 (Type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users) [9]

- Products certified under EU 2018/1139 (common rules in the field of civil aviation...) [10]

- Products developed exclusively for national security or military purposes, or products specifically designed to process classified information.

The Annexes of the CRA are: "Essential cybersecurity requirements for the products", "The minimum information and instructions that should be provided to the users", "The list of critical product types", "EU declaration of conformity details", "Technical documentation requirements" and "Conformity assessment procedures" (downloadable from the web [5]).

WHO IS OBLIGATED TO COMPLY

The proposed regulation [5] assigns obligations to the following economic operators of "products with digital elements":

- Manufacturers

- Authorized representatives

- Importers

- Distributors.

The details of the obligations of each class of economic operator can be found in the proposal, in Articles 10 to 17. It is worth emphasizing that manufacturers are responsible for designing, developing and producing the products in accordance with the essential cybersecurity requirements, so the integration of security features should start from the design phase.

PENALTIES:

Penalties in the case of non-compliance are listed as follows:

- Non-compliance with the essential cybersecurity requirements and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

- Non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

- The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.


WHEN WILL THIS REGULATION ENTER INTO FORCE?

As it appears in the proposal:

This Regulation shall enter into force after a 36-month grace period, but the incident reporting obligation will be in force 21 months after the final adoption by the EU Council.

CONCLUSION:

In this summary we covered the key subjects taken from the proposal documents published by the EC about the coming Cyber Resilience Act. This reflects our understanding so far, given as heads-up information, and we carefully avoided interpretation. (*) We think that this regulation will lead to better cybersecurity postures in the products with digital elements sold in the EU market, which will have positive effects globally as well. The reader is encouraged to read the CRA document and its annexes at reference [5].

 

(*) The information contained in this document is provided for informational purposes only and should not be construed as legal or business advice. The links in this document refer to other web sites, whose security and privacy practices are the responsibility of the respective web site owners.

REFERENCES:

[1] https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_21_4701

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

[3] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

[4] https://single-market-economy.ec.europa.eu/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en

[5] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

[6] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en

[7] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745

[8] https://eur-lex.europa.eu/eli/reg/2017/746/oj

[9] https://eur-lex.europa.eu/eli/reg/2019/2144/oj

[10] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1139
