The European Commission published a proposal for a Cyber Resilience Act on 15 September 2022 (the ‘Regulation’), which aims to:
- ensure that cyber security is considered during the development of hardware and software products and is continuously improved throughout that product’s life cycle; and
- improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.
The Regulation will apply to products with a data connection to another device or network, which will include both internet of things and software products. Existing EU legislation, such as the draft NIS2 Directive and Regulation 2019/881, focuses on ensuring a high level of cybersecurity for services provided by essential entities but does not directly set mandatory security requirements. Through this proposed Regulation, the European Commission intends to establish comprehensive cybersecurity requirements that address the gaps in existing cybersecurity legislation. Consequently, the Regulation will not apply to products which are already regulated by other EU cybersecurity legislation: for example, certain Software as a Service (SaaS) products regulated by the proposed NIS2 Directive, and medical devices caught by Regulation (EU) 2017/745 and/or Regulation (EU) 2017/746, are both exempt.
Essential cyber security requirements
The Regulation further sets out a list of essential cyber security requirements that in-scope products must comply with before being brought to market. These requirements include ensuring that products are delivered without any known vulnerabilities, and that their settings are configured to be secure by default.
Obligations of manufacturers, distributors and other parties in the supply chain
Obligations will be put in place for manufacturers, distributors, importers and other parties to reflect their respective roles and responsibilities in the supply chain. For example, manufacturers will need to:
- carry out a cyber-security risk assessment and take the outcome of that assessment into account during the development of the in-scope products; and
- report (1) any actively exploited vulnerability, being any vulnerability for which there is reliable evidence that malicious code was executed without permission, or (2) any incident affecting the security of an in-scope product, to the EU cybersecurity agency ENISA within 24 hours of becoming aware of the vulnerability or incident. They will also need to inform users.
In-scope products with an increased cyber-security risk can be labelled as ‘critical products’, and will be subject to specific conformity assessment procedures. The Commission is also empowered to adopt delegated legislation which specifies categories of ‘highly critical products’, for which manufacturers will be required to obtain a European Cyber Security Certificate.
Manufacturers will be required to provide clear instructions which allow the user to securely install and operate the in-scope products.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cyber-security requirements will impact their manufacturing and distribution processes. Whilst the majority of the obligations will come into effect 24 months after entry into force, manufacturers will only have twelve months to comply with the Act’s reporting obligations.