Europe’s new cyber resilience act (CRA) was presented by the European Union today. The EU says it wants the legislation to protect consumers and businesses in Europe from products, software and apps with inadequate security features. It will introduce mandatory cybersecurity requirements for products with digital elements throughout their whole lifecycle.
Margaritis Schinas, vice-president for promoting our European way of life at the European Commission said that he believed that the EU was showing leadership in proposing something that would become “a global standard.” The EU has already
In a press conference today, Schinas and Thierry Breton, commissioner for the internal market, presented the CRA, explaining that manufacturers will have obligations to take cybersecurity into account in all stages of product, software and app development. Cybersecurity risks will also have to be documented for all wireless and wired products and software. The EU says that manufacturers will also bear an increasing responsibility to provide security support and software updates to address any identified vulnerabilities. It is estimated that this will cost the relevant companies 2% of annual global revenue.
The CRA was first announced in September 2021 by Ursula von der Leyen, European Commission president, during her State of the European Union address. It builds on the EU’s 2020 cybersecurity strategy and the 2020 EU security union strategy.
The proposal will be reviewed by the European parliament and the council and, once adopted, economic operators and member states will have two years to adapt to the new requirements. Manufacturers will need to report actively exploited vulnerabilities and incidents one year from the date of entry into force.
Why has the EU created the Cyber Resilience Act?
Schinas told reporters that the pandemic accelerated the rise in cyberattacks because of the transition to digital services. He said that financial services and healthcare services were targeted more than most because of the vast amounts of data held by organisations in those sectors. Data breaches alone carry an annual cost of €10bn, and the annual cost of malicious attempts to disrupt traffic on the internet is estimated to be at least €65bn, according to the EU’s impact assessment report.
The EU presented its cybersecurity strategy in December 2020, proposing to integrate cybersecurity into every element of the supply chain. The CRA is designed to complement this framework.
Breton said that Europe can only be as strong as its weakest link, which could be an unsafe product anywhere along the supply chain. He told reporters that products such as computers, phones, household appliances, virtual assistant devices, cars and toys were all included, as the younger generations use digital spaces that connect to the physical world.
“Today most of the hardware and software products are not subject to any cyber security obligations,” he said. “By introducing cybersecurity by design, the CRA will help protect Europe’s economy and our collective security.”
What does the CRA cover?
The EU’s new legislation will mean manufacturers will have to report actively exploited vulnerabilities and incidents as well as ensure that the vulnerabilities are handled effectively for a period of five years, or the expected product lifetime – whichever is shorter.
They will also need to have clear and understandable instructions for the use of products with digital elements, with security updates to be made available for at least five years.
According to information provided by the EU, there will be three categories of products, software and apps with different requirements to meet. The “default category”, which will make up 90% of products, will only require a self-assessment of the product’s vulnerabilities. These would include products such as photo editing and word processing software, smart speakers, hard drives and games.
The next two “critical” categories, I and II, will make up 10% of the affected companies. Class I critical is made up of password managers, network interfaces, firewalls and microcontrollers and will require a third-party assessment or the application of a standard. Class II critical covers operating systems, industrial firewalls, CPUs and secure elements and will require a third-party assessment of functionality (critical software), intended use (industrial control/NIS2) and other criteria such as extent of impact.
Margrethe Vestager, executive vice-president for a Europe fit for the digital age, said: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the CRA will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
British organisations must take action
Tech Monitor spoke to Keiron Holyome, VP of UKI, Eastern Europe, Middle East and Africa at BlackBerry, who said that the European requirements must be viewed as a “new global standard.”
“The EU’s new act further highlights that British organisations must take action, particularly when it comes to the use of potentially insecure smart devices for home working,” says Holyome.
“BlackBerry’s latest research found that only 21% of UK home workers say their employer has established a cybersecurity policy for the use of smart devices in the home office,” he continues, explaining that this creates a huge opening for cybercriminals looking to target UK enterprises, with knock-on effects to employees themselves.
He added: “Although smart devices may seem innocent, bad actors can easily access home networks with connections to company devices – or company data on consumer devices – and steal intellectual property worth millions.
“Therefore, it is vital that British organisations evaluate their cybersecurity defences now, while introducing mandatory cybersecurity requirements for hardware and software products used by employees for home working.”
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.