On 15 September 2022, the European Commission published a proposal for a new regulation on cyber security (Cyber Resilience Act) (COM (2022) 454 final) that will protect consumers and businesses from products with inadequate safety features.
The proposal forms a part of the EU Cybersecurity Strategy and the EU Security Union Strategy, and has been presented partly as a result of the increased number of cyber-attacks during the covid-19 pandemic. The European Commission estimates that the annual costs of data breaches are at least EUR 10 billion and the annual costs of malicious attempts to disrupt traffic on the internet to are estimated to be at least EUR 65 billion.
The regulation is proposed to be applicable to all products that are directly or indirectly connected to another device or a network, with exceptions for products such as medical devices, aviation and cars, as these products are already covered by existing EU rules.
The responsibility to comply with these requirements fall on the manufacturers, that must ensure compliance throughout the manufacturing process, including during the planning, development and production stages. The manufacturers shall also report any vulnerabilities during the product’s life cycle or during the first five years from its release onto the market, whichever is shorter. Further, importers and distributors are required to only import and distribute products that fulfil the requirements that are stipulated in the regulation, which can be done by verifying the technical documentation, or by ensuring that the product in question has a CE-mark, for example.
The proposal imposes obligations on manufacturers to produce a declaration of conformity as well as other technical documentation that certify compliance with the essential requirements. This documentation shall, amongst other things, include a detailed description of the product, its manufacturing process and a risk assessment, as well test reports from the manufacturing process.
A more detailed conformity assessment is proposed for products that are regarded to have a high level of cyber risk, such as operating systems for computers and mobile phones, password managers, and browsers. This conformity assessment will require inspections and tests to be conducted by notified bodies that are appointed and monitored by the national notifying authority. The European Commission is proposed to have the competence to impose additional requirements regarding products with a high level of cyber risk. For these products, a European cybersecurity certificate will be required in accordance with the cybersecurity act (regulation 2019/881) in order to be granted the CE-mark.
The proposal includes additional essential requirements that all products must fulfil during the manufacturing process, which, for example, includes ensuring that personal data is protected through encryption and that vulnerabilities are addressed through security updates. Manufacturers must also conduct a risk assessment, the result of which is to be included in the technical documentation which shall be produced in conjunction with the release of the product on the market. The proposal stipulates further requirements regarding vulnerability handling during the product’s lifecycle. For example, manufacturers must notify any vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it. The users of the products shall also be informed of the incident and, if necessary, of any available measures. The products safety shall be tested and inspected regularly by the manufacturer.
The Commission’s proposal delegates competences between the Member States, ENISA and the Commission.
Member States shall appoint national authorities that will be responsible for ensuring compliance, monitoring and inspection of the work of the manufacturers and the notified bodies during, for example, conformity assessments. Member States must also stipulate penalties for lack of conformity, which should consist of fines that do not exceed EUR 15 000 000 or 2.5% of the economic actor’s yearly turnover.
ENISA is proposed to receive notifications from manufacturers about vulnerabilities that have been discovered in products and forward these to the national authorities in question, as well as to the national contact points which should be appointed by the Member States in conjunction with the entering into force of the the Network and Information Security Directive (NIS2) directive. Based on these notifications, ENISA should produce a biennial technical report on the emerging trends regarding cyber security risks in relation to digital products.
The Commission is proposed to be give the competence to update the list of products with a high level of cyber risk in correspondence to the product development and emerging trends. The Commission will further ensure coordination and cooperation amongst the notified bodies. The Commission is also proposed to have a central role in the different processes that shall be applied when products with a high level of cyber risk are discovered.
According to the Commission, this regulation will lead to fewer cyber-attacks and thus lower costs within incident handling. The Commission is moreover of the view that increased cyber security in digital products will lead to less reputational damage for businesses, and thereby contribute to a rise in the demand for digital products as the trust from consumers grows. Consumers and users will receive clearer instructions and information when buying digital products, which will also lead to increased protection of fundamental rights such as data protection.
The proposal has been widely welcomed but some definitions have been criticised for being vaguely formulated and not considering the differences in the various products’ development and manufacturing processes, which may lead to arbitrary decision-making. It has further been pointed out that the regulation will lead to high costs for affected economic actors, which may lead to an exclusion of SMEs from the market.
The proposal has been submitted to the European Parliament and the Council who will deal with it in their internal procedures before going into the so called trilogue discussion with the Commission. Once adopted, economic operators and Member States will have two years to adapt to the new requirements. The objective is to implement the Cyber Resilience Act to complement the EU Cybersecurity framework which includes the Directive on the security of Network and Information Systems (NIS Directive), for which the European Commission has proposed a revised version (NIS 2 Directive) – provisionally agreed but awaiting formal approval by the European Parliament and the Council, as well as the Cyber Security Act, which entered into force on 27 June 2019.