EU Cyber Resilience Act: What you need to know
How many connected or “smart” devices do you have in your home? From Amazon Alexa to the Ring doorbell, to smart refrigerators, to smart lightbulbs, connected devices don’t just help us manage our households; they also introduce serious cybersecurity risks. In fact, there were over 112 million Internet of Things (IoT) cyber attacks worldwide in 2022. These attacks range from hacking a baby monitor to watch a mother breastfeed her child to hacking a doorbell camera to see who is at home. With these risks in mind, the Council of the European Union adopted the EU Cyber Resilience Act, a new law establishing cybersecurity requirements for products with digital elements. In this article, we will explore this new law, including who it applies to, what it requires, and how to comply.
Who does the EU Cyber Resilience Act apply to?
The EU Cyber Resilience Act applies to economic operators that deal in products with digital elements made available in the European Union. Thus, anyone supplying these products for distribution or use in the European Union will need to comply with the Act. The following are examples of products that will be covered under the Act: laptops, mobile devices, smartphones, routers, smart home devices, identity, privileged access and mobile device management software, firewalls, mobile apps, video games, and desktop applications. It is important to note that products such as medical devices, cars, and aeronautical products are exempt from this Act, as they are already covered by existing EU rules. Products will have to carry the “CE” marking to signify that they meet the requirements of the Cyber Resilience Act, so that consumers can easily identify compliant products.
Management of vulnerabilities
Connected devices are exposed to many weaknesses that turn them into cybersecurity risks, for example a lack of encryption, weak authentication, software vulnerabilities, and ransomware. The EU Cyber Resilience Act imposes the following requirements:
- Products will need to be delivered without any known exploitable vulnerabilities and the default configuration of such products must be secure;
- Vulnerabilities will need to be addressed through security updates;
- Manufacturers of products will have to identify and document the vulnerabilities and components contained in their products;
- Manufacturers will need to address and remediate vulnerabilities without delay and provide security updates free of charge;
- Manufacturers will need to publicly disclose information about fixed vulnerabilities.
Information and instructions to users
Products with digital elements will also need to come with the following information so that users have what they need to use the product securely:
- The name, registered trade name, or registered trademark of the manufacturer, and the postal address, email address, or other digital contact (as well as the website) where the manufacturer can be contacted;
- The single point of contact where information about vulnerabilities of the product can be reported and received and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;
- Name and type and any additional information enabling the unique identification of the product with digital elements;
- The intended purpose of the product with digital elements, including the security environment, as well as the product’s essential functionalities and information about the security properties;
- Any known or foreseeable circumstance that may lead to cybersecurity risks;
- The internet address at which the EU declaration of conformity can be accessed;
- The type of technical support offered;
- Additional information, such as how security updates can be installed, how changes to the product may affect the security of data, and integration requirements;
- Information on where the software bill of materials may be accessed, if applicable.
Critical products with digital elements
The EU Cyber Resilience Act also requires critical products to undergo specific conformity assessment procedures. These critical products perform functions essential to the cybersecurity of other products, such as securing authentication and access, intrusion prevention and detection, endpoint security, or network protection. Examples include hardware devices with security boxes, smart meter gateways, and smartcards. Products such as password managers, network management systems, browsers, and identity management systems will also be subject to additional conformity assessment procedures.
Reporting
Manufacturers will also be required to inform the European Union Agency for Cybersecurity of any actively exploited vulnerability or severe incident within 24 hours of becoming aware of it. Follow-up notices will then be required within 72 hours and again within 14 days of the vulnerability or incident.
Next steps
Failure to comply with the Act can subject a company to a fine of up to 15 million euros or 2.5% of its global annual turnover for the preceding year, whichever is higher. The Act will go into effect 20 days after its publication in the Official Journal of the EU, and the reporting obligations will go into effect 21 months after the Act’s effective date, so organizations that manufacture products with digital elements should start preparing for compliance now.