Cyber security through regulation? – The Cyber Resilience Act contains extensive requirements for products with digital elements

With the advance of digitalisation, ubiquitous networking and the ever-increasing importance of the IoT, the risk of cybersecurity incidents with far-reaching effects on the economy and society is also increasing. As part of its cybersecurity strategy, the EU has developed regulatory requirements to ensure the cybersecurity of products with digital elements. The regulatory concept ties in with the product safety system of the New Legislative Framework and imposes far-reaching obligations on manufacturers, importers and distributors with regard to digital security. After approval by the European Parliament, the Council of the EU adopted the Cyber Resilience Act (‘CRA’) on 10 October 2024. This means that the CRA will enter into force in a few weeks.

Background

The EU is consistently pursuing its cybersecurity strategy. For example, the EU directive on measures for a high common level of cybersecurity (NIS2 Directive) entered into force in 2023. It contains extensive cybersecurity requirements for companies in certain sectors (see article of 31 May 2023). The Digital Operational Resilience Act (DORA Regulation), which also entered into force in 2023, established a harmonised framework for managing cybersecurity and ICT risks in the financial sector. Following these sectoral provisions, the EU is now issuing comprehensive cybersecurity requirements for all products with digital elements with the Cyber Resilience Act (CRA). The CRA's regulatory system is based on the New Legislative Framework (NLF), which shapes current EU product safety law. Within its scope of application, the CRA imposes obligations that are typical of product safety law and tailors them to the specific requirements for the security of digital products.

Scope

The Cyber Resilience Act applies to all products with digital elements that are made available on the market of the European Union and whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network (art. 2 (1) CRA). The definition is very broad: in principle, it covers any software and hardware that can be used to process, store or transmit digital data. The only requirement is that the products are placed on the European market for distribution or use in the course of a commercial activity. This includes, in particular, commercially marketed IoT products.

Services that are not linked to a specific product are excluded. In practice, the distinction will raise difficult questions. For example, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) offerings are generally not subject to the Cyber Resilience Act (recital 12) – although the provider may be subject to the NIS2 Directive. However, if such a service is necessary for the product with digital elements to perform one of its functions and is designed or developed by the product manufacturer itself or under its responsibility (‘remote data processing’), the service also falls within the scope of the Cyber Resilience Act (recital 12, art. 3 no. 2 CRA). As an example of a service within scope, the text refers to cloud services for use in smart homes (recital 12).

In view of the controversial debate on free and open-source software, the trilogue negotiations brought about some changes: the CRA applies to such software only if it is supplied in the course of a commercial activity and is thus made available on the market. In principle, the decisive question is whether the manufacturer monetises the software, which is intended to draw a clear line between the development phase and the supply phase. To reflect the great importance of free and open-source software that is developed and published without being made available on the market in this sense, it is not manufacturers but so-called ‘open-source software stewards’ (the official English term; often rendered as ‘managers of open-source software’) who are addressed in this case. For them, art. 24 CRA provides a lighter set of obligations adapted to their specific situation. The CRA defines an open-source software steward as a legal person, other than a manufacturer, whose purpose or objective is to systematically provide sustained support for the development of specific products with digital elements that qualify as free and open-source software and are intended for commercial activities, and which ensures the viability of those products.

The Cyber Resilience Act allows only a few exceptions to its scope of application, for product categories that are already subject to cybersecurity requirements under special legal provisions. The CRA therefore does not apply to medical devices (Regulation (EU) 2017/745), in vitro diagnostic medical devices (Regulation (EU) 2017/746), products certified under the civil aviation rules (Regulation (EU) 2018/1139), products covered by the type-approval of motor vehicles and their trailers (Regulation (EU) 2019/2144) and certain spare parts (art. 2 para. 6 CRA). Small and micro-enterprises are to be given relief in fulfilling their obligations (e.g. through simplified forms).

Essential Requirements

Article 6 of the CRA states that products with digital elements may only be made available on the market if they meet the essential cybersecurity requirements (Annex I Part I and, with regard to the vulnerability handling processes put in place by the manufacturer, Part II), are properly installed, maintained and used in accordance with their intended purpose and, where applicable, the necessary security updates are installed. To meet these essential requirements, products with digital elements must, for example, ensure an appropriate level of cybersecurity based on the risks and be made available on the market without known exploitable vulnerabilities (Annex I Part I (1) and (2)). As is characteristic of product safety law, detailed obligations for the various economic operators along the supply chain, building on each other, are derived from this principle of product conformity.

Obligations of manufacturers

The most extensive obligations fall on the manufacturer. As usual, the manufacturer obligations also apply to a quasi-manufacturer who has the products with digital elements designed, developed or manufactured by third parties and then markets them under its own name or trademark (art. 3 no. 13 CRA). In addition, the full set of manufacturer obligations applies to anyone who makes a substantial modification to a product – i.e. one that affects compliance with the essential cybersecurity requirements or changes the intended purpose – and then places the product on the market (art. 22 CRA). Furthermore, importers and distributors are considered manufacturers if they place the product on the market under their own name or trademark or make a substantial modification to a product already placed on the market (art. 21 CRA).

Manufacturers must ensure that products to be placed on the market are designed, developed and manufactured in accordance with the essential requirements (art. 13 para. 1, art. 6 no. 1 CRA). In doing so, a manufacturer must exercise due diligence to ensure that components sourced from third parties do not compromise the security of the product with digital elements, including when integrating free and open-source software, regardless of whether that software was made available on the market as part of a commercial activity (art. 13 para. 5 CRA). To ensure that the product complies with the essential requirements, manufacturers must carry out a comprehensive cybersecurity risk assessment and take its outcome into account during the planning, design, development, production, delivery and maintenance phases, in accordance with the detailed specifications of the CRA (art. 13 para. 2, Annex I Part I (2)). The risk assessment must be included in the technical documentation that has to be prepared as usual (art. 13 paras. 4 and 12 CRA). Before the product with digital elements may be placed on the market, the manufacturer must also – as is the general rule in all NLF legal acts – subject the product to a conformity assessment procedure, issue an EU declaration of conformity and affix the CE marking, a product identification marking and its contact details to the product (art. 13 paras. 12, 15 and 16 CRA).

Depending on the product's cybersecurity classification (default products, ‘important’ products of class I or II, or ‘critical’ products), the manufacturer may carry out the conformity assessment itself or must have it carried out by a notified body (art. 27, 32 CRA). It does not matter whether the software is intended for professional use or is even made available to private users free of charge, as long as it is supplied in the course of a commercial activity. The product categories concerned can be adapted by the Commission by means of delegated acts. Interpretation difficulties are to be expected with regard to the classification of dual-use products.

According to the essential requirements, products with digital elements must, among other things,

  • be delivered with a secure default configuration and offer the option of resetting the product to its original state while retaining all security updates – unless otherwise agreed in B2B transactions,
  • offer protection against unauthorised access through appropriate control mechanisms (authentication, identity or access management systems),
  • protect the confidentiality and integrity of stored and processed data,
  • work according to the principle of data minimisation,
  • be designed, developed and manufactured in such a way as to provide the smallest possible attack surface,
  • ensure that vulnerabilities can be addressed through security updates, including, where applicable, automatic security updates enabled by default with a clear and easy-to-use opt-out mechanism,
  • deliver security updates separately from (other) functional updates as far as technically feasible, and
  • provide users with the option to permanently and easily delete all data and settings.

In addition, the manufacturer must put in place processes for the effective handling of vulnerabilities (art. 13 para. 8, art. 6 no. 2 CRA); the essential requirements for vulnerability handling are set out in Annex I Part II. These obligations apply after the product has been placed on the market, during a support period that the manufacturer determines itself and that must reflect the period in which the product is expected to be in use; it must be at least five years, unless the product is expected to be in use for a shorter time. During this period, manufacturers must, inter alia,

  • identify and document vulnerabilities and components of the products with digital elements, including by creating a software bill of materials (so-called SBOM) – however, the manufacturer should not be obliged to publish this (recital 78),

  • regularly review the security of the product and, where appropriate, update the risk assessment for the product,

  • remediate vulnerabilities without undue delay through security updates,

  • make information on remedied vulnerabilities public and provide security patches or updates free of charge – subject to agreements to the contrary in B2B transactions.
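What the SBOM obligation above looks like in practice, as an added example that is not part of the article and not taken from the CRA text: a minimal CycloneDX-shaped SBOM is assembled from a constructed component inventory and correlated with a constructed advisory list, and any match flagged as actively exploited is treated as a release blocker in the sense of Annex I Part I (2) (no known exploitable vulnerabilities at the time of making available). All package names, versions and advisory identifiers are invented; the CycloneDX field layout is assumed from the public 1.5 schema and trimmed to the fields used here.

```python
"""Added example (not from the article or the CRA): build a CycloneDX-style
SBOM from a constructed component list and match it against constructed
advisories.  Package names, versions and advisory IDs are invented."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL, e.g. "pkg:generic/libfoo@1.4.0" (constructed)


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> comparable tuple; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def build_sbom(product: str, version: str, components) -> dict:
    """Return a CycloneDX-shaped SBOM dict (layout assumed, fields trimmed)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": product, "version": version}},
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


def purl_without_version(purl: str) -> str:
    """Strip a trailing '@version'.  Only the last path segment is inspected so
    scoped names such as pkg:npm/@scope/pkg@1.0.0 keep their leading '@'.
    Qualifiers ('?arch=...') are not handled in this example."""
    last = purl.split("/")[-1]
    return purl.rsplit("@", 1)[0] if "@" in last else purl


def affected_components(sbom: dict, advisories) -> list:
    """Match SBOM components against advisories for the same package.
    An advisory applies when introduced <= version < fixed (fixed None = no fix)."""
    hits = []
    for comp in sbom["components"]:
        base = purl_without_version(comp["purl"])
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if ver < parse_version(adv["introduced"]):
                continue
            if adv["fixed"] is not None and ver >= parse_version(adv["fixed"]):
                continue
            hits.append({"component": comp["name"], "version": comp["version"],
                         "advisory": adv["id"], "fixed_in": adv["fixed"],
                         "known_exploited": adv["known_exploited"]})
    return hits


def release_blockers(hits) -> list:
    """Conservative proxy for 'known exploitable' (Annex I Part I (2)): any
    matched advisory flagged as actively exploited blocks the release.  Real
    triage would also weigh reachability and mitigations (assumption)."""
    return [h for h in hits if h["known_exploited"]]


# Constructed inventory of a fictitious smart-home gateway firmware.
COMPONENTS = [
    Component("libfoo", "1.4.0", "pkg:generic/libfoo@1.4.0"),
    Component("libbar", "2.1.3", "pkg:generic/libbar@2.1.3"),
    Component("@acme/ui", "3.0.1", "pkg:npm/@acme/ui@3.0.1"),
]

# Constructed advisories with invented identifiers (not real CVEs).
ADVISORIES = [
    {"id": "EX-2024-0001", "purl": "pkg:generic/libfoo", "introduced": "1.0.0",
     "fixed": "1.4.2", "known_exploited": True},
    {"id": "EX-2024-0002", "purl": "pkg:generic/libbar", "introduced": "2.0.0",
     "fixed": "2.1.0", "known_exploited": False},
    {"id": "EX-2024-0003", "purl": "pkg:npm/@acme/ui", "introduced": "3.0.0",
     "fixed": None, "known_exploited": False},
]


def run_check():
    """Build the SBOM, correlate it, and return (sbom, hits, blockers)."""
    sbom = build_sbom("example-gateway", "5.2.0", COMPONENTS)
    hits = affected_components(sbom, ADVISORIES)
    return sbom, hits, release_blockers(hits)


if __name__ == "__main__":
    sbom, hits, blockers = run_check()
    print(json.dumps(sbom, indent=2))
    for hit in hits:
        print(hit)
    print("release blocked" if blockers else "no known exploited vulnerabilities")
```

With the constructed data, libbar 2.1.3 is already at or above the fixed version and produces no match, @acme/ui matches an advisory without a fix (to be tracked during the support period), and libfoo matches an actively exploited advisory, which is the case that both blocks the release and, once the product is in the field, triggers the art. 14 reporting obligation.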

If the manufacturer has reason to believe that the product with digital elements does not comply with the essential requirements, it must take corrective action and, if necessary, withdraw the product from the market or recall it (art. 13 para. 21 CRA). In order to enable direct and rapid communication with users, the manufacturer must set up a single point of contact (art. 13 para. 17 CRA).

In addition to the usual duties of cooperation, reporting, providing information and submitting documents (art. 13 paras. 22 and 23 CRA), the CRA imposes a special reporting obligation on the manufacturer. If the manufacturer becomes aware of an actively exploited vulnerability in the product, it must report it to the Computer Security Incident Response Team (CSIRT) designated as coordinator under the NIS2 Directive and to the European Union Agency for Cybersecurity (ENISA) via the single reporting platform set up for this purpose, within the deadlines and with the content required by the CRA (art. 14 para. 1 CRA). Reporting is staged: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. A parallel obligation applies to severe incidents affecting the security of the product. In order to ensure the coordinated management of large-scale cybersecurity incidents and crises, ENISA may forward the reported information to the European cyber crisis liaison organisation network (EU-CyCLONe). The reporting regime is not without concern in view of the industry's coordinated-disclosure principle that unpatched vulnerabilities should be shared with as few parties as possible, and in view of the resulting concentration of information about exploitable vulnerabilities in products.

Importers

Importers are those who place products with digital elements from a manufacturer established outside the EU on the EU market (art. 3 no. 16 CRA). Before they may place such a product on the market, they must ensure that the manufacturer has fulfilled the manufacturer obligations described above (art. 19 CRA). The importer obligations of the CRA do not go beyond the usual NLF obligations, which is why they are not described in detail here. As is typical for the NLF, the importer must also provide its contact details on the product. If the product poses a significant cybersecurity risk, the importer must inform the manufacturer and the market surveillance authorities of the member states. In addition, importers must report vulnerabilities they identify to the manufacturer and, in the case of a significant risk, also to the relevant authorities, and take corrective action themselves – including a recall – if a product they have placed on the market does not conform to the requirements.

Distributors

Finally, the Regulation also requires distributors to verify the cybersecurity of products with digital elements. Here, too, the CRA stays within the usual framework of New Legislative Framework legislation. Among other things, distributors must verify before making a product available on the market that the manufacturer and the importer have fulfilled their respective obligations to provide the technical information and instructions and the declaration of conformity (art. 20 CRA). If a distributor is aware (or has reason to believe) that a product does not comply with the essential requirements, it must ensure that the necessary corrective measures are taken without delay to restore conformity or to withdraw the product from the market or recall it.

Sanctions for violations

The Regulation provides for a graduated system of heavy fines for breaches of duty:

  • For failure to comply with the essential requirements for products with digital elements (Annex I CRA), the Regulation provides for fines of up to EUR 15 million or up to 2.5% of the company's total worldwide annual turnover in the previous financial year – whichever is higher.
  • The same sanctions apply to manufacturers that breach their obligations regarding, inter alia, risk assessment, technical documentation or the reporting of vulnerabilities (art. 13 and art. 14 CRA).
  • For violations of other obligations under the Regulation, fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover of the previous financial year may be imposed.
  • Fines of up to EUR 5 million or up to 1% of the total worldwide annual turnover of the previous financial year may be imposed for false, incomplete or misleading information provided to notified bodies and market surveillance authorities.

However, administrative fines do not apply to open-source software stewards, nor to manufacturers that qualify as small or micro-enterprises for missing the 24-hour early-warning deadline for actively exploited vulnerabilities (art. 14 para. 2a CRA) and for severe incidents (art. 14 para. 4a CRA).

In order to verify compliance with the requirements of the Regulation, the market surveillance authorities are granted the right to demand information from economic operators. This exchange is meant to be open and regular. Where necessary, however, the authorities may also take covert measures, such as test purchases under a false identity (art. 60 CRA).

These fines come on top of the measures that the Regulation makes available to the market surveillance authorities (e.g. orders to eliminate an identified risk or to restrict, prohibit or recall an affected product, art. 54 CRA). In addition, violations may give rise to civil liability (warranty and product liability law) and, under the German Unfair Competition Act (UWG), to injunctive relief and claims for damages.

Outlook

Now that the Council of the EU has adopted the CRA on 10 October 2024, only the formal signing and publication in the Official Journal are still pending. The CRA will then enter into force in the next few weeks. After it enters into force, the affected economic operators will have three years to implement the requirements. However, the provisions on the notification of conformity assessment bodies will apply after just 18 months, and the reporting obligations for manufacturers will apply after 21 months. In view of the usual development times for new products, manufacturers, importers and distributors must already take the impending obligations into account and prepare for their implementation in order to avoid the risk of draconian sanctions.