More security for ICT products and services in the EU?
On December 1, the European Commission announced political agreement on the Cyber Resilience Act (CRA), in the works since 2022. The full legal text of the act is accessible via Eur-Lex. This article does not evaluate the quality of the act itself; it summarizes what the act is and what it sets out to accomplish, and offers a set of predictions about how it could affect the EU and worldwide ICT product market.
One Among Several EU Cybersecurity Laws
Once the act is formally approved by the European Parliament and European Council, it will be the latest in a series of EU regulations (laws that apply uniformly across the Union) and directives (legal frameworks that must be adopted by member states and transposed into national law within a given time period) governing cybersecurity and protection of information.
These include:
- Cybersecurity Act
- General Data Protection Regulation (GDPR)
- Network and Information Systems (NIS) and updated Network and Information Systems (NIS2) directives
- Digital Operational Resilience Act (DORA)
plus a host of individual, more granular rules and recommendations scattered across topic-specific frameworks such as the EU AI Act.
Gilles Chevillon and other CyAN members have posted numerous articles on these topics on the CyAN blog, including an overview of DORA, and a comparison of NIST and DORA – check out our archives for these publications.
While several of the above rules came into force before 2020, most of the EU’s current legislative agenda to enhance security, resilience, and trust, and to reduce risk to society from a variety of digital threats, is part of the 2020 EU Cybersecurity Strategy. Already in the run-up to the passage of the Cybersecurity Act, the inclusion of a cybersecurity certification framework for ICT products and services, to fall under the auspices of the EU Cybersecurity Agency (ENISA), led to a flurry of discussion and lobbying among vendors concerned about additional cost and regulatory complications – not least from US-based technology firms.
Adoption Timeline
Once the Cyber Resilience Act is adopted officially by the EU Parliament and Council,
[…] the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities. (from the EU Commission press announcement).
Why the CRA?
The CRA’s primary objective is to enhance the security and trustworthiness of “products with digital elements” through a series of design and operational criteria. From the proposal itself:
Two main objectives were identified aiming to ensure the proper functioning of the internal market: (1) create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and (2) create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements. (emphasis ours).
Specifically,
Four specific objectives were set out: (i) ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle; (ii) ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers; (iii) enhance the transparency of security properties of products with digital elements, and (iv) enable businesses and consumers to use products with digital elements securely.
Interestingly, the text refers to existing secure-by-design and risk management requirements in specific sectors, such as medical devices, vehicles, and others as exempt from its scope; one of the stated goals of the CRA is to fill gaps and ensure a greater degree of cybersecurity quality in as-yet unregulated classes of devices and industries where they are used.
So…What Does It Actually Contain?
Some of the overarching aspects of the CRA are:
- consistent definitions – of products with digital elements / critical elements, terms, expectations, standards, and other elements – to remove ambiguity,
- inclusion of product cybersecurity in the broader scope of EU-mandated product safety rules,
- definitions of surveillance structures and their attributes,
- structures for enforcement and penalties in case of non-compliance, and
- increased accountability for importers and distributors, pre-empting a potential compliance loophole for products produced outside the EU.
The CRA also places significant duties on manufacturers and vendors, including:
- better product lifecycle risk management, including after sale and within a 5-year period of end-of-life,
- conformity assurance,
- consideration of third-party supplier risk (see also NIS2 and DORA for major elements of third-party risk management – TPRM),
- incident reporting and, if sufficiently significant, integration into EU-wide (EU-CyCLONe) crisis reporting (probably driven in part by systemically critical vulnerabilities such as SolarWinds and Log4Shell),
- clearer accountabilities and responsibilities throughout the product lifecycle, including personnel training and qualification,
- a more consistent ability to respond to regulatory requests for information, and
- documentation of various areas of design, risk management, and compliance.
Relevant to the latter two topics, a very interesting detail in Chapter II, Article 10 is as follows:
Manufacturers shall, further to a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by it, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements […] (emphasis ours)
…thus essentially placing the onus on producers: “if we ask you to prove that your product is compliant, explain it to us, and you make sure that we understand it”. This evokes Dutch financial regulators’ requirements for financial firms, in the wake of the 2007-2008 Global Financial Crisis, to explain any new financial product to the regulator in a way the regulator can understand, rather than making it the regulator’s responsibility to decipher a provided explanation. It is also in line with what we see as an underlying EU philosophy: to allow citizens, consumers, and other stakeholders to more easily make informed decisions about topics that affect their own safety and quality of life.
Some Thoughts About Impact
In short, the CRA is a tremendously ambitious legislative package. It will undoubtedly increase cost and administrative overhead for product developers, vendors, and distributors, add complexity to the product development and maintenance lifecycle, and potentially affect consumers through reduced choice and increased prices. It is conceivable that these increased requirements will also make it more difficult for smaller vendors to access markets, with a negative impact on innovation.
On the other hand, all of the practices the CRA expects of entities in the ICT product supply chain should arguably already be in place. While it is impossible to guarantee the security of a software or other IT product, principles such as secure-by-design and methodologies like the software bill of materials (SBOM), end-to-end source code security assurance and testing, and adherence to common quality and risk management standards such as NIST or ISO should dramatically reduce the number of buggy products released onto the market.
Enforcement of conformity with good security practices also makes it far more likely that serious, long-present vulnerabilities such as Log4Shell, which existed in a widely used component for 8 (!) years prior to its discovery and disclosure in 2021, will be spotted and remediated before they can cause havoc and incur cost for everyone.
Given the sheer size and connectivity of the EU market, the CRA will have global repercussions. Major laws in large markets, such as HIPAA in the US, have driven compliance by foreign-headquartered international firms, and influenced legislation in other jurisdictions by setting an example of what can be done to protect digital society through regulation. For example, GDPR arguably influenced the California Consumer Privacy Act (CCPA), although the latter has a much narrower scope than GDPR.
Increased management accountability, the emergence of the CISO as a business function with reporting lines to the CEO and board, improved industry and public-private threat- and vulnerability-sharing methods and standards, and (blatant plug for our friends at the Good Faith Cybersecurity Researchers Coalition) a clearer and more structured environment for cybersecurity vulnerability reporting and remediation will all help streamline the adoption of the CRA’s requirements.
And last but not least, we believe that ongoing and rapid improvements in intelligent analysis, risk management, automation, and decision-making tools, a very real and useful part of the ongoing AI (r)evolution in IT, will drastically ease the compliance burden on companies of all sizes.
Whether and how public sector entities such as national cybersecurity centres (NCSCs), ENISA, CERTs, or other authorities will be able to support the smooth adoption of the CRA remains to be seen. Until it is formally adopted and the implementation grace period has passed, we will also not know how and to what degree it can be enforced. Judicial precedent will take time to establish, and the EU and its member countries do not historically levy fines on lawbreaking firms anywhere near the level of what US federal and some state supervisory agencies have done in the past.
What is definitely encouraging is that lawmakers are taking the importance and security of ICT products much more seriously than 10-15 years ago. The combination of stronger laws, an increasingly rabid threat landscape, better reporting of vulnerabilities, a greater selection of information security tools available to CISOs, evolving cybersecurity maturity standards, and rising expectations of suppliers’ security on the part of consumers (hopefully extending further among individual consumers than is presently the case) will all go hand in hand to make the digital ecosystem more secure. We’ll keep an eye on the role the CRA plays in this.
Images: I fed Bing AI image creator the prompt
“Please create illustrations using as much as possible of the text of the EU Cyber Resilience Act, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0454 in the style of children’s book author Maurice Sendak, creator of the classic work Where the Wild Things Are”
I think you’ll agree that it was a worthwhile exercise.