Cyber Resilience Act – EU’s next weapon against cybercrime?
Over the last few years, the digital transformation of the world has brought innovation and efficiency into our daily lives. Unfortunately, criminal activity has also moved into the digital world, and cyber security has therefore gained more prominent attention. Why does this topic get so much recognition? Cybercrime affects private persons, companies, and governments and has become more aggressive and confrontational over the past years. In 2021 ransomware attacks alone cost the global economy around 20 billion EUR. Cyber incidents do not only leave financial scars, however; they also often damage reputation.
To minimize losses, Ursula von der Leyen, President of the European Commission, announced a new regulation in September 2021. This year, on 15 September 2022, the European Commission proposed the regulation on cyber security requirements for products with digital elements, the so-called Cyber Resilience Act (CRA). The CRA will sit alongside other (new) cyber security regulations such as the NIS2 directive and the Cyber Security Act. In this blog, I would like to give an insight into the key points of the new proposal for the Cyber Resilience Act.
Background to the new Cyber Resilience Act
Since current EU legislation does not regulate cybersecurity aspects of hardware and software in the internal market, the Cyber Resilience Act aims to provide a framework that ensures the development of secure products with digital elements. Furthermore, it allows users to take cyber security into account when purchasing a new product.
Companies and society are currently faced with two main problems: low levels of cyber security and insufficient understanding of, and access to, information. These problems result in high cybercrime costs: by 2025, Cyber Ventures expects cybercrime costs of 10,5 trillion USD. According to the World Economics Global Cybersecurity Outlook 2022, 42 % of cyber chiefs are concerned about infrastructure breakdown due to a cyber-attack. They also call for cyber security to be addressed not only from a technical but also from a business perspective, so companies should work on a joint cyber security strategy.
The European Commission emphasises the following objectives:
ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
enhance the transparency of security properties of products with digital elements, and
enable businesses and consumers to use products with digital elements securely.
Cyber Resilience Act in practice
In terms of responsibility, the Cyber Resilience Act presents an interesting shift. Whereas individuals and companies dealt with information security themselves in the past, responsibility is now shifting towards the manufacturers. If the proposal is approved, manufacturers must:
provide documentation on all potential cyber risks;
include cybersecurity from planning to maintenance;
report vulnerabilities and incidents;
ensure vulnerabilities are handled effectively for the expected product lifetime or a period of five years;
provide clear and understandable instructions;
make security updates available for at least five years.
Furthermore, specific obligations will also apply to importers and distributors of the products covered by the CRA.
Let’s also take a brief look at the suggested penalties:
Fines up to 15 million EUR or up to 2,5 % of an undertaking’s total worldwide annual turnover (whichever is higher) can be imposed for non-compliance with the regulation.
There will be mandatory assessments for the affected products; which assessment (self-assessment, standard, or third-party assessment) is required depends on the assigned category. The EU expects that 90 % of the products will fall into the default category. These are products that citizens are most likely to have contact with every day, for example classic computer applications, smart speakers, or video games. The remaining 10 %, such as identity management software, microcontrollers, public key infrastructure, or CPUs, will be classified into one of the critical categories (“Class I” and “Class II”).
In addition to standardised rules that benefit all stakeholders, this regulation should also bring advantages regarding data protection and privacy rights. It is also estimated that 180 to 290 billion EUR in cyber security costs can be avoided annually in the EU.
But from a practical perspective: cyber incidents are not always detected the moment the attackers start, and it can take weeks or months to find a breach. The upcoming regulation may help to tackle cybercrime a few steps earlier. Still, even with elaborate cyber security risk management, EU regulations cannot prevent human error.
Apart from likely initial implementation problems in practice and the need for clearly defined procedures and requirements, the regulation provides a proper legal framework for information security. However, cyber security will continue to evolve immensely in the upcoming years, and we will see how this develops. Until 13 January 2023, the EU Commission seeks feedback on the proposed regulation. You are welcome to share your thoughts and opinions to help improve the proposal. After going through the ordinary legislative procedure, the proposal might be approved by the European Parliament and the Council of the European Union in late 2024.