On September 15, 2022, the European Commission published a proposal for a “Cyber Resilience Act” and an EU Regulation on “Horizontal Cybersecurity Requirements for Products with Digital Elements”. The latter required manufacturers of “any software or hardware product and its remote data processing solutions” to comply with some minimum cybersecurity requirements when placing a product on the EU market.
The draft Cyber Resilience Act echoes the NIS 2 Directive and the GDPR in mandating cybersecurity by design. It directs manufacturers to design, develop, and produce products that fulfil the cybersecurity requirements, and places the onus on manufacturers to assess:
“Cybersecurity risks associated with [the] product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases […] with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents.”
Put simply, manufacturers must ensure that products are “delivered with a secure-by-default configuration, including the possibility to reset the product to its original state”. They also need to guarantee that the products are “designed, developed and produced to limit attack surfaces, including external interfaces”. The objective, clearly, is to make the security requirements future-proof and technology-neutral. Stricter conformity assessment procedures apply to products belonging to a “critical” category, which includes, among others, identity management systems, password managers, malware detection software, microcontrollers, operating systems, routers, and smart meters.
The draft Cyber Resilience Act includes links to the draft AI Regulation as well. Products classified as “high-risk” AI systems are, by default, considered as compliant with the cybersecurity requirements under the AI Regulation.
Aligning with the GDPR, the Cyber Resilience Act imposes tough penalties to ensure compliance. These include fines of up to 15 million EUR or 2.5% of total worldwide turnover, whichever is higher. Penalties for non-compliance also include recall or withdrawal of the product from the market. Beyond that, the draft Cyber Resilience Act explicitly states that it is “without prejudice to [the GDPR]” – meaning that a manufacturer could be held liable for infringing both sets of rules.
It is more critical now than ever before to ensure that your information security practices are watertight, and that stakeholders at all levels of your organization are focused on devising, rolling out, and maintaining a strong cybersecurity strategy that accounts for all applicable legislation. Companies operating globally will, of course, also need to follow the relevant national policies and keep up with all developments on that front.