The Cyber Resilience Act: What do plans to strengthen cybersecurity mean for “products with digital elements”?

Together, the Internet of Things (IoT) and all the stakeholders it encompasses form one of the strongest and most sustainable growth industries of recent years. The increasing interconnectedness of physical and virtual objects is challenging European legislators to embed the evolving landscape in a pan-European regulatory framework. A particular aspect that should not be overlooked is the involvement of a wide range of stakeholders – and with it, the increasing vulnerability to information security risks as the level of interconnectedness increases.

Particularly relevant from a regulatory perspective is a new proposed regulation issued by the European Commission, known as the Cyber Resilience Act. The draft, published on 15 September 2022, was already discussed in the Council in December of that year, but the first reading by the Parliament is still pending as of March 2023.

The legislation primarily concerns software or hardware products with remote data processing solutions, or more precisely so-called “products with digital elements”. The regulation is intended to affect not only vendors but also other stakeholders connected with the product: it also imposes obligations on manufacturers (including software developers), importers and distributors.

This article aims to provide an overview of the new cybersecurity obligations provided for in the Cyber Resilience Act and to distinguish them from the scope of the act implementing the Digital Content Directive and the Sale of Goods Directive, which has already come into force and covers contracts for “digital products” and “goods with digital elements”.

Cyber Resilience Act (draft CRA)

In an effort to create a harmonised regulatory framework for cybersecurity requirements for products with digital elements, the European Commission published a draft of a new regulation on cyber resilience in September 2022. In particular, the current EU regulatory framework does not sufficiently address the cybersecurity of non-embedded software, despite the fact that cybersecurity attacks are increasingly targeting vulnerabilities in such products and causing significant societal and economic costs. The planned regulation is intended to address two key issues: firstly, the inadequate general level of cybersecurity, reflected in particular in widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them; and secondly, insufficient access to information and understanding among users to enable them to choose or use products with adequate cybersecurity features in a safe way.

Scope

The scope of the draft CRA extends to so-called “products with digital elements” whose intended and reasonably foreseeable use involves a direct or indirect data connection to another device or network. “Product with digital elements” means “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”. This means that the definition only covers devices that can (also) communicate wirelessly. According to Recital 9 of the draft CRA, software-as-a-service (SaaS) products explicitly do not fall within the scope of the regulation but are instead subject to the scope of the NIS2 Directive, which is also currently at the draft stage. The regulation provides for only a few exceptions to its material scope, such as medical devices subject to the Medical Devices Regulation or products with digital elements developed exclusively for national security or military purposes. Open-source software is explicitly addressed in Recital 10, which states that free and open-source software developed or supplied outside the course of a commercial activity should not be covered by the regulation. However, the wording of the law does not explicitly exclude such software from its scope of application, as was the case, for example, with the implementation of the Digital Content Directive in Sect. 327(6) No. 6 of the German Civil Code (BGB). This rather watered-down exception has been criticised by some, who argue that the development of open-source software depends on global exchange, and that the strict requirements of the draft CRA could cut the EU off from opportunities for open-source software development.

In addition to the ‘standard category’, the draft CRA also distinguishes between “critical” products with digital elements according to Art. 2 No. 3, 6(2), and “highly critical” products with digital elements according to Art. 2 No. 4, 6(5) draft CRA, which entail correspondingly higher cybersecurity risks. By way of example, the Commission mentions the following product categories:

Class 1 (“critical” products with digital elements):

  • Password managers
  • Identity and access management systems
  • Products with digital elements with the function of a virtual private network (VPN)
  • Browsers
  • Antivirus programs
  • Security information and event management (SIEM) systems

Class 2 (“highly critical” products with digital elements):

  • Operating systems for servers, desktops, and mobile devices
  • Public key infrastructure and digital certificate issuers
  • Microprocessors (CPUs)
  • Hardware security modules (HSMs)
  • Smart meters

Obligations

The regulation addresses different stakeholders: manufacturers, importers and distributors, with the most significant obligations falling on manufacturers (including software developers). They must have procedures in place to deal with cybersecurity vulnerabilities in their products, including addressing and reporting them, and reporting security incidents both to ENISA (the European Union Agency for Cybersecurity) and to affected users.

The classification of products into risk groups is based on verifiable self-declarations by the manufacturers. Manufacturers will have to confirm that their products with digital elements comply with the requirements of the regulation by affixing a CE marking to the product. Finally, a conformity assessment procedure must be carried out to demonstrate compliance with the specified security requirements, either by the manufacturer or by a third party, depending on the classification in the security categories described.

The draft law also covers the following areas:

  • Cybersecurity must be taken into account in more or less all phases of the life cycle of the product with digital elements, including the delivery and maintenance phases, and a documentation obligation to this effect applies.
  • A reporting obligation for actively exploited vulnerabilities and security incidents.
  • An obligation to monitor and eliminate vulnerabilities during the expected lifetime of the product and the establishment of procedures to do so (over a maximum period of 5 years).
  • An obligation to provide clear and understandable instructions for use for products with digital elements.
  • An obligation to provide security updates for at least 5 years.
  • Rules for market surveillance and enforcement of the above rules and requirements.

While the far-reaching obligations are an important step towards a stronger cybersecurity regime and thus better consumer protection, they may also have an impact on access to the European market and on its international competitiveness. Moreover, it is questionable whether imposing obligations on all participants in the product chain is really the best way to ensure a high level of cybersecurity, as the most effective measures can often be taken by manufacturers, in particular with regard to updates and design.

The regulation will apply regardless of whether the product with digital elements is sold to consumers or in the B2B sector. While the Digital Content Directive and the Sale of Goods Directive only gave consumers new rights in the area of contract law, the CRA aims to create a new general framework, independent of whether a contract has actually been concluded.

Sanctions

Failure to comply with the requirements of the CRA would likely be punishable by a fine of up to €15 million or up to 2.5 per cent of the total worldwide annual turnover in the preceding business year, imposed by a body to be determined by the Member States. In this case, the fine will be based on the higher of the two amounts. In Germany, the Federal Office for Information Security (BSI) could be made responsible for this.

Furthermore, the relevant authorities can take staggered measures: they can order the removal of an identified risk and thus the (re-)establishment of conformity (level 1), they can restrict or prohibit the provision of a product with digital elements on the market (level 2), or finally they can require a product recall (level 3).

The Commission’s proposal provides for the Regulation to apply 24 months after its entry into force, although the obligation to report incidents, for example, is to apply 12 months after entry into force.


Digital Content Directive and Sale of Goods Directive

The Digital Content Directive, which was implemented in Germany on 1 January 2022 by the “Act on the Implementation of the Directive on Certain Aspects Concerning Contracts for the Supply of Digital Content and Digital Services”, has created a uniform legal framework for contracts on so-called digital products for the first time. The Sale of Goods Directive, also implemented on 1 January 2022, created a uniform legal framework on so-called goods with digital elements. Both directives create a new framework for “digital” contract law between businesses and consumers. As such, a consumer contract is required for the relevant standards to apply, in contrast to the provisions of the CRA, which are largely of general application.

The acquisition of digital content and services by consumers in return for payment is governed by the consumer contract for digital products. This rule, introduced by the Digital Content Directive, is mainly applied to the use of databases, social media, cloud and SaaS services, media downloads and streaming services. Contracts for digital products must be distinguished from contracts for goods with digital elements. In this case, goods contain or are linked to “stand-alone” digital products. Examples include smart devices such as smartphones and smartwatches. With the exception of software provided as a service, a “product with digital elements” according to the above definition can in fact also be any digital product as defined in the implementation of the Digital Content Directive or any good with a digital element as defined in the Sale of Goods Directive, provided that they provide for remote data processing designed by or under the responsibility of the manufacturer.

In particular, the draft CRA, like the Digital Content and Sale of Goods Directives, provides for an obligation to update affected products or goods. While the obligation to update under the draft CRA applies to manufacturers, the obligation under the Digital Content and Sale of Goods Directives applies to sellers. The exact relationship between these two obligations is not yet clear. However, it is at least conceivable that non-compliance with the updating obligation under the draft CRA, as well as with the other product-related obligations contained therein, could constitute a product deficiency within the meaning of Sect. 327e of the German Civil Code (BGB). A provision clarifying this situation would be desirable in the further legislative process of the Cyber Resilience Act.

Conclusion

As is always the case when the Commission proposes new legislative initiatives, it will first be necessary to wait and see how the proposal is further developed. Trilogue negotiations are expected to start in the middle of the year, so adoption by Parliament and Council before the end of the year seems unlikely. After that, the regulation will not be directly applicable until 24 months after its entry into force. The exception to this is Art. 11 (obligation to report actively exploited vulnerabilities and security incidents), which will already apply 12 months after entry into force. Projects such as the Cybersecurity Act make it clear that the European Union is finally giving information security and the threat of attacks the importance they have had in practice for years. In the long term, this development can also bring financial benefits to organisations. For example, the Commission expects the CRA to reduce the cost of security incidents to affected companies from €470 billion to €290 billion per year – a reduction of €180 billion. At the same time, the market as a whole, with an estimated annual turnover of €1485 billion, is expected to face implementation costs of €29 billion, mainly due to new compliance requirements.

Although it may be months or even years before a Cyber Resilience Act is actually applied, it is worth assessing and adapting your own products and processes in advance, especially because of the ongoing obligations it creates, as well as those of the Digital Content and Sale of Goods Directives, such as the obligation to update. With our legal expertise and many years of consulting experience in the IT and e-commerce industries, we can help you.
