
EU Cyber Resilience Act

30 September 2022 (last updated 8 November 2022)

Copyright: European Union

This is a first summary of the new EU Cyber Resilience Act. It introduces essential security requirements for manufacturers, importers and distributors of products with digital elements. The goal is to make products more secure and to ensure that manufacturers remain responsible for cybersecurity throughout a product’s lifecycle.

While existing regulations mainly target the operators of OT systems (e.g. NIS, NIS2, …), this is the first time that we see a regulation that targets almost all manufacturers of products with digital elements, ranging from pure software to consumer products and embedded (industrial) IoT devices, with hardly any exceptions. (Basic) security of products and responsible handling of vulnerabilities will no longer be an optional manufacturer decision but a precondition for selling the product in the EU market.

To give you a first overview, we collected the most important information from the draft (mostly direct citations):

This Regulation lays down

  • rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products
  • essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity
  • essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes
  • rules on market surveillance and enforcement of the above-mentioned rules and requirements

In addition: The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential requirements set out in Annex I. It shall at least contain the elements set out in Annex V.

Scope

This Regulation applies to products with digital elements whose intended, or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Products are partly excluded when there are comparable regulations in place, e.g.:

  • medical devices (Regulation (EU) 2017/745 and 2017/746)
  • motor vehicles and their trailers (Regulation (EU) 2019/2144)
  • civil aviation (Regulation (EU) 2018/1139)
  • national security or military purposes
  • More generally: the application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential requirements

The obligation to ensure the requirements set out in the regulation are fulfilled lies with the manufacturer, the importer or the distributor.

Status and Timeline

The EU Cyber Resilience Act is a draft which resulted from an impact assessment (How does it affect the EU market, if ….). It is now for the European Parliament and the Council to examine the proposed Cyber Resilience Act. Once the proposal is adopted and enters into force, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the entry into force, since they require fewer organisational adjustments than the other new obligations.

Notifications (incomplete)

Manufacturers shall

  • within 24 hours of becoming aware of it, notify ENISA of any actively exploited vulnerability contained in the product
  • within 24 hours of becoming aware of it, notify ENISA of any incident having an impact on the security of the product
  • inform […] the users of the product with digital elements about the incident and, where necessary, about corrective measures​
  • upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component.

Surveillance Authority of Member States

  • Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out an evaluation of the product […]
  • Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe

Existing certifications

Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof, set out in Annex I.

A harmonised standard is a European standard developed by a recognised European Standards Organisation: CEN, CENELEC, or ETSI. It is created following a request from the European Commission to one of these organisations. No part of IEC 62443 is a harmonised standard yet (neither is, e.g., ISO 27001).

Classes

All products with digital elements are in scope; 90 percent are expected to be non-critical. There are two classes of critical products with digital elements (incomplete list with industrial focus):

Class I

  • Different kinds of security products (e.g., firewalls, IDS, SIEM, password managers, …)
  • Industrial Automation & Control Systems (IACS) not covered by class II, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
  • Industrial Internet of Things not covered by class II

Class II

  • Industrial Automation & Control Systems (IACS) intended for the use by essential entities of the type referred to in [NIS2]
  • Industrial Internet of Things devices intended for the use by essential entities of the type referred to in [NIS2]
  • Robot sensing and actuator components and robot controllers
  • Smart meters

Conformity assessment

  • The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential requirements set out in Annex I are met.
  • The manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements by using one of the following procedures:
    • Base product: self-declaration is sufficient
    • Certified compliance (in full) with harmonised standards, common specifications or European cybersecurity certification schemes, OR assessment by a notified body
    • Conformity assessment based on full quality assurance (based on module H) set out in Annex VI
  • The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements of this Regulation.

Penalties

  • Non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an enterprise, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
  • Non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is an enterprise, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
  • The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is an enterprise, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

If you have any questions about the EU Cyber Resilience Act we are here to help.