
Connected Products: Political agreement reached on EU Cyber Resilience Act


By Hans Allnutt | Published 11 January 2024

Overview

How safe is your smart speaker? Or other internet-connected products in your home? As far back as 2016, members of the European Consumer Organisation (BEUC) demonstrated that even a children's doll could be hacked. Against this backdrop, a lack of formal cybersecurity requirements for connected products has prompted concerns about the protection they offer and how they might be improved.

In the UK, the Product Security and Telecommunications Infrastructure Act and its secondary Regulations are intended to alleviate those concerns, and in late 2023 the European Commission confirmed that political agreement had been reached with the European Parliament and Council on the content of the Cyber Resilience Act covering the European Union.

Forming part of the EU framework in terms of cybersecurity of consumer products, the Cyber Resilience Act ("CRA") will sit alongside the Cybersecurity Act and the NIS2 Directive, which itself takes effect from October of this year.

The final text of the CRA is not yet clear, with some divergence expected from the initial draft [1] advanced by the Commission in 2022. The concluded text remains subject to formal approval by both the European Parliament and Council, but with approval expected in the near future, manufacturers, importers and distributors will have 36 months to comply with any new cybersecurity and reporting requirements. Manufacturers will have a shorter 21-month period to comply with their reporting obligations, but overall, compliance can be expected from early 2027.

What will the CRA cover?

The Cyber Resilience Act will close substantial gaps in EU legislation, which previously imposed no mandatory cybersecurity requirements for 'products with digital elements'. The draft Act defined 'products with digital elements' as "any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately."

The CRA covers a comprehensive range of products, and will ultimately place the following obligations [2] on manufacturers:

  • Cybersecurity to be taken into account in the planning, design, development, production, delivery and maintenance phases.
  • Documentation of cybersecurity risks.
  • Reporting of actively exploited vulnerabilities and incidents.
  • Once a product is sold, ensuring that vulnerabilities are handled effectively for the duration of the support period.
  • Clear and understandable instructions for the use of products with digital elements.
  • Security updates to be made available to users for the time the product is expected to be in use.

The initial draft text of the legislation proposed that certain products would be elevated to a new category of 'critical products with digital elements', which would be subject to additional and specific conformity procedures and assigned to 'Class I' or 'Class II'.

The draft Act (at Annex III) proposed that products such as network management systems and password managers would be considered Class I, with products such as operating systems, routers, modems, smartcards and general purpose microprocessors all falling within Class II. The rationale for assigning these labels is that a "potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I."

However, reporting on the negotiation of the final text indicated that there had been some discussion over these categorisations, as well as over the specifics of the reporting procedures required for actively exploited vulnerabilities and incidents. The specifics of the final text are therefore awaited with great interest.

Open source software

Key discussions around the CRA have focused on concerns regarding the regulation of open source software and the extent to which such software will be expected to comply with the legislation. Reporting at various stages of the negotiations suggested that there would be some form of compromise, with a tiered approach depending on how any open source software is commercialised.

It is understood [3] that the final text, when published, will confirm that software developed with a view to commercial activities will be covered by the CRA, but that non-profit organisations which sell open source software will be excluded, provided that any revenues are reinvested in not-for-profit activities.

Product security in the UK

The aims of the CRA, and the measures it is likely to introduce, are analogous to those being introduced in the UK via the Product Security and Telecommunications Infrastructure ("PSTI") Act and its associated Regulations.

From 29 April 2024, manufacturers, distributors and importers of relevant products covered by the PSTI Act will be required to comply with security requirements such as a suitable mechanism for reporting vulnerabilities, a ban on universal default passwords, and transparency around security updates and support periods. However, it must be noted that the concerns raised by the European Scrutiny Committee in the House of Commons in April 2023 have yet to be resolved. The Committee expressed concerns regarding mutual recognition between UK and EU compliance obligations for products within the scope of the respective pieces of legislation.

In light of the 36-month implementation period for the majority of the CRA obligations, there are likely to be further discussions between the UK and EU on issues of mutual recognition. The security requirements laid down by the PSTI are made by secondary regulations, and it remains possible that further obligations or amendments could be made as necessary. However, this would require discussion with appropriate industry stakeholders to minimise disruption, and we do not anticipate such moves being made in the immediate future.

References

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454
[2] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-factsheet
[3] https://www.euractiv.com/section/cybersecurity/news/eu-institutions-finalise-agreement-on-cybersecurity-law-for-connected-products/
