Image: Getty Images/Westend61
The European Commission has proposed cyber-resilience legislation that could lead to cybersecurity labels and penalties for device manufacturers with shoddy cybersecurity features and practices.
The proposed law covers hardware and software of “products with digital elements” sold in the European Union and connected to any network.
The Cyber Resilience Act (CRA) proposal covers most network-connected devices except medical devices for human use and excludes “free and open-source software developed or supplied outside the course of a commercial activity”. What it describes as “high-risk AI systems” and electronic health record systems fall in scope.
Among other requirements, once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), security vulnerabilities are “handled effectively”.
Device manufacturers will need to report actively exploited vulnerabilities to Europe’s cybersecurity authority ENISA within 24 hours of becoming aware of it, as well as immediately inform users.
The CRA aims to close gaps in current EU legislation and complement the existing Network and Information Systems (NIS Directive), the recently adopted NIS 2 Directive (which covers SaaS and cloud providers), and the EU Cybersecurity Act.
“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain,” said Thierry Breton, commissioner for the internal market.
Breton said that hundreds of millions of computers, phones, household appliances, virtual assistance devices, cars and toys are a potential entry point for a cyberattack. “And yet, today most of the hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
Once in effect, manufacturers will have 24 months to become compliant. By then, software and connected devices would need to bear the CE marking to indicate compliance with the new cybersecurity standards. National authorities will be able to impose fines of up to €15m ($15m) or up to 2.5 % of the the firm’s worldwide annual turnover for the preceding financial year, whichever is higher.
The EU plans to rate different products as Class II or Class I depending on what negative impacts a cyber incident can have. Class I includes a range of security hardware and software. Class II includes everything from operating systems to processors, routers, smart cards, IoT devices, robotic sensors, and Industrial Automation & Control Systems.
It will also require manufacturers have a “coordinated vulnerability disclosure policy” that specifies how reports from third-parties are submitted and permits bug bounty programs.
Importing firms also need to ensure the products sold in the EU comply with the CRA, have CE markings, and provide their contact details on products. They will need to retain documentation of product conformity for 10 years after selling it.
European Parliament and the Council will now need to examine the draft CRA and vote on its final text. Once adopted, manufacturers and member states have two years to adapt to the new requirements.