Cyber Resilience Act enhances cybersecurity requirements for digital products sold in EU
On September 15, 2022, the European Commission formally adopted the terms of the new Cyber Resilience Act (CRA), which obligates manufacturers to improve the cybersecurity requirements of digital products that are sold within the European Union.
In a broader sense, the CRA is a key cog in the wheel of legislation being enacted by the EU institutions covering the cybersecurity domain. The CRA follows quickly in the footsteps of the Cybersecurity Act 2019, the 5G Toolbox 2020, and NIS2 (Network and Information Security Directive) 2020.
The European Union is rightly enhancing cybersecurity capabilities within the workings of EU governments and across a whole range of different business activities. Thierry Breton, the EU Internal Market Commissioner, recently said that the CRA fills a gap within the EU cybersecurity framework by setting out essential compliance requirements for manufacturers in the design, production, and development of products with digital elements.
Moreover, CRA obligations cover the full life-cycle of the products that fall within the scope of this new legislation. While importers and distributors of products with digital elements also have requirements to fulfil under the CRA, its primary focus is directed at the manufacturers of digital products.
Key elements of the CRA
Article 2 defines the scope of the CRA as follows:
“This regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or to a network.”
Article 3 of the CRA gives a deeper explanation of these definitions:
(1) “‘Products with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”.
(2) “‘Remote data processing’ means any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer and the absence of which would prevent the product with digital elements from performing one of its functions.”
The European Commission lists, in Class II of Annex III, the types of critical products that will require third-party conformity assessment, thus ensuring that such products fully comply with the provisions of the CRA.
Examples of such critical products include the following:
- Operating systems for servers, desktops and mobile devices
- Firewalls and intrusion detection systems intended for industrial use
- General purpose microprocessors
- Routers, modems intended for connection to the Internet and switches intended for industrial use
- Smartcards, smartcard readers, and tokens
- Industrial automation and control systems
- Industrial Internet of Things (IoT) devices
- Robot sensing
- Smart meters
Class I of Annex III lists the critical products that will also require third-party conformity assessment, although this requirement can be avoided if such products are already recognised under a European cybersecurity certification scheme in accordance with the EU Cybersecurity Act 2019.
Examples of such Class I critical products include the following:
- Identity management system software
- Standalone and embedded browsers
- Software that searches for, removes or quarantines malicious software
- Network configuration management tools
- Remote access/sharing software
- Mobile device management software
Once the CRA has been legally enacted, the European Commission will have the delegated power to add further products to the scope of Class I and Class II of Annex III of the CRA.
Enforcement of the CRA and the role of EU member states
Each of the 27 member states of the EU will have to appoint an existing body or set up a new organization that will oversee, supervise, and enforce the CRA legislative requirements and safeguards. If such a new market surveillance authority considers that a product with digital elements poses a significant cybersecurity risk, it has the power to take a series of corrective actions that will include the following:
- Ensure that the manufacturer remedies the cybersecurity vulnerabilities
- Delay, prohibit or restrict the placing of such a product on the marketplace
- Impose fines for breaches of the CRA, which can be as high as €15 million or 2.5% of the global revenues of companies that fail CRA compliance
There will be a very close relationship between ENISA (European Network and Information Security Agency) and the market surveillance authorities that will be appointed by national member states under this CRA regulation. Article 11 of this European Commission proposal states that a manufacturer has a reporting obligation to inform ENISA within 24 hours of becoming aware of an exploited vulnerability contained in a product with digital elements. ENISA will then inform the CSIRT (Cyber Security Incident Response Team) in the member state where the cybersecurity vulnerability takes place in accordance with the obligations of the NIS2 Directive.
ENISA will also inform the designated member state market surveillance authority under the CRA about the new notified exploited vulnerability.
Key future challenges for the CRA
Companies want business certainty. It is very important that the provisions of the CRA do not overlap with existing EU legislation such as the Cybersecurity Act or the Radio Equipment Directive (RED). The integrity of the EU internal market needs to be constructed via a uniform rules-based approach so as to guarantee the free movement of products within the 27 member states of the European Union.
Huawei supports harmonized, certified, and technical standards for digital products that promote the highest levels of cybersecurity in Europe (and indeed across the globe). Our end-to-end assurance scheme, which is fully enshrined within all our business operations, guarantees that the strongest tiers of cybersecurity are advanced by Huawei at all times. This process helps Huawei build trust from the perspective of our customers and with key governmental representative stakeholders working within the cybersecurity domain.
Digital transformation is a driver of innovation. Policy frameworks must ensure that the most innovative products underpinned by resilient cybersecurity protections are capable of expeditiously reaching the marketplace. The final agreed texts of the CRA must guarantee that the process to deliver innovation for society is not negatively impacted. Moreover, more clarity is going to be required as to how SMEs are going to meet CRA compliance criteria.
Legislative timeframe for CRA enactment
The ITRE (Industry, Technology, Research and Energy) committee of the European Parliament will now consider the text of the CRA as proposed by the European Commission. The ITRE committee will appoint an MEP, known as a ‘rapporteur’, who will lead on this CRA legislative file. The ITRE committee members will propose amendments to the CRA text in Q1 2023. This will be followed by a vote of all the members of the European Parliament to approve the ITRE text of the CRA. Following the adoption of the CRA by the European Parliament, the EU Council (representing the 27 member states of the EU) will take a common position on the provisions of the CRA. The final stage in the legislative process is the trilogue, in which the European Commission, the European Parliament, and the EU Council negotiate over a period of up to six months to hammer out an agreement on the final texts of the CRA.
After the final adoption of the CRA at a European level, the 27 EU member states will have 24 months to put in place all the requirements of this CRA regulation at a national level. Moreover, member states will have to ensure that CRA reporting obligations that apply to manufacturers are in place 12 months after the final sign-off of the CRA by the EU institutions.