4 October 2022
IoT - next gen – 5 of 5 Insights
Co-Author: Lucas Falk
On 15 September 2022, the European Commission published its "Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020" (Cyber Resilience Act, CRA). The Cyber Resilience Act introduces cybersecurity requirements for a broad range of products with digital elements, including software, and has the potential to become one of the most important EU cybersecurity laws.
The Cyber Resilience Act has strong links with other cybersecurity laws such as the NIS-2 Directive, the Cybersecurity Act, the AI Act and the GDPR (in particular its data protection by design and security of processing provisions).
The Cyber Resilience Act has a broad scope of application. It applies to all products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. A product with digital elements in this context means any software or hardware product and its remote data processing solutions, including software or hardware components that are placed on the market separately.
The application of the CRA is limited or excluded where sectoral rules already achieve the same level of protection, as is the case for certain regulated product categories, and the Commission may further limit or exclude products on that basis. Software as a Service (SaaS) is outside the scope of the CRA unless it amounts to remote data processing for a product with digital elements; SaaS is instead covered by the NIS-2 Directive, which aims at ensuring a high common level of cybersecurity for services provided by essential and important entities.
Products with digital elements developed exclusively for national security or military purposes are not covered by the regulation.
Economic operators covered by the CRA (in particular manufacturers, importers and distributors of products with digital elements) need to fulfill several obligations before and whilst placing a product with digital elements on the market.
Placing on the market means the first making available of a product with digital elements on the EU market, i.e. any supply of the product for distribution or use on the European Union market in the course of a commercial activity. It does not matter whether this is in return for payment or free of charge.
Some obligations apply to several or all economic operators.
Manufacturers and importers shall place on the EU market only products with digital elements that comply with the essential cybersecurity requirements laid down in the CRA, so that an appropriate level of cybersecurity is ensured and the product is delivered without any known exploitable vulnerabilities.
If importers or distributors identify a vulnerability in a product with digital elements, they shall inform the manufacturer without undue delay. Where the product presents a significant cybersecurity risk, they must immediately inform the market surveillance authorities of the Member States in which they made the product available on the market.
Importers and distributors need to ensure that the product with digital elements is accompanied by the required instructions and information, in a language that users can easily understand, so that the product can be used safely.
When importers or distributors become aware that the manufacturer of a product with digital elements is not able to comply with its obligations under the CRA, they shall inform the relevant market surveillance authority and, to the extent possible, the users of the product.
In case of reasoned concerns regarding the compliance of a product with the CRA, the competent market surveillance authority can request that manufacturers, importers and distributors provide all the data required to assess the design, development, production and vulnerability handling of the product. This includes related internal documentation needed to demonstrate the conformity of the product with the CRA, in a language that can be easily understood by that authority.
Where importers or distributors place a product with digital elements on the EU market under their name or trademark, they are considered manufacturers under the CRA and are subject to the obligations of the manufacturer.
Where a natural or legal person carries out a substantial modification of the product it shall be considered a manufacturer under the CRA and is subject to the obligations of the manufacturer.
A manufacturer is any natural or legal person who develops or manufactures products with digital elements, or has them designed, developed or manufactured, and markets them under his or her name or trademark, whether in return for payment or free of charge.
Manufacturers shall ensure that
To fulfil this obligation, manufacturers shall undertake an assessment of the cybersecurity risks associated with their product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product, with the aim of minimising cybersecurity risks, preventing security incidents and minimising the impact of such incidents, including in relation to the health and safety of users. In addition, manufacturers must exercise due diligence when integrating components sourced from third parties, to ensure that those components do not compromise the security of the product.
Relevant cybersecurity aspects must be systematically documented.
A cybersecurity risk assessment must be included in technical documentation when the product is placed on the EU market.
Manufacturers must ensure that vulnerabilities of the product are handled effectively during the expected product lifetime or for five years from the placing on the market, whichever is shorter.
Before placing the product on the market, they need to
Manufacturers need appropriate policies and procedures, including coordinated vulnerability disclosure policies to process and remediate potential vulnerabilities.
Manufacturers may also choose to appoint an authorized EU representative which may fulfill some of the manufacturer’s obligations.
Manufacturers must carry out appropriate conformity assessment procedures to ensure the conformity with the CRA before placing a product on the market.
The applicable conformity assessment procedure depends on the risk associated with the product: most products may be assessed by the manufacturer itself. Critical products with digital elements (listed in Annex III of the proposal) are divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or their intended use in sensitive environments. Class II products therefore require third-party conformity assessment, while class I products may be self-assessed only where the manufacturer applies the relevant harmonised standards or equivalent specifications.
If the product is classified as a critical product
If the compliance of the product has been demonstrated, manufacturers shall
If there is any actively exploited vulnerability contained in the product, or if any incident has an impact on the security of the product, manufacturers need to report this to the European Union Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours of becoming aware of it. On the basis of these notifications, ENISA shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements.
Furthermore, upon identifying a vulnerability in a component, manufacturers need to report the vulnerability to the person or entity maintaining the component.
An importer is any person established in the EU who places a product with digital elements on the EU market that bears the name or trademark of a (natural or legal) person established outside the EU.
Before placing a product on the market importers must ensure that
Importers shall not place a product on the market which they consider, or have reason to believe, is not compliant with the essential cybersecurity requirements laid down in the CRA until that product has been brought into conformity by the manufacturer.
Importers must indicate
on the product with digital elements or on its packaging.
For ten years after the product with digital elements has been placed on the market, importers must keep a copy of the EU declaration of conformity.
A distributor is any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the EU market without affecting its properties.
Distributors must act with due care regarding the requirements of the Cyber Resilience Act when making a product with digital elements available on the market.
Before making it available they need to verify that
Each Member State designates one or more market surveillance authorities to ensure the effective implementation of the CRA. This can be either an existing or a completely new authority. The market surveillance authority cooperates with other national authorities, the authorities of other Member States or the European Commission where necessary.
When the market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk, it evaluates the product regarding its compliance with the CRA. If the evaluation finds that the product is not compliant with the CRA, the authority requires the operator to take all appropriate corrective actions to bring the product into compliance, to withdraw it from the market or to recall it within a reasonable period. When the market surveillance authority considers that the non-compliance is not limited to its national territory, it informs the Commission and the other Member States.
Sanctions may differ from Member State to Member State. However, sanctions must be effective, proportionate and dissuasive.
In case of an infringement of the essential cybersecurity requirements or of the obligations of manufacturers, fines of up to 15,000,000 EUR or up to 2.5 % of the total worldwide annual turnover for the preceding financial year are possible, whichever is higher.
In case of an infringement of any other obligation under the CRA, fines of up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover for the preceding financial year are possible, whichever is higher.
The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request could lead to fines of up to 5,000,000 EUR or up to 1 % of the total worldwide annual turnover for the preceding financial year, whichever is higher.
The Cyber Resilience Act is still in the making. Once adopted, it shall apply after a grace period of 24 months following its entry into force. The reporting obligations of manufacturers (Article 11 of the proposal) shall apply already 12 months after its entry into force.
Paul Voigt looks at the EU's plans to protect the security of digital products.