KANBrief 3/23

EU Regulation: world of networked equipment and machinery to be made more secure

With the Cyber Resilience Act, the European Commission is planning to oblige manufacturers of products "with digital elements" to guarantee cybersecurity throughout their products' life cycle in the future.

Against a continued backdrop of online attacks, for example involving encryption trojans (ransomware), the European Commission is continuing to push for safeguards against IT security vulnerabilities. Following the adoption of legislation such as the Cybersecurity Act (2019), which lays the groundwork for an EU-wide certification scheme for the IT security of networked equipment, systems and services, and the recent revision of the Network and Information Security Directive (NIS2), the Commission published a draft Cyber Resilience Act (CRA) in September 2022. Under the planned regulation, products "with digital elements", i.e. hardware and software, are to "be placed on the market with fewer vulnerabilities" in the future.

The draft is broad in scope. The Commission intends it to cover "any software or hardware product and its remote data processing solutions", including associated components, even where these are placed on the market separately. One focus is likely to be the Internet of Things and consumer routers, which have frequently been attacked by way of their numerous security vulnerabilities. Products "developed exclusively for national security or military purposes" or specifically designed to process classified information are to be excluded from the act. Sectors such as aviation, medical devices and motor vehicles are also not affected, since sector-specific requirements already exist for them.

Under the proposal, affected manufacturers would have to meet basic cybersecurity requirements for design, development and production before placing a device on the market. They must monitor vulnerabilities throughout the product's entire life cycle and eliminate them through security updates made available automatically and at no cost. The proposal also obliges manufacturers to report any actively exploited vulnerability, and any incident affecting the security of a piece of hardware or software, to ENISA, the EU's cybersecurity agency, within a tight 24-hour deadline. A coordinated vulnerability disclosure policy is to be established.

Under the CRA, the vulnerabilities of covered devices would have to be limited and the impact of incidents minimized. Covered products are to ensure the confidentiality of data, for example by means of encryption. Protecting the integrity of information and measurement data that are essential to an item's functioning, and of their processing, is to become mandatory.
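As an added illustration of the two requirements just described (confidentiality and integrity of measurement data), and not code from the article or from any CRA text: the Go program below seals a measurement record with AES-256-GCM, so that the payload is encrypted and any modification of the record, of the cleartext device ID or of the sequence number is detected, and it rejects replayed records. The 32-byte key, the device ID "sensor-01" and the JSON payload are constructed for the example; a real device would hold the key in protected storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard GCM nonce length

// demoKey is a constructed example key (32 bytes = AES-256). Never hard-code
// a key like this in a real product.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// aad builds the associated data: the device ID and sequence number travel
// in the clear (the receiver needs them to route and order records) but are
// bound into the authentication tag, so altering them invalidates the record.
func aad(deviceID string, seq uint32) []byte {
	buf := make([]byte, 4, 4+len(deviceID))
	binary.BigEndian.PutUint32(buf, seq)
	return append(buf, deviceID...)
}

// SealMeasurement encrypts and authenticates a payload. Output layout:
// nonce || ciphertext || tag. A fresh random nonce is drawn per record.
func SealMeasurement(key []byte, deviceID string, seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst, which we set to the nonce slice.
	return gcm.Seal(nonce, nonce, payload, aad(deviceID, seq)), nil
}

// Receiver verifies records and remembers the last accepted sequence number
// per device to reject replays of otherwise genuine records.
type Receiver struct {
	gcm     cipher.AEAD
	lastSeq map[string]uint32
}

func NewReceiver(key []byte) (*Receiver, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Receiver{gcm: gcm, lastSeq: make(map[string]uint32)}, nil
}

// Accept returns the plaintext only if the tag verifies for this device ID and
// sequence number and the sequence number is strictly newer than the last one
// accepted from that device. Failed records leave the receiver state unchanged.
func (r *Receiver) Accept(deviceID string, seq uint32, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+r.gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := r.gcm.Open(nil, nonce, ct, aad(deviceID, seq))
	if err != nil {
		return nil, errors.New("integrity check failed: record rejected")
	}
	if last, seen := r.lastSeq[deviceID]; seen && seq <= last {
		return nil, fmt.Errorf("replay: seq %d not newer than %d", seq, last)
	}
	r.lastSeq[deviceID] = seq
	return pt, nil
}

func main() {
	rcv, _ := NewReceiver(demoKey)
	blob, _ := SealMeasurement(demoKey, "sensor-01", 1, []byte(`{"temp_c":21.5}`)) // constructed payload
	pt, err := rcv.Accept("sensor-01", 1, blob)
	fmt.Printf("genuine record: %s (err=%v)\n", pt, err)
	_, err = rcv.Accept("sensor-01", 1, blob) // same record again
	fmt.Println("replayed record:", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = rcv.Accept("sensor-01", 2, blob)
	fmt.Println("tampered record:", err)
}
```

The receiver authenticates before consulting its replay state, so an attacker without the key cannot probe or advance the sequence counter; the counter only moves on a record that verified.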

Beyond these basic requirements, the European Commission has identified particularly critical, high-risk product categories. It divides the products concerned into two classes, each with its own conformity assessment procedure. Class I includes identity management systems, browsers, password managers, anti-virus programs, firewalls, virtual private networks (VPNs), network management systems, comprehensive IT systems, physical network interfaces, routers and chips. It further covers operating systems, for example for smartphones and desktop computers, microprocessors, and Internet of Things (IoT) devices used in environments that are not considered particularly sensitive.

The higher-risk Class II includes desktop and mobile devices, operating systems that are virtualized or embedded, for example in machinery, digital certificate issuers, general-purpose microprocessors, smartcard readers, robot sensing components and smart meters. It also covers IoT devices, routers and firewalls for industrial use, which is generally regarded as a "sensitive environment". The background to this is that IT security vulnerabilities have long had large-scale impacts on machinery and systems that are increasingly networked and can also be accessed from outside the company premises. As a result, such vulnerabilities also affect occupational safety and health.

Manufacturers are to conduct conformity assessments of their products either by means of an internal procedure or through testing by recognized bodies. Where a manufacturer has applied harmonized standards or has already obtained a certificate under a European cybersecurity certification scheme, the hardware or software concerned is presumed to comply with the regulation. Importers and distributors are obliged to verify that the manufacturer has followed the relevant procedures and to check the device's CE marking. For less critical products, manufacturers may draw up the declaration of conformity themselves; in Class II, assessment by a third party is to be mandatory.

The Commission considers the need for action urgent: by 2021, growing cybercrime had already resulted in an estimated annual cost of 5.5 trillion euros. In a networked environment, a cybersecurity incident involving a single product may affect an entire company or supply chain, often spreading across borders within minutes, as was the case with the WannaCry ransomware. Economic and social activities are interrupted as a result, and lives may even be endangered.

Criticism of the proposed regulation

In a statement, the German Social Accident Insurance (DGUV) criticizes the fact that even the core term "cybersecurity" is not clearly defined. In various standards and regulations, the term is used at different points to mean a state, an activity or a product. The DGUV points out that imprecisely defined compound terms containing "cyber" are often problematic. For example, depending on the source, attacks conducted via wireless or USB interfaces are not considered to fall under "cybersecurity".

The DGUV is also critical of the obligation on manufacturers to report comprehensive details of a security vulnerability within 24 hours. In many cases, an investigation cannot realistically be completed within such a short time. It also points out that details which could be exploited for attacks do not necessarily need to be forwarded at all. In its statement, the DGUV advocates communicating only the data the authorities actually need, for example for issuing product warnings or assessing the impact of a vulnerability. The DGUV also considers the planned two-year period for adapting to the new requirements too short for manufacturers who depend on other products and must, for example, await their conformity assessment.

Jonas Stein, head of the DGUV's Security Working Group, also criticizes that the continual development of operating systems prevents their being tested meaningfully. Furthermore, they often depend on open-source software, as in the case of Linux, yet no single manufacturer is responsible for the conformity procedure for "software libre". The open-source community itself fears falling into a liability trap: many individual developers contribute to collaborative works and would all bear liability for potential security vulnerabilities. The Free Software Foundation Europe (FSFE) laments that "due to the lack of funding and resources to go through these procedures, some of these projects might have to stop completely".

The EU Council of Ministers and the European Parliament's lead industry committee set out their positions on the Commission's proposal in mid-July, enabling negotiations on a final compromise to begin shortly. The Member States advocate, for example, a simplified declaration of conformity, greater support for small businesses, and a requirement that manufacturers state the expected lifetime of their products. They also want exploited vulnerabilities and security incidents reported to the relevant national authorities rather than to ENISA. For their part, MEPs are calling for more precise definitions, workable timeframes and a fairer distribution of responsibilities. At the same time, they are pushing for smart home devices, smartwatches and home security cameras to be included in the high-risk category.

Dr. Stefan Krempl, Freelance journalist
sk@nexttext.de