The European Cyber Resilience Act – Silver bullet to sustainably increase cyber security or deservedly dreaded regulation to hinder digital product innovation?Datum: 09.12.2022
Autor: Michael Brunner, Head of Security Engineering
The final proposal of the European Cyber Resilience Act is publicly available since September 2022 and so are the results of the EU's impact assessment of the planned regulation. While the overall need for the European Cyber Resilience Act or a similarly targeted regulation is out of question so is the fact that it will impact enterprises throughout Europe in the market of digital product development and sales.
In this article we will offer a high-level analysis of the regulation itself, provide some clarification regarding its scope and the potential impact as well as immediate remediation steps enterprises can take to address the requirements. This article will mostly focus on issues relevant for digital product developers and manufacturers.
SPOILER ALERT: You will most certainly have to assess and probably adopt your development process, your product documentation and support processes.
And if you are still unsure whether to read any further: Non-compliance can be fined with up to € 15 million or 2.5 % of an companies' total worldwide annual turnover.
Overview of the European Cyber Resilience Act
The European Union addresses two major goals with the European Cyber Resilience Act:
- Ensure that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle
- Allow users to take cybersecurity into account when selecting and using products with digital elements
By means of this new regulation the overall current cyber security posture should be enhanced by taking a stronger stance on non-embedded software which at the moment is not adequately covered by any EU legislation. Furthermore, by means of this geographically wide-spread and generally applicable regulation the European Union member state's and society's overall cyber resiliency should be significantly enhanced. In that sense the European Cyber Resilience Act will offer additional assurance in areas where other efforts like the NIS and NIS2 Directive or the Cybersecurity Act are not immediately applicable.
True to the outset goals, the European Cyber Resilience Act will enforce a range of requirements on manufacturers of products with digital elements (in fact on any entity placing said products on the union's market) regarding their development process, their capabilities concerning vulnerability management and the provisioning of relevant cyber security documentation.
Scope and Boundaries
Regarding the scope of the EU Cyber Resilience Act two dimensions need to be considered. The first one being the kind of products that are covered by this regulation and the second one being the organizations required to comply with it.
The regulation itself provides a straight-forward definition for the products being subject to its demands. Although the regulation contains 40 different definitions, the two most important ones set the stage for what kinds of products will be covered.
Definition Product with Digital Elements: Any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. (Source: European Cyber Resilience Act, Chapter 1, Article 3 (1))
Definition Remote Data Processing: Any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions. (Source: European Cyber Resilience Act, Chapter 1, Article 3 (2))
Upon closer inspection, one will immediately recognize how broad these definitions are formulated. By doing so it is ensured that any kind of software or hardware as well as any relevant remote computing elements are covered when placed on the European market.
Considering the affected organizations the definition for placing on the market and related subsequent definitions clearly state that any market participant who operates in a commercial fashion – independent of whether the product with digital elements is offered in return for payment or free of charge – is subject to the regulation.
The bottom line here is: If your organization develops or manufactures any kind of product with digital elements or has them designed, developed or manufactured you will have to assess your current state and ensure that you are prepared for when the European Cyber Resilience Act will be implemented - with initial actions by European member states being expected as soon as 2023.
Requirements
The requirements placed on manufacturers of products with digital elements are primarily laid out in Articles 10 and 11 of the European Cyber Resilience Act. The major takeaway is the enforcement of an adequate cybersecurity risk assessment that shall steer the whole product lifecycle throughout design, delivery and maintenance phases.
The two major sets of requirements directly targeting the security of digital products are rooted in the implementation of a secure development regiment and the provision of an adequate vulnerability management. These essential cyber security requirements are stated in Sections 1 and 2 of the European Cyber Resilience Act in Annex I.
SECURITY REQUIREMENTS RELATING TO THE PROPERTIES OF PRODUCTS WITH DIGITAL ELEMENTS
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks;
- Products with digital elements shall be delivered without any known exploitable vulnerabilities;
- On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall: [..]
Source: European Cyber Resilience Act, Annex 1, Section 1
The conclusion here is that companies are required to establish a cyber security risk management framework that will help them to identify and analyze potential security issues and act upon them throughout the whole development process and subsequent maintenance activities. Another aspect to be considered here is the demand to deliver products without any known exploitable vulnerabilities, which will require major efforts for many a company who right at the moment follows a more if-it-hasn't-been-hacked-it's-fine approach in cyber security. The actual requirements for the regulated risk assessment process will be covered in a subsequent CERTAINITY blog post. Follow us on LinkedIn to receive updates!
The second set of essential cyber security requirements demands manufacturers of products with digital elements to develop and maintain a thorough vulnerability management process.
VULNERABILITY HANDLING REQUIREMENTS
Manufacturers of the products with digital elements shall:
- identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;
- in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates;
- apply effective and regular tests and reviews of the security of the product with digital elements;
- once a security update has been made available, publically disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;
- put in place and enforce a policy on coordinated vulnerability disclosure;
- take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;
- provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
- ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
Source: European Cyber Resilience Act, Annex 1, Section 1
These requirements set out the mandatory tasks and processes to be established. While certain ones will not be that difficult to achieve for most enterprises and products like the rather watered-down SBOM only covering the top-level dependencies. Others, like conducting regular security tests and providing security patches and updated free of charge, might pose an additional financial strain and in some cases require even a wholesome adjustment of the underlying business case.
Apart from these essential cyber security requirements, a total of 7 additional documentation requirements concerned with the contents of the technical documentation for products with digital elements are demanded in Annex V of the European Cyber Resilience Act. These basically enforce the transparent documentation of how all above mentioned obligations have been met and the respective results of required tasks like the cyber security risk assessment or the software bill of materials.
Overall, the complete set of requirements for manufacturers of products with digital elements are not to be underestimated - especially for organizations that have not been investing in their own cyber security posture and that of their products in recent years.
To ensure that the European Cyber Resilience Act can be enforced, any entity placing products with digital elements on the European market is required to undergo a conformity assessment for each product. Depending on the actual product category these assessments can take on different forms from self assessments to full-fledged third-party assessments for critical products. The distinguishing product characteristics and associated assessment demands will be covered in a subsequent CERTAINITY blog post. Follow us on LinkedIn to receive updates!
How to Prepare for the European Cyber Resilience Act
As outlined in the previous section Scope and Boundaries most companies offering soft- and hardware products in the European market will have to adopt the regulatory demands of to the European Cyber Resilience Act. Many of those will now question how to best proceed and which timeline to follow.
After the final version of the EU Commission's proposal of the European Cyber Resilience Act has been published in September 2022, the next step will be for the European Parliament to enforce the corresponding legislation (after discussions and potential amendments). The actual implementation will be conducted in two phases:
- Within twelve months, manufacturers and developers of products with digital elements will be obligated to report cybersecurity incidents.
- Within twenty-four months, companies will have to adapt to the complete set of requirements proposed by the European Cyber Resilience Act.
As of today, date X when the European Parliament will enact this new legislation is an unknown. However, it is to be expected that (i) the EU will act decisively in 2023 due to the increasing importance of cyber security with regard to current geo-political developments (ii) only minor changes will be made to the requirements and processes demanded by the European Cyber Resilience Act. Ultimately, one can expect that companies will be required to achieve compliance within the next two years until mid-2025 at latest.
These two to two-and-a-half years should be utilized to assess the current state and to build additional capabilities where needed as well as to provision required resources. As a first step enterprises will need to identify affected products and conduct a tailored assessment of the current state of secure development practices will be required. Furthermore, they should assess whether they can provide the required documentation artifacts - which, naturally, should be provided through means of the mandated processes already being implemented.
In any case, enterprises will have to implement proper cyber risk assessment methodologies for their product development and maintenance. The European Cyber Resilience Act does not mandate a specific methodology and leaves the decision to chose an appropriate one to the product manufacturer. Depending on the nature of the product various approaches from utilizing STRIDE, CORAS or Attack Trees are possible options. The results of theses assessments must be further integrated in subsequent steps which must follow secure design and development procedures. A major second aspect will then be the establishment of a compliant vulnerability management process - if not already present and sufficient. Both processes (risk assessment and vulnerability management) will require specific education of personell and the provision of additional tools depending on the nature of the actual product and the manufacturing enterprise. Finally, enterprises must ensure that their processes are capable of providing the demanded documentation for conformity assessments.
Depending on the current cyber security state of organizations these steps might require substantial financial investments and time to foster needed cultural change in product development teams.
In a future blog post we will elaborate on the potential utilization of cyber insurance offerings regarding the European Cyber Resilience Act and how this new legislation might influence cyber insurance premiums. Follow us on LinkedIn to receive updates!
Conclusion
Finally, circling back to the question stated in the title of this article: The European Cyber Resilience Act – Silver bullet to sustainably increase cyber security or deservedly dreaded regulation to hinder digital product innovation? As always such a regulation and its implications will swing in both directions. To a certain extent it will require additional investments and resources, which will certainly affect smaller companies in a greater manner (cf. Executive Summary of the Impact Assessment Report accompanying the European Cyber Resilience Act, Section C: "What are the impacts on SMEs and competitiveness?"). The major benefit for smaller enterprises will be the fact that not only they, but also their suppliers will fall under the same regulation. Thereby giving SMEs greater assurance of adequate cyber security properties of any third-party components they rely upon - and at least indirect means to enforce them. Organizations with an already strong cyber security posture will have to deal only with minor adjustments as they will most certainly have required processes in place and already built the required capabilities to address necessary changes directly and head-on. Furthermore, any company gets the chance to distinguish their products from competitors based on an unilaterally agreed upon framework where every market participant will have to openly present their endeavors for securing their products. By compliance to this legislation companies can achieve a CE certification for their products.
The European Cyber Resilience Act will most definitely strengthen the cyber security of soft- and hardware-products and thereby improve the overall cyber resilience of organizations and our society. When this legislation will be enforced, we will be better prepared to efficiently deal with security issues and have the means to make informed decisions regarding the security of products we intend to buy or use. Companies will have to plan for this new regulation and depending on the current state of their cyber security processes start with making smaller or greater adjustments and investments.
As cyber security experts with long-standing experience in security engineering and supporting customers to meet various legislative demands we give a simple advice: Start early, build required capabilities, provision the necessary resources and seek support from cyber security professionals where your organization can't cover the demands stated in the European Cyber Resilience Act in due time.
CERTAINITY has developed an assessment methodology and tool to aid organizations during initial steps preparing for the European Cyber Resilience Act. Ask for CERTAINITY's cyber security experts and request a quote for our Initial European Cyber Resilience Act Workshop including a readiness assessment for your organization and products.
Ask for CERTAINITY's Security Engineering consulting services at ping@certainity.com for guidance and support to sustainably prepare your organization for the European Cyber Resilience Act and to get your products CE-certified - before your competition does.
Contact: Michael Brunner, PhD. (Head of Security Engineering)