Welcoming the EU Cyber Resilience Act: a more secure digital future for Europe

To combat and prepare for the risks associated with the acceleration of digital transformation, the regulatory and legislative requirements landscape is in constant motion.

The latest developments come in the shape of the EU Cyber Resilience Act, a wide-ranging and significant piece of legislation that aims to shape the digital future of Europe.

Jameson Hyde, Technical Director at NCC Group, shares thoughts on the proposals and what they mean for the increased security and safety of organisations and citizens alike.

What is the EU Cyber Resilience Act?

The EU Cyber Security Act sets out essential cybersecurity requirements for the design, development and production of software and hardware products connected to the internet. These specific cybersecurity requirements must be met by manufacturers and importers before the product is able to be put on the market in the EU. It also sets out essential requirements for the vulnerability handling processes put in place by manufacturers to ensure cybersecurity is considered for the whole life cycle of a product.

The purpose of the Act – as set out by the EU Agency for Cybersecurity (ENISA) – is to harmonise certification schemes operated within the Union, to strengthen the digital single market and increase trust in ICT products and services for consumers.

It is worth noting that software provided as part of a service (SaaS) is not covered by the proposed Act, as it only covers products with digital elements that are sold within the European single market.

The EU's Act comes at a similar time as the US White House confirmed the development of a common label for IoT devices that would allow consumers to easily recognise which devices meet a minimum cybersecurity standard.

How will different sectors be impacted?

The Act will span across a multitude of sectors, as all hardware and software products with digital elements that can connect to another device or network, whether directly or indirectly, are included.

The European Commission state that the Act will complement existing regulations in key sectors. For example, it will be used alongside the NIS2 Directive (a directive on the security of network and information systems) in governing the cybersecurity of essential and important entities, like utilities and transport, to strengthen the security of the entire supply chain.

However, there are some cases where existing regulations will be replaced by the Cyber Resilience Act. For example, the Radio Equipment Directive, which currently governs radio equipment, will be repealed or amended once the Cyber Resilience Act comes into play.

Additionally, there are a few exceptions that will not be covered, such as open-source software or services that are already covered by existing rules, such as products in medical, aerospace and automotive industries.

What do manufacturers need to consider?

Manufacturers will need to consider several things when bringing new products to market to remain compliant with the Act.

Firstly, products must be accompanied by information and instructions for users in a readable format. These instructions must include information on the product’s security properties, cybersecurity risks, technical security support offered, how security updates can be installed, and the secure decommissioning of the product. Manufacturers must also report any actively exploited vulnerability or security incident within 24 hours of becoming aware of it.

Conformity assessments will become necessary for manufacturers to show that products are compliant. While some systems can be self-assessed, manufacturers will need to engage a notified body when assessing higher-risk products. These could include identity and privileged access management, general purpose microcontrollers, Health and Safety Monitoring Systems (HSMs), operating systems, smart meters, smartcards, robots and industrial control systems.

Breaking these regulations will not only make new products less secure but will also come with a hefty cost. Non-compliance can be subject to fines of up to €15 million or, up to 2.5 % of the organisation’s total worldwide annual turnover for the preceding financial year – whichever is higher.

While the Act coming into effect may seem like some time away, manufacturers are advised to begin preparing for these legislative changes sooner rather than later. It is a good time to ensure you are following best practice, and that security is a priority throughout the production process.

As is the case with other regulations of this nature, manufacturers who implement security by design, prioritising the protection of their products and users throughout their operations, are typically well-positioned to meet these requirements without much additional effort. The Act is a reminder and aligns with the principle that establishing appropriate security requirements, controls, and mitigations in early phases of product development and performing informed testing at appropriate later stages guides effective product security.

What happens next?

It is now up to the European Parliament and the Council to examine the proposed Cyber Resilience Act. As it currently stands, once adopted and in force, manufacturers, importers and EU Member States will have two years to adapt to the new requirements. So, we could see most of the changes come into effect by 2025.

One exception to this is that manufacturers will be required to report actively exploited vulnerabilities and incidents one year after the Act comes into force, as it requires fewer organisational adjustments than the other new obligations.

The new Act is sure to shake things up in the European digital space and the regulation of products, but will ultimately help to keep both organisations and consumers safer and more secure in an increasingly complex landscape of networked products.