Update Data Protection No. 118

Draft of the EU Cyber Resilience Act

On September 15, 2022, the EU Commission published the long-awaited draft of the Cyber Resilience Act ("Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020"). The scope of the newly introduced obligations for manufacturers, importers and distributors of products with digital elements is enormous.

I. Cyber Resilience Act

1. The aim of the regulation

The purpose of the Cyber Resilience Act is essentially to achieve four central regulatory objectives:

a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

d) rules on market surveillance and enforcement of the above-mentioned rules and requirements.

2. Scope

According to the draft, the regulation applies only to "products with digital elements". The term, already familiar from the 2022 reform of the German Civil Code, is defined in the draft as "any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately". Remote data processing, in turn, means "any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions". The draft further limits its scope to products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Not covered as "products with digital elements" are, for example, "products with digital content" and "digital products" in the sense of the German Civil Code. The former are distinguished from "products with digital elements" in that the digital part is not of central importance for the functioning of the product as such; the latter are distinguished by being entirely digital. Note, however, that this distinction concerns the categories of the German Civil Code: standalone software is a "product with digital elements" under the draft regulation, since the definition expressly covers "any software or hardware product".

The draft also does not apply to products already covered by sectoral legislation with its own cybersecurity requirements. This applies in particular to medical devices.

3. Obligations of manufacturers

In Art. 10 et seqq. of the draft, the Cyber Resilience Act contains a broad catalogue of new obligations for the economic operators involved.

According to the draft, manufacturers of products with digital elements must in particular ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in Annex I of the Cyber Resilience Act. To this end, manufacturers must assess the cybersecurity risks associated with a product with digital elements and take the results of this assessment into account during the planning, design, development, production, delivery and maintenance phases, in order to minimize cybersecurity risks, prevent security incidents and minimize the impact of such incidents, including with regard to the health and safety of users. The risk assessment must form part of the technical documentation of the product placed on the market. In addition, manufacturers must handle vulnerabilities effectively during the expected product lifetime, but at most for five years after the product is placed on the market, and must distribute security updates free of charge (and, where applicable, through automatic update mechanisms).

The list of essential security requirements comprises an "appropriate" level of cybersecurity based on the risks, a prohibition on placing products with known exploitable vulnerabilities on the market, a secure default configuration, protection against unauthorized access, limitation of attack surfaces and minimization of the impact of incidents.

Products with digital elements must, among other things, protect the confidentiality of data (e.g. through encryption), protect the integrity of data, and process only data that are strictly necessary for the functioning of the product (data minimization).

To ensure this in the long term, manufacturers are obligated to identify vulnerabilities through regular testing and to remedy them without delay. Similar to the recently revised Directive on Network and Information Security (NIS2), the draft obligates manufacturers to report exploited vulnerabilities and incidents: a manufacturer must notify ENISA (European Union Agency for Cybersecurity) without undue delay, and in any event within 24 hours, of becoming aware of an actively exploited vulnerability in a product with digital elements or of an incident having an impact on the security of such a product. Meeting this obligation can become complicated where the same event triggers parallel notifications at the same time, for example a personal data breach notification to the competent data protection supervisory authority under the GDPR or a report to the BSI (German Federal Office for Information Security).

4. Obligations of other economic operators

As already known from other areas of product safety law, the Cyber Resilience Act now also introduces a comprehensive package of obligations for importers and distributors regarding the IT security of the products they place or make available on the market.

Importers, for example, are obligated to verify, before placing a product with digital elements on the market, that the product complies with the essential requirements and that the processes put in place by the manufacturer comply with the regulation, and to check the CE marking of the product. Thus, the importer must ensure that:

a) appropriate conformity assessment procedures are carried out by the manufacturer;

b) the manufacturer has drawn up the technical documentation;

c) the product with digital elements bears the CE marking and is accompanied by the required information and instructions for use.

In addition, importers must indicate their name and contact details on the product with digital elements or, where this is not possible, on its packaging or in a document accompanying the product.

Distributors, for their part, must verify before making a product available on the market that:

a) the product with digital elements bears a CE marking;

b) the manufacturer and the importer have complied with their obligations regarding the accompanying information, instructions for use and the EU declaration of conformity, and that the importer has indicated its name and contact details.

An importer or distributor that places a product on the market under its own name or trademark, or that substantially modifies a product already placed on the market, is considered the manufacturer within the meaning of the Cyber Resilience Act and assumes the manufacturer's obligations.

5. Critical products

In addition, the Commission has listed a number of critical products that are deemed to present a higher cybersecurity risk. The critical products are divided into two "classes", which differ mainly in the conformity assessment procedure that applies to them.

Class I includes, for example, identity management and privileged access management software, browsers, password managers, malware detection and removal software, Virtual Private Networks (VPNs), network management systems, network traffic monitoring systems, SIEM systems, physical network interfaces, routers, modems and switches intended for connection to the internet, microcontrollers, ASICs and FPGAs intended for use by essential entities within the meaning of NIS2, and all operating systems, microprocessors, firewalls and industrial IoT (Internet of Things) devices that do not fall under Class II.

The higher-risk category, Class II, comprises operating systems for servers, desktops and mobile devices, hypervisors and container runtimes, public key infrastructure and digital certificate issuers, general-purpose microprocessors, secure elements, hardware security modules and secure cryptoprocessors, smartcards, smartcard readers and tokens, robot sensing, actuation and control components, smart meters, routers, modems, switches and firewalls intended for industrial use, and industrial automation and control systems (e.g. PLCs, SCADA) and industrial IoT devices intended for use by essential entities within the meaning of NIS2.

The Commission is to be empowered to adopt delegated acts in order to update the list of Class I and Class II products and to require certification of highly critical products under a European cybersecurity certification scheme.

6. Product conformity

Another component of the Cyber Resilience Act is the manufacturer's obligation to carry out a conformity assessment. This covers both the conformity of the product with digital elements with the essential requirements and the conformity of the manufacturer's vulnerability handling processes. The assessment can be carried out using one of three procedures:

a) an internal control procedure (Module A);

b) an EU-type examination followed by conformity to type based on internal production control (Modules B and C); or

c) a conformity assessment based on full quality assurance (Module H).

For products with digital elements that are classified as EHR (Electronic Health Record) systems within the meaning of the European Health Data Space Regulation, conformity is instead demonstrated under the conformity assessment procedure laid down in that regulation.

Manufacturers of Class I and Class II critical products are subject to stricter rules. For Class I products, the internal control procedure may only be used if the manufacturer applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise, and for Class II products in any case, an assessment involving a third party (a notified body) is required.

Once the conformity assessment has demonstrated conformity, the manufacturer draws up the EU declaration of conformity and affixes the CE marking.

7. National market surveillance authorities

According to the draft, the Member States must designate one or more market surveillance authorities responsible for verifying compliance with the Cyber Resilience Act. Economic operators are obligated to cooperate with these authorities.

The design of these market surveillance authorities is reminiscent of the national competent authorities and single points of contact introduced under the NIS Directive, which are entrusted with tasks relating to the security of network and information systems.

If a market surveillance authority finds, on the basis of its evaluation, that a product does not conform, it may require the economic operator to take corrective action and, if that fails to remedy the situation adequately, restrict or prohibit the product's availability on the market or order its withdrawal or recall. Through the safeguard procedure at EU level, such measures can be extended to the entire EU.

8. Sanctions

A sanctions regime comparable to that of the GDPR (General Data Protection Regulation) is provided for non-compliance with the obligations under the regulation. Non-compliance with the essential cybersecurity requirements of Annex I or with the manufacturer obligations in Art. 10 and 11 can be fined with up to EUR 15 million or 2.5 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. For violations of other obligations, the limit is EUR 10 million or 2 % of worldwide annual turnover, and for supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities it is EUR 5 million or 1 %.

9. Transitional period

According to the draft, the regulation is to apply 24 months after its entry into force. The manufacturers' reporting obligation (Art. 11) is an exception and applies from 12 months after entry into force.

II. What happens next?

The feedback period on the draft runs from September 19, 2022 to November 14, 2022. The deadline is extended by the time needed until the draft is available in all EU languages, which is currently not the case.

The Commission summarizes the feedback received and submits it to the European Parliament and the Council, so that it can be taken into account in the legislative process, and in particular in the legislative debates.
