European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?

On 15 September 2022, the European Commission published the proposal for a Cyber Resilience Act (CRA), which aims to set common cybersecurity standards for connected devices and services. The European Union has long been taking action against cybercrime. Following up on its Path to the Digital Decade, which is to deliver the EU’s digital transformation by 2030, this regulation seeks to protect consumers and the market from cyber incidents. It forms part of a package of rules intended to embed digital security in Europe, alongside two other instruments: the Directive on security of network and information systems (NIS), which aims to improve Member States’ cybersecurity capabilities and encourages information sharing, and the Cybersecurity Act, which entered into force in 2021 and defines the tasks of the European cyber watchdog, ENISA.

With this blog post, Dr2 Consultants is happy to provide an overview of the main implications and opportunities for European businesses, focusing on: 

  • The objectives of the legislation. 
  • The implications for providers of digital products and connected services. 

Read our summary below; if you want an in-depth view of the content of the proposal, you can check our detailed analysis here.

What’s the objective of the European Cyber Resilience Act?

As different economic sectors have become more dependent on digital technologies in running their businesses, the opportunities that digital connectivity brings also expose economies to cyber threats. The number, complexity, scale, and impact of cybersecurity events are also growing. When everything is connected, a cybersecurity incident can affect an entire system, disrupting many economic and social activities. The Cyber Resilience Act introduces rules to protect digital products that are not covered by any previous regulation. This would make it the first ‘Internet of Things’ (IoT) legislation in the world.

First communicated by European Commission President Ursula von der Leyen in her State of the Union Address in September 2021, the Cyber Resilience Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the EU market. Von der Leyen emphasized the growing importance of cybersecurity and called on Europe to properly address cyber threats and to become a leader in cyber defence. “With the economy and society relying more and more on digital solutions, it is crucial to ensure that we can defend ourselves in a world increasingly prone to the hacking of connected products and associated services”, she stated. Also, Commissioner for the Internal Market, Thierry Breton, specified his expectation for this initiative. He wished to increase Europe’s cyber defence capabilities by including defence requirements in the legislation. 

What implications will the European Cyber Resilience Act have for your business?

Dr2 Consultants has identified a number of essential requirements for hardware manufacturers, software developers, distributors and importers who place digital products or services on the EU market. The requirements proposed include: an ‘appropriate’ level of cybersecurity, a prohibition on selling products with any known vulnerability, a secure-by-default configuration, protection from unauthorised access, limitation of attack surfaces, and minimisation of incident impact.

The default category consists of low-risk products, covering 90% of the market, including smart toys, TVs or fridges, and would require companies to perform a self-assessment to ensure that a product meets cybersecurity standards.

Furthermore, two categories for critical products are listed: 

  1. The first category includes browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, and chips used for entities falling under NIS2. Moreover, it also includes all operating systems, microprocessors and industrial IoT not covered in class II.
  2. The second category includes higher-risk products such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.

The main difference between the two categories is the compliance process. Moreover, the Commission asks manufacturers to perform regular tests to identify vulnerabilities in their products. Lastly, Member States would also have to put in place market surveillance bodies. The penalties for non-compliance with the requirements can amount to €15 million or 2.5% of annual turnover.

Stakeholder reactions

In H1 2022, the Commission launched a public consultation and call for evidence on the Cyber Resilience Act, open until 25 May 2022. The first overall reactions from the industry and other stakeholders to this initiative were positive. Consumers expect the products they purchase to be safe and secure. Hence, creating greater awareness of the importance of these security requirements in products will result in customers considering key security criteria when making purchasing decisions.  

However, to avoid confusion, the industry also warned that the legislation should include clear definitions, taking into account differences in the development, functionality, and use of digital products. Different sectors also ask the Commission to take existing vertical legislation for specific sectors and/or product groups into account. Adding essential cybersecurity requirements risks excluding SMEs from the market. Businesses also need to know exactly what kind of technical specifications they must comply with to ensure adherence to CRA obligations. For instance, app developers warn of the extra costs of maintaining a cyber-resilient environment for the benefit of consumers; they would prefer guidelines or recommendations.

Next steps

A new call for feedback on the proposed legislation is open until 23 January 2023. In the meantime, the European Parliament’s Industry, Research and Energy Committee (ITRE) has been appointed as the responsible committee, under the lead of MEP Nicola Danti (IT) as Rapporteur for Renew Europe. Shadow Rapporteurs will be Henna Virkkunen (FI) for EPP, Beatrice Covassi (IT) for S&D, Ignazio Corrao (IT) for the Greens/EFA and Evžen Tošenovský (CZ) for ECR. The Internal Market and Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE) Committees will produce an opinion.

On 18 November, the Czech presidency of the Council of the EU circulated the first compromise text on the Cyber Resilience Act, making major changes to the proposal’s scope and free movement clause. On 6 December, the Telecommunications Council discussed the progress report. It revealed that an essential part of the discussions in the Council focused on the extent to which Software-as-a-Service is covered in the regulation.

Even before the draft was out, Denmark, Germany and the Netherlands issued a non-paper calling for an extension of the scope to Software-as-a-Service. A new text from the Czech presidency, dated 2 December, updated the previous compromise text by placing SaaS firmly outside the regulation’s scope. In particular, the draft law has been rephrased to apply only to remote data processing solutions based on software or hardware that support the functioning of a connected device. The push for keeping SaaS outside the new cybersecurity rules is consistent with what Internal Market Commissioner Thierry Breton said at the Telecommunications Council meeting on 6 December. During the meeting, Breton stressed that SaaS is already covered by the NIS2 Directive, adding that incorporating these services under the Cyber Resilience Act would be a legal challenge because of the proposal’s legal basis.

On 2 June 2023, EU Ministers will meet to discuss the progress on the file. The Presidency’s objective for the next six months is to advance as far as possible the negotiations in the Council on the Cyber Resilience Act.

Dr2 Consultants will follow the legislative developments very closely, and thanks to its expertise and wide range of clients in the digital sector, Dr2 Consultants is expertly placed to assist your company in identifying the impact of and leveraging the opportunities offered by the Cyber Resilience Act. 

Would you like to know more about how your organization can make the most out of this regulation? Subscribe to Dr2 Consultants’ newly launched service for EU data-related policies or get in touch with our Managing Partner Jasper Nagtegaal.