Reductions proposed to product categories affected by EU Cyber Resilience Act
The Cyber Resilience Act (CRA), which is designed to bolster the cybersecurity of digital products in the European Union, is being circulated in its latest form with reductions in the product categories that will have to comply with the rules.
The changes come under the Spanish presidency of the EU Council with the European Parliament having stated its reasons for the CRA explaining: “For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money owing to product security gaps.”
The CRA is designed to ensure manufacturers improve the cybersecurity of covered products throughout the whole life cycle; create a single, coherent framework for cybersecurity compliance in the EU; increase the transparency of cybersecurity practices and properties of products and their manufacturers; and provide consumers and businesses with secure products ready for use.
The legislation requires product manufacturers to self-assess to ensure they comply with the regulation’s requirement, except for specific categories of products that must undergo external vetting by authorised auditors.
The special categories are Class I and II products with the semi-final criteria significantly amended to cover categories that primarily perform functions critical to the cybersecurity of other products or entail a significant risk of adverse effects to other products if manipulated.
Class I products would only need to fulfil one of the criteria, whereas Class II products would have to meet both. Class I is predicted to only include anti-virus software, general-purpose boot managers, digital certificate issuance software, operating systems, network interfaces, internet routers, microprocessors and microcontrollers.
In Class II only Virtual Private Networks (VPNs), runtime systems that support virtualised execution of operating systems, and firewalls are included.
The Commission will have the power to require mandatory EU cybersecurity certification for a highly critical products category which now includes hardware devices with security boxes, smart metering systems for advanced security purposes, including secure crypto-processing and smartcards.
The Commission will first have to conduct an impact assessment on the mandatory certification’s effect on the internal market, as well as the implementation capabilities of the member states. The Commission will need to specify the level of assurance required as either ‘substantial’ or ‘high’.
The draft law mandates product manufacturers to report cybersecurity incidents and actively exploited vulnerabilities to the national Computer Security Incident Response Team (CSIRT).
The Council text also requires manufacturers to determine the expected product lifetime with surveillance authorities empowered to request manufacturers to justify this period. An amendment clarified that the regulation “does not apply to components that are exclusively manufactured as spare parts to replace identical components and are supplied by the manufacturer of the original product with digital elements.”
Once adopted, the regulation will be implemented in two phases. Within the first twelve months, manufacturers and developers of connected devices will be obligated to report exploited cybersecurity vulnerabilities and breaches. Within twenty-four months, member states and affected businesses will have two years to adapt to the new requirements proposed by the CRA as it enters into force.
W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small, including, Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit www.wdenis.eu or contact Vida Jarašiūnaitė email@example.com or Mark Dutton firstname.lastname@example.org