Ensuring a cybersecurity framework throughout the lifecycle, and enhancing transparency.
The Cyber Resilience Act (CRA) wishes to bolster cybersecurity and ensure more secure hardware and software products. Successful cybercrimes are estimated to be responsible for at least 5.5 trillion euros of damages annually. Existing EU cybersecurity legislation does not address the cybersecurity of non-embedded software, and increasing attacks cause significant delays and costs. The main goals of this new legislation are to ensure that products reach the markets with fewer known vulnerabilities, and to allow consumers to take cybersecurity into account when purchasing a new digital product.
Four main objectives:
- Ensure manufacturers improve cybersecurity of products from development throughout the life cycle.
- Ensure a coherent cybersecurity framework, facilitating compliance.
- Enhance transparency of security properties.
- Enable businesses and consumers to use secure products.
Current legislation only partially addresses cybersecurity-related problems and risks, thus creating a legislative patchwork within the internal market that increases legal uncertainty. To increase the overall level of cybersecurity of all products with digital elements, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements. In the strategic sector of chip production, a limited number of non-EU suppliers produce semiconductors that power Europe’s industry. The European chips act will promote a European chip ecosystem to boost innovative capacity. Two categories are listed:
- The first category includes browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management, systems, physical network interfaces, routers, and chips used for entities falling under the NIS2 (Network and Information Securit) Directive. It includes operating systems, microprocessors, and industrial IoT.
- The second category includes higher-risk products such as desktop and mobile devices, virtualized
operating systems, digital certificate issuers, general-purpose microprocessors, card readers,
robotic sensors, smart meters, and all IoT routers and firewalls for industrial use.
The main difference between the two categories is the compliance process. The CRA legislation will complement the NIS2 Directive legislation that will expand the scope of entities required to comply with its rules.
The main obligations of the act:
- Essential cybersecurity requirements. Products with digital elements will only be allowed on the market where they meet the “essential cybersecurity requirements” set out in section 1 of Annex I of the CRA. For example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial-of-service attacks.”
- Vulnerability handling requirements. Manufacturers must comply with various requirements relating to handling vulnerabilities, which are set out in section 2 of Annex I of the CRA. For example, “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy on coordinated vulnerability disclosure”.
- Extra requirements for “critical” products. All products must undergo a self-certification conformity assessment procedure. “Critical products” must undergo a more formal assessment under Annex III.
- Conformity of products and information, and instructions to users. Chapter III of the CRA provides various conformity requirements. An EU declaration of conformity must be provided with the product (in the format set out in Annex IV of the CRA). “Technical documentation” must be drawn up before the product is placed on the market. Annex V to the CRA sets the precise details of what the technical documentation must contain. Annex II sets out what must be contained in the “information and instructions to the user.”
- Reporting obligations. Manufacturers must notify ENISA of any event within 24 hours of becoming aware of any actively-exploited vulnerability contained in the product or any incident impacting the product’s security.
- Obligations on the rest of the supply chain. Distributors and importers must ensure that their products comply with the CRA legislation.
