EU-wide cybersecurity for digital products

On 10 October 2024, the Council of the European Union adopted the Cyber Resilience Act, the new law on cybersecurity requirements for products with digital elements. Following this adoption, the only step remaining is the signature of the President of the Council and the European Parliament. The new regulation will be published in the EU Official Journal in the coming weeks.
 

The new regulation will enter into force twenty days after publication in the EU Official Journal and will be directly applicable in all EU member states 36 months after its entry into force. Some provisions will apply earlier:

• May 2026: conformity assessment bodies can assess compliance with the CRA requirements
• August 2026: the obligation to report vulnerabilities and other security incidents begins
• approx. November 2027: all CRA requirements for new products must be met
   

A hacker attack occurs every 11 seconds. This results in costs of over 5 trillion euros. This is stated by the EU Commission in its cyber security strategy, thereby underlining the need to ensure a higher level of cyber security in the future. The aim is to incorporate the defined requirements as a permanent part of the entire supply chain.

The new ‘Cyber Resilience Act’ is intended to ensure that digital products become more secure for individuals and businesses. Manufacturers of such products, both hardware and software, will be obliged to use software updates to fix vulnerabilities and to inform the end users of their products about possible cybersecurity risks. In addition, the draft regulation defines requirements for software development and thus also emphasises the ‘security by design’ required by the ‘Cyber Security Act’ already in force.
 

The overarching aim of the cybersecurity rules proposed by the European Commission is to ensure that hardware and software products on the internal market are more secure. The Commission has set out the objectives of the legislation in four measures:

1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout their entire life cycle.
2. Ensure a coherent cybersecurity framework that facilitates compliance for hardware and software manufacturers
3. Improve transparency regarding the security features of products with digital elements
4. Enables businesses and consumers to use products with digital elements securely
    

The scope of the regulation shows that this area is very broadly defined:

‘This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.’

Due to the loose definition of ‘digital elements’, the regulation thus covers both hardware such as machines and IoT devices and pure software products.

Exceptions are also mentioned in the scope of application; for example, medical devices according to Regulation (EU) 2017/745 do not fall within the scope of the planned legal act.

The legislation also regulates the future interaction with Delegated Regulation 2022/30, which already stipulates security requirements for internet-enabled systems within the meaning of the Radio Equipment Directive 2014/53/EU. Brussels announced that, in order to avoid overlaps, Regulation 2022/30 should either be repealed or merely supplemented.
 

In line with previous EU legislation (e.g. the Machinery or Low Voltage Directives), the Cyber Resilience Act also provides for a conformity assessment procedure.

The core of the procedure is the cyber risk assessment. Article 13, paragraph 2 of the draft provides:

‘[...] manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.’

Depending on the criticality of the products, the conformity assessment procedure distinguishes between self-certification and two procedures in which notified bodies must be involved. Details can be found in the factsheet on the Cyber Resilience Act.

In our view, the details in Annex VII, paragraph 2, of the regulation are particularly noteworthy for manufacturers. The document mentions various aspects (design, development, production, vulnerability analysis) as content for the technical files. This means that, if the European Commission has its way, software architectural decisions as well as decisions regarding the development and build process must be documented accordingly in the software development process in the future. This will, of course, mean increased documentation work for companies. In particular, the rapid technological development of software development tools (e.g. for build processes) will certainly present companies with organisational challenges in the future that can be overcome but should not be underestimated.

The wording of the content:

"CONTENTS OF THE TECHNICAL DOCUMENTATION

(…)

a description of the design, development and production of the product with digital elements and vulnerability handling processes, including:

(a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;

(b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

(c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;'
 

The German Federal Office for Information Security (BSI) is providing support for manufacturers in identifying the CRA requirements with the publication of the Technical Guideline TR-03183. Further information can be found in our technical article ‘Technical guideline for cyber resilience requirements’.
 

In the coming months, the Commission will request the European standardisation organisations CEN and CENELEC to ‘develop harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation’. When issuing such a standardisation request, the Commission will endeavour to take into account existing European and international cybersecurity standards that have already been published or are in the process of being developed. Examples of such standards and specifications that could potentially be harmonised to meet the CRA requirements are:

• EN ISO/IEC 15408 series parts 1-5: Information security, cybersecurity and privacy protection - Evaluation criteria for IT security
• EN 17640: Fixed-time cybersecurity evaluation methodology for ICT products
• EN ISO/IEC 29147:Information technology - Security techniques - Vulnerability disclosure
• EN ISO/IEC 30111: Information technology - Security techniques - Vulnerability handling processes
• EN 303 645: Cyber security for consumer internet of things
• Parts of the EN IEC 62443 series: Security for industrial automation and control systems

In line with the new Machinery Regulation (EU) 2023/1230, the Commission may, in the absence of harmonised standards for the cybersecurity requirements of Annex I, adopt implementing acts with common specifications for technical requirements. The legislator reserves this option in case the desired standards are not delivered within the set deadline, the standardisation mandate is not accepted or the content of the documents does not comply with the mandate.

The following documents are a valuable source of information for machine manufacturers:

• CLC IEC/TS 63074: Safety of machinery - Security aspects related to functional safety of safety-related control systems
• CEN ISO/TR 22100-4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects
• prEN 50742: Safety of machinery - Protection against corruption
   

The NIS-2 directive applies to network and information systems used to provide essential and important services in key sectors. The regulation requires organisations (= operators) in various sectors to ensure that the networks and systems they use to provide services and carry out their activities achieve a higher level of cyber security. In our technical article "NIS-2 Directive in mechanical engineering", we explain which companies are directly affected (as operators) and what requirements and sanctions the directive provides for.

The Cyber Resilience Act, on the other hand, lays down cybersecurity requirements for hardware and software products that companies (=manufacturers) place on the market in the EU. For products that fall within the scope of the CRA, manufacturers must carry out security assessments, implement vulnerability management procedures and provide users with the necessary information.