Cyber Resilience Act - New initiative to create cybersecurity rules for digital products

Political context

In her State of the Union Address of 15 September 2021, President von der Leyen first revealed the self-proclaimed goal that the European Union ("EU") should become a leader in cybersecurity in the context of a new Cyber Resilience Act by the European Commission ("EC"). In light of an increasing number of high profile cyberattacks with a global footprint, the annual cost of cybercrime to the global economy in 2020 was estimated to be 5.5 trillion Euros, double that of 2015.

The new Cyber Resilience Act would specifically complement the already existing baseline cybersecurity framework of the Network and Information Security Directive (“NIS”) and the 2019 Cybersecurity Act of 2019. Currently, NIS is also in the process of review undergoing the second round of trialogue negotiations. Insofar, please see the HL-Engage article of our colleague Dan Whitehead respectively.  

The EU’s cybersecurity strategy for the digital decade of 16 December  2020 announced the establishment of ‘new horizontal rules’ for connected products and associated services placed on the Internal Market. The planned cyber Resilience Act would complement the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive (“RED”).

In its early stage of planning the general goal of the EC (downloadable here) is to establish cybersecurity goals for digital products and ancillary services, consulting a variety of stakeholders such as ICT industry representatives (e.g. hardware manufacturers, software developers, distributors, importers) and professional users, national competent authorities, including cybersecurity-relevant authorities, consumers and consumer associations, conformity assessment bodies, academic experts and the general public in a public consultation and feedback period between 16 March – 25 May 2022.

Challenges and Objectives

Due to its connected nature, a cybersecurity incident in one product can affect an entire organisation or supply chain. The EC initiative aims to address a number of practical challenges as well as potential gaps within the current European Cybersecurity regime:

• A lack of appropriate security in digital products and ancillary services (one of the main avenues for successful cyberattacks).
• Inadequate cybersecurity measures due to (i) time-pressure in the development stage, in particular if a supplier wants to launch a novel product as first market, (ii) a lack of qualified security professionals or (iii) cost- and/or profit-pressure combined with the lack of economic incentives.
• The current framework basically only covers certain sections of the lifecycle of a product. The EU regulatory framework on products does e.g. not address specifics on software updates that need to be done on a regular basis.
• The existing framework does also not cover all types of digital products: In particular, hardware products that are neither covered by the RED nor the Medical Devices Regulation as well as non-embedded software products are not addressed by the current framework, although they are relevant targets for cybersecurity attacks.

The initiative has three main objectives:

• Enhancing and ensuring a consistently high level of cybersecurity of digital products and ancillary services with a broad range of such products secured throughout their whole life cycle proportional to the risks.
• Aiming to enable users to match security properties of such products against their needs, especially through enhancing the transparency of cybersecurity features. This protects users from insecure products and motivates vendors to offer more secure products.
• Improving the functioning of the internal market by levelling the playing field for vendors of digital products and ancillary services.

Through these objective, the eventual new regulation could provide more transparency for consumers and vendors, to guarantee more safety and increase the trust in the digital single market.

Policy options

In practice, the EC hopes for the essential cybersecurity requirements to translate into harmonised standards for different product categories. As the framework is still in the early stages of the legislative process, it has not yet been conclusively clarified whether they will be regulated in one horizontal piece of legislation or on an ad hoc basis.

Currently, there are five potential policy approaches through which the objectives of the Directive could be reached:

• Maintaining the status quo – This would mean that the legislation as it is now would be kept, partially addressing what the EU legislative already regulates.
• Voluntary measures – i.e, an extension of the certification schemes currently used under the Cybersecurity Act.
• 'Ad-hoc' regulatory interventions – i.e., selective interventions that are limited to certain new risks as they emerge.
• A mixed approach of mandatory and soft rules – i.e., a horizontal regulatory intervention with an additional staggered approach.
• A broad-scale horizontal regulatory intervention – That introduces mandatory cybersecurity requirements for a wide range of digital products and ancillary services.

In its early stage of planning, the Directive is also taking feedback in a separate poll a.o. on what kind of policy options would be preferred.

Outlook

For better regulation, the European Commission allows comments through an exploratory and public consultation. Both procedures are open between 16 March 2022 – 25 May 2022. The EC plans to adopt the initiative in the third quarter of 2022.

The EC uses exploratory consultation to determine the scope of politically sensitive and significant legislation and policies. Anyone potentially affected by the legislation or policy is eligible to participate. Businesses and individual citizens are also covered. Individual responses are published on the linked website.

Public consolidation is a more specific feedback mechanism, despite being concurrent in time. The EC uses a questionnaire to identify stakeholders’ view on current and emerging problems related to the cyber security of digital products and associated services. Stakeholders include government agencies, businesses and consumers.

The identical scope allows participation in both procedures. Public consultation is recommended, as it is highly probable that the aspects presented will be taken into account due to the continued specification. The EC also explains in a separate report how the feedback received was taken into account. This ensures effective participation.

The consideration of the own concerns is reinforced by the fact that the possibility of public consultation has hardly been used so far.

As this initiative aims to address market needs and protect consumers from insecure products by introducing common cybersecurity rules for manufacturer and vendors of tangible and intangible digital products and ancillary services, a participation from your side is highly recommended to make sure everything important will be considered in the new regulation. To participate, you can find the consultation here.

If there any open questions or you need assistance, please do not hesitate to contact us. Like many times before, HL will work with interested clients on the drafting of statements. If you are interested in joining, please feel free to reach out to us. As always, we are happy to help. Contact details can be found in the contact section above.

Authored by Nicole Böck and Johannes Reinsberg.