CyberItalia: Proposed Cyber Resilience Act for greater information security of digital products
The passage of the Cyber Resilience Act is still under discussion. If passed, hardware and software companies will have to adopt enhanced cybersecurity requirements on their products.
The seventh article in the CyberItalia column provides a brief overview of the proposed Cyber Resilience Act and the main obligations the regulation would introduce for producers of digital products.
The Cyber Resilience Act (CRA) is a proposal for a European Commission regulation to introduce common cybersecurity requirements for products with digital elements, both hardware and software.
When?
The proposal was presented on 14 September 2022. Both the EU Council and the Parliament have reached a compromise text on the Commission's proposal, so trialogues are now expected to lead to the approval of the final text (expected by 2023).
Who is it addressed to?
The CRA's provisions are aimed at the chain of economic operators involved in the development, production and distribution of products with digital elements, so essentially:
- manufacturers (developers and producers)
- importers
- distributors
The Regulation focuses on products with “digital elements”, especially the world of IoT and connected devices. SaaS services are not covered by the Regulation; they fall under NIS2 instead. Some specific digital products covered by sectoral regulations and, in general, “non-commercial activities” are also not covered. A large part of the CRA debate is focused on this last term: a restrictive interpretation of it would have a significant impact on the sustainability of numerous ongoing open source software projects.
Such projects, when developed by companies, and in some cases also by nonprofit foundations, would lose their “non-commercial” status and would have to comply with all the obligations provided for by the CRA, many of which – as pointed out by several members of the OSS community – would not be compatible with the characteristics of open source development.
What does it involve?
The primary objective of the CRA is to address the poor level of cybersecurity and vulnerabilities in many software and hardware products on the market. The CRA also aims to address the lack of comprehensive information on the cybersecurity properties of digital products to enable consumers to make more informed choices when buying products.
- Minimum security requirements – With respect to the first point, the CRA proposal aims to ensure that software and hardware made available on the market meet certain essential cybersecurity requirements. For each product with digital elements, a cybersecurity risk assessment will be required that assesses the vulnerability level of the product and documents its management process. Even more stringent provisions are introduced for products deemed “critical”, such as web browsers, firewalls, password managers (designated class I) and operating systems, CPUs (designated class II). These products will have to undergo specific conformity assessment procedures carried out by notified third-party bodies.
- Cybersecurity by design – The CRA proposal requires manufacturers to take into account the cybersecurity of products from the design stage (cybersecurity by design), based on a risk assessment, and to ensure it during the entire life cycle of the marketed product.
- Incident reporting – It also introduces obligations for manufacturers to report and notify the competent authorities if they become aware of a security incident or vulnerabilities exploited in their products.
- Transparency – In relation to the information asymmetry between businesses and consumers, the CRA proposal aims to introduce measures to improve transparency on the security of hardware and software products.