European upcoming cybersecurity legislation – Current State of Play
In a significant milestone, the European Commission, Council, and Parliament jointly announced the successful conclusion of negotiations on the text of the Cyber Resilience Act (CRA). This announcement marks a crucial step towards the completion of the CRA’s journey through the EU legislative process, expected to culminate early next year. As we detailed in our previous communication on the Commission’s proposal, the CRA is designed to introduce pioneering cybersecurity obligations for a diverse range of digital products distributed within the European market. While a comprehensive overview of the agreed-upon text will be provided upon finalization and publication, this article offers a concise summary of the key provisions and their implications.
Timeline and Transition
The CRA is poised to be phased in, with its enforcement scheduled to commence in late 2025. This phased transition period allows stakeholders to adapt to the forthcoming regulatory landscape effectively.
Obligations for Digital Product Stakeholders
The scope of the CRA’s impact extends to manufacturers and importers of “products with digital elements” (PDEs), a category encompassing both hardware and software products. Though the final text is pending release, the anticipated obligations, derived from pre-agreement drafts and associated reports, are as follows:
(1) Cybersecurity-by-Design: Manufacturers must design PDEs to meet specified essential cybersecurity requirements, using risk assessment methodologies to mitigate known vulnerabilities.
(2) Conformity Assessments: PDEs will undergo conformity assessments to ensure compliance with established cybersecurity standards.
(3) Timely Vulnerability Notifications: Identified vulnerabilities must be reported promptly (within 24 hours) to the relevant national cybersecurity authority, the entity responsible for maintaining the vulnerable PDE, and potentially the European Union Agency for Cybersecurity (ENISA).
(4) Disclosure of Security Incidents: In the event of severe security incidents, stakeholders must disclose such occurrences to ENISA, the relevant national cybersecurity authority, and the users of the affected PDE.
(5) Due Diligence on Imports: Stringent due diligence procedures are to be conducted for imported PDEs, reinforcing the commitment to cybersecurity across borders.
A more in-depth summary of the agreed-upon provisions will follow once the finalized text has been ratified and published. The Cyber Resilience Act reflects the European Union’s commitment to strengthening cybersecurity measures and fostering a secure digital environment for all stakeholders involved. Further insights into the regulatory landscape that will shape the future of digital product governance in Europe will follow.
Member states’ representatives have reached a common position on this proposed Cyber Resilience Act.
The regulation has undergone adjustments concerning reporting obligations, highly critical products category, and product lifetime before receiving endorsement at the ambassadorial level.
Reporting obligations have been introduced in the cybersecurity regulation, requiring manufacturers to notify the competent authority of any cybersecurity incidents or exploited vulnerabilities. The responsibility for this reporting has been shifted from ENISA to national Computer Security Incident Response Teams (CSIRTs), with encouragement for member states to establish a single national entry point for reporting.
CSIRTs that receive the reports must share them with their peers through a single reporting platform, unless there are valid cybersecurity-related reasons to delay transmission. ENISA will build the pan-European platform based on the CSIRTs’ specifications and must promptly notify any cybersecurity incident affecting the platform itself.
Previously added flexibility for manufacturers in reporting deadlines has been removed.
Regarding highly critical products, the latest version removes explicit references to the term. Instead, the European Commission will have reduced discretion on this matter and must conduct an impact assessment before requesting mandatory certification for specific product categories.
The concept of expected product lifetime has also been included, with manufacturers required to indicate the expected product lifetime for security updates. The elements considered for this calculation have been moved to the preamble, and market surveillance authorities’ entitlement to request justification for the product lifetime calculation has been removed.
Responsibility for compliance with the cybersecurity law shifts to the economic operator making substantial modifications to a connected device. However, this responsibility is waived for security patches that do not alter the product’s intended purpose. Products with digital elements developed or modified by public administrations for their exclusive use are also exempted.
Enforcement of the regulation will involve EU market surveillance authorities issuing guidance documents to facilitate national-level enforcement. Spare parts exclusively manufactured to replace identical components in connected devices have been excluded from the regulation’s scope, with specific requirements to follow the same development and production processes as the original product.
The Spanish Presidency of the Council of the European Union has released a semi-final version of a draft of the Cyber Resilience Act that significantly reduces the number of product categories that must comply with specific regulations. The draft law stipulates that product manufacturers must self-assess their compliance, except for certain categories of products that require external vetting by authorized auditors. The revised list of special product categories includes Class I and II products, which are essential for the cybersecurity of other products or carry a high risk of adverse effects if manipulated.
Revised list of Class I products
Class I products now include anti-virus software, boot managers, digital certificate issuance software, operating systems, network interfaces, internet routers, microprocessors, and microcontrollers. Class II products encompass Virtual Private Networks (VPNs), runtime systems supporting virtualized execution of operating systems, and firewalls.
Highly critical products
The law also introduces a category for highly critical products, allowing the European Commission to mandate EU cybersecurity certification, but with limitations on its discretion. The Commission must conduct an impact assessment and specify the required level of assurance proportionate to the product’s risk level.
Administrative requirements and reporting
The draft law also mandates product manufacturers to report cybersecurity incidents and vulnerabilities to national Computer Security Incident Response Teams (CSIRTs), removing ENISA’s direct involvement. CSIRTs will guide the platform’s security arrangements and may delay notifications under justified circumstances. Manufacturers are required to determine the expected lifetime of their products based on various factors.
The Council text also includes provisions to ease administrative burdens for small and micro companies and clarifies that the regulation does not apply to spare parts exclusively supplied by the original product manufacturer with digital elements.
The Cyber Resilience Act is one step closer to becoming a reality
On July 5th, EU lawmakers involved in the European Parliament’s leading Industry Committee will discuss various aspects of the Cyber Resilience Act (CRA), including the treatment of open source, the support period for products, the reporting obligations, and the timeline for implementation.
Prior to the meeting, a largely consolidated version of the text has been shared. The committee is scheduled to vote on the regulation on July 19th.
A redefined and clarified scope of application
Following clarifications, the regulation’s scope now includes remote data processing solutions integrated into connected devices, such as cloud-enabled functionalities for smart home appliances.
However, websites that are not directly linked to a product with digital elements, or that fall outside the manufacturer’s responsibility for cloud services, are not considered remote data processing solutions under this regulation. The scope also excludes free and open-source software that is not used in a commercial setting; a setting is considered commercial where developers employed by commercial entities control modifications to the code.
Manufacturers must show due diligence
Manufacturers that incorporate components from third parties, including free and open-source software, into their products are required to exercise due diligence to ensure compliance with the cybersecurity requirements. If a vulnerability is discovered during this process, the manufacturers should address it and inform the component developer about the security patch they applied. Manufacturers of components must provide all relevant information to the final product manufacturer to comply with the regulation.
The regulation introduces a support period, which now includes the timeframe for handling vulnerabilities. Manufacturers are expected to determine the support period proportionate to the product’s expected lifetime and provide relevant information to market authorities upon request. Authorities are responsible for ensuring that manufacturers accurately determine the support period.
The proposal requires manufacturers to establish a single point of contact for communicating with market surveillance authorities on cybersecurity matters. The new wording clarifies that this requirement also applies to online marketplaces that act as intermediaries or produce connected devices.
The regulation addresses high-risk vendors, but the language has been toned down compared to previous versions.
Small and medium-sized enterprises
MEPs emphasize the need for the Commission to support small and medium-sized enterprises (SMEs) in complying with the regulation by streamlining financial support through programs like the Digital Europe Programme. Member states are also encouraged to consider complementary actions.
After review, EU countries may now establish controlled testing environments with the support of ENISA, the EU cybersecurity agency. Manufacturers of products using high-risk AI systems under the AI Act can participate in regulatory sandboxes established under that regulation.
The rapporteur proposed extending the date of application from 24 to 40 months and extending reporting obligations from 12 to 20 months after the regulation’s entry into force. However, these aspects may still undergo significant changes at the political level.
EU Council Proposes Amendments to the Cyber Resilience Act
The European Union Council, representing its 27 member states, is actively engaged in shaping a revised cybersecurity law that aims to strengthen digital security within the EU. A new fully reviewed text indicates that the Council is making significant adjustments.
Several noteworthy developments have emerged from this review.
The Swedish EU Council presidency introduced two supplementary requirements to promote user privacy and data protection.
Firstly, every IoT device should have a unique product identifier to enable easy identification during the rollout of security patches.
Secondly, manufacturers must empower users to remove all data and settings securely, including Wi-Fi network access, when disposing of the product.
Moreover, manufacturers are required to include a justification in the cybersecurity risk assessment if an essential requirement does not apply to a particular product.
The Council aims to implement more rigorous assessments for critical products. These are categorized according to specific criteria and will therefore be subject to external audits to ensure their cybersecurity resilience. The categories have been changed to reflect the evolving threat landscape.
The first criterion for critical products is whether they have cybersecurity-related functionality that performs critical security functions such as authentication, access control, intrusion prevention, endpoint security or network protection.
The second criterion covers products that perform core system functions such as network management, configuration control, virtualization, personal data processing, or functions whose compromise could disrupt many connected devices.
The updated compromise made changes to the categories for both criteria, removing some products and adding new ones.
Standardization and Certification
The Cyber Resilience Act includes provisions for issuing technical standards to ensure compliance. The industry will drive standardization, but if the resulting standard deviates significantly or isn’t provided on time, the European Commission can issue common specifications.
The Council cautions against this due to the complexities involved and limits the Commission’s discretion; member states can contest non-compliant specifications. The act also narrows the Commission’s discretion in cybersecurity certification schemes.
Product Lifecycle and Reporting Requirements
The Council has extended the product lifecycle by removing the previous five-year limit.
Additionally, automatic security updates are proposed as the default option for connected devices, but exceptions are made for certain products integrated into other components or where automatic updates may interfere with operations.
Reporting of incidents and vulnerabilities will be directed to national Computer Security Incident Response Teams (CSIRTs), although the role of the EU cybersecurity agency, ENISA, is still under discussion.
Manufacturers will be required to inform users about corrective measures in a standardized, structured, and machine-readable format in case of incidents.
Additional National Measures
While harmonization is a goal of the Cyber Resilience Act, national governments have the option to impose additional security requirements for ICT products used by entities classified as essential or important under the revised Networks and Information Security Directive (NIS2).
IoT device manufacturers are first in line when it comes to compliance.
While free and open-source software, for now, does not fall under the purview of the Cyber Resilience Act, commercial software that includes remote data processing solutions will need to comply with the Act.
IoT device importers, distributors and resellers have many requirements under the CRA and in some circumstances can even be considered as manufacturers themselves.