The EU Commission's proposal for a CE regulation aims to safeguard companies and consumers when purchasing digital products. In the future, manufacturers will also have to fulfill explicitly named cyber security requirements and perform a cyber risk assessment.
This brief overview explains the Commission's motives as well as some aspects of the content of this planned legal act.
A hacker attack occurs every 11 seconds. This results in costs of over 5 trillion euros. This is what the EU Commission writes in its cybersecurity strategy, underpinning the need to ensure a higher level of cybersecurity in the future. The aim is that the specified requirements should be included as a permanent component in the entire supply chain.
The published proposal for a "Cyber Resilience Act" is intended to ensure that digital products become more secure for individuals and companies. Manufacturers of such products, both hardware and software, will be required to address vulnerabilities through software updates and to inform end users of their products about potential cybersecurity risks. In addition, the draft regulation defines requirements for software development, thus underscoring the "security by design" already required by the Cyber Security Act.
The cybersecurity legislation presented by the EU Commission has the overarching goal of bringing more secure hardware and software products to the internal market. The Commission fleshes out the thrust of the legislation in the form of 4 measures:
The proposed legislation makes clear that the scope of the regulation is very broad:
"This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network."
Because "digital elements" is defined loosely, the regulation covers hardware such as machines and IoT devices as well as pure software products.
The scope also mentions exceptions; for example, medical devices under Regulation (EU) 2017/745 do not fall within the scope of the proposed act.
The legal act also regulates the future interaction with Delegated Regulation 2022/30, which already imposes security requirements on Internet-ready equipment as defined in the Radio Equipment Directive 2014/53/EU. Brussels announced that, in order to avoid overlaps, Regulation 2022/30 will either be repealed or merely amended.
Analogous to previous EU legal acts (e.g., the Machinery or Low Voltage Directive), the Cyber Resilience Act also provides for a conformity assessment procedure.
The core of the procedure is the cyber risk assessment. Thus, the draft provides in Article 10, paragraph 2:
"manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users."
Depending on the criticality of the products, the conformity assessment procedure distinguishes between self-assessment by the manufacturer and two procedures that require the involvement of notified bodies. Details can be found in the Cyber Resilience Act Factsheet.
Particularly noteworthy for manufacturers, in our view, are the provisions in Annex V, paragraph 2, of the draft regulation. Here, the draft lists several aspects (design, development, production, vulnerability handling) as contents of the technical documentation. This means that in the software development process - if the EU Commission has its way - software architectural decisions as well as decisions regarding the development and build process will have to be documented accordingly in the future. This naturally means an increased documentation effort for companies. In particular, the rapid technological development of software development tools (e.g. for build processes) will present companies with organizational challenges that are manageable but should not be underestimated.
The wording of the proposal:
"CONTENTS OF THE TECHNICAL DOCUMENTATION
(…)
a description of the design, development and production of the product and vulnerability handling processes, including:
(a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;
(b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;
(c) complete information and specifications of the production and monitoring processes of the product with digital elements and the validation of these processes."
Given the current security situation, and the war in Ukraine in particular, it can be assumed that increasing resilience against cyber attacks in Europe is a high political priority and is therefore being pursued with vigour.
On 1 December 2023, the European Parliament and the Council reached an agreement on the Cyber Resilience Act proposed by the Commission in September 2022. It retains the main features of the Commission's previous proposal, but the co-legislators propose adjustments in some areas. These include, for example, a simpler methodology for the classification of digital products covered by the regulation, a definition of product lifespan by manufacturers, and a reporting obligation for actively exploited vulnerabilities and incidents.
The European Parliament adopted the compromise text on 12 March 2024. Following approval by the Council, it can be published in the Official Journal of the EU, after which the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
Once the AI Regulation enters into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of manufacturers' incident and vulnerability reporting obligations, which apply after 21 months.
Interested readers can read the proposal for a regulation on the pages of the EU Commission.
Posted on: 2024-03-13 (last amendment)
Johannes Windeler-Frick, MSc ETH, Managing Director of IBF Solutions AG, the Swiss subsidiary of IBF in Zürich. Johannes is a trainer for both the Machinery Directive (MD) and the Low Voltage Directive (LVD). He studied electrical engineering at ETH Zürich with a specialization in energy systems.
Email: johannes.windeler-frick@ibf-solutions.com | www.ibf-solutions.com
Daniel Zacek-Gebele, MSc, Product manager at IBF for additional products and data manager for updating standards data on the Safexpert Live Server. Studied economics in Passau (BSc) and Stuttgart (MSc), specialising in International Business and Economics.
Email: daniel.zacek-gebele@ibf-solutions.com | www.ibf-solutions.com