Commission unveils 'security by design' rules for digital products

With the aim of creating the first EU-wide legislation of its kind, the European Commission recently presented a proposal for a new European Cyber Resilience Act (“Cyber Resilience Act”). The Act, published on 15 September 2022, introduces horizontal, sector-agnostic mandatory cybersecurity requirements for products with digital elements throughout their whole lifecycle. The proposal complements the requirements in the proposed NIS2 directive, which aims at ensuring a high level of cybersecurity of the services provided by essential and important entities.

The aim of the Cyber Resilience Act is to protect consumers and businesses from products with inadequate security features. It will apply to manufacturers, importers and distributors, the so-called economic operators. Within the scope of this new draft regulation are all products that are connected either directly or indirectly to another device or network, such as smart Internet of Things devices, computers, mobile devices, operating systems and apps, as well as safety-critical components that are installed in networks or industrial facilities. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example for medical devices, aviation or cars.

To this end, the proposed measures lay down:

(a) Rules for the placing on the market of products with digital elements to ensure their cybersecurity;

(b) Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;

(c) Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle as well as obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents; and

(d) Rules on market surveillance and enforcement.

The core element of the Cyber Resilience Act is the set of requirements that all products with digital elements must fulfil. These include security-by-design features, such as ensuring protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems. Cybersecurity should be considered part of the design process and throughout development and manufacturing across the whole product life cycle. According to the Commission's plans, no product may be delivered with known vulnerabilities.

For the majority of products, manufacturers can demonstrate compliance with the requirements by self-assessment. This can be done as part of an EU statement of conformity, which is already required under existing Union harmonisation legislation and the upcoming General Product Safety Regulation. For critical products such as operating systems, firewalls or connected devices in industrial use, the draft requires a stricter verification procedure. For products classified as critical class II products, the assessment must be carried out by a third party.

As noted, the obligations encompass the whole product lifecycle. Manufacturers must ensure security during the expected product lifetime: they will need to regularly check the products for vulnerabilities and eliminate them immediately and free of charge by means of security updates.

According to the draft, the period for mandatory security support is capped at a maximum of five years, even for rather long-lived products such as smart home control systems. If manufacturers become aware that vulnerabilities contained in their products with digital elements are being actively exploited, they must report this in an incident report within 24 hours to a notified body.

The Annexes contain detailed security requirements, vulnerability handling requirements and provisions with respect to information and instructions to be provided to end users.

In case of non-compliance with the essential cybersecurity requirements, the draft foresees administrative fines of up to EUR 15 million or, if the offender is an undertaking, up to 2.5 per cent of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Next steps

Once adopted, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents. This obligation will already apply one year from the date of entry into force, since it requires fewer organisational adjustments than the other new obligations.

The Cyber Resilience Act is now open for feedback until 22 November 2022. Drafting feedback requires an assessment of the Act's impact on your business. The feedback will be published on the Commission's site. All feedback received will also be summarised by the European Commission and presented to the European Parliament and Council, which are now examining the Act, with the aim of feeding into the legislative debate.

Do you have questions about how the Cyber Resilience Act, its interplay with the NIS2 and the RCE Directives as well as other European acts, will affect your business? Bird & Bird is ready to help you to carry out an assessment of the impact of the incoming legislation on your business and assist in preparing your compliance plan.

For more information, please contact Natallia Karniyevich and Feyo Sickinghe
