The EU Commission's proposal for a CE regulation aims to safeguard companies and consumers when purchasing digital products. In the future, manufacturers will also have to fulfill explicitly named cyber security requirements and perform a cyber risk assessment.
This brief overview explains the Commission's motives as well as some aspects of the content of this planned legal act.
Considerations of the Commission
A hacker attack occurs every 11 seconds. This results in costs of over 5 trillion euros. This is what the EU Commission writes in its cybersecurity strategy, underpinning the need to ensure a higher level of cybersecurity in the future. The aim is for the specified requirements to become a permanent component of the entire supply chain.
The published proposal for a "Cyber Resilience Act" is intended to ensure that digital products become more secure for individuals and companies. Manufacturers of such products, both hardware and software, will be required to address vulnerabilities through software updates and to inform end users of their products about potential cybersecurity risks. In addition, the draft regulation defines requirements for software development, thus underscoring the "security by design" already required by the Cybersecurity Act.
Objectives of the legal act
The cybersecurity legislation presented by the EU Commission has the overarching goal of bringing more secure hardware and software products to the internal market. The Commission fleshes out this goal in 4 measures:
- ensuring that manufacturers improve the security of products with digital elements from the design and development phase and throughout their lifecycle.
- ensuring a coherent cybersecurity framework that facilitates compliance for hardware and software manufacturers.
- improving the transparency of security features of products with digital elements.
- enabling businesses and consumers to use products with digital elements safely.
The proposed legislation shows that its scope is very broad:
"This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network."
By loosely defining "digital elements," the regulation thus includes hardware such as machines and IoT devices as well as pure software products.
The scope also mentions exceptions; for example, medical devices under Regulation (EU) 2017/745 do not fall within the scope of the proposed act.
The legal act also regulates the future interaction with Delegated Regulation 2022/30, which already imposes security requirements on Internet-ready equipment as defined in the Radio Equipment Directive 2014/53/EU. Brussels announced that in order to avoid overlaps, Regulation 2022/30 will either be repealed or merely amended.
Conformity assessment procedure and cyber risk assessment
Analogous to previous EU legal acts (e.g., the Machinery or Low Voltage Directive), the Cyber Resilience Act also provides for a conformity assessment procedure.
The core of the procedure is the cyber risk assessment. Thus, the draft provides in Article 10, paragraph 2:
"manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users."
Depending on the criticality of the products, the conformity assessment procedure distinguishes between self-certification and two procedures that require the involvement of notified bodies. Details can be found in the Cyber Resilience Act Factsheet.
Particularly noteworthy for manufacturers, in our view, are the provisions in Annex V, paragraph 2, of the draft regulation. Here, the draft lists several aspects (design, development, production, vulnerability analysis) as contents of the technical documentation. This means that, if the EU Commission has its way, software architecture decisions as well as decisions about the development and build process will have to be documented accordingly in the future. This naturally means more documentation effort for companies. In particular, the rapid technological development of software development tools (e.g. for build processes) will certainly present companies with organizational challenges that are manageable but should not be underestimated.
The wording of the proposal:
"CONTENTS OF THE TECHNICAL DOCUMENTATION
a description of the design, development and production of the product and vulnerability handling processes, including:
(a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;
(b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;
(c) complete information and specifications of the production and monitoring processes of the product with digital elements and the validation of these processes."
Effective date and further information
The Commission's proposal will subsequently be examined in the European Parliament. If the proposal is adopted, manufacturers will have a transition period of 2 years to implement the new requirements. Since the political process is only just beginning with the Commission's proposal, it can be assumed that some time will pass before it comes into force. Nevertheless, due to the current security situation and in particular the Ukraine war, it can be assumed that increasing resilience against cyber attacks in Europe is a high political priority and will be pursued with corresponding vigor. "Cyber Resilience Act" - nomen est omen, the name says it all.
Interested readers can read the proposal for a regulation on the pages of the EU Commission.
Posted on: 2022-09-20
Johannes Windeler-Frick, MSc ETH
Managing Director of IBF Solutions AG, the Swiss subsidiary of IBF in Zürich. Johannes is a trainer for both the Machinery Directive (MD) as well as the Low Voltage Directive (LVD). He studied electrical engineering at ETH Zürich with a specialization in energy systems.