The European Commission proposed its first draft of the cybersecurity legislation, the Cyber Resilience Act (“CRA”), on 15 September 2022.  The CRA is one part of a range of EU legislative measures aimed at increasing the overall cyber security and cyber resilience of the EU and businesses operating within it.

The CRA will create a new regulatory framework and set of rules for software and hardware products falling under the definition of “products with digital elements” (“PDE”) that connect to another device or network.  This is a broad definition encompassing a range of products, including both hardware and software, such as network devices, operating systems, identity and access management software, network management products, firewalls, routers, fitness trackers, smart home devices, and much more.  While the current draft carves out of the CRA those PDEs already covered by existing EU laws, where such laws provide an equivalent level of protection (for example some medical devices, motor vehicles, digital aviation instruments and military equipment, amongst others), the scope of the current proposal is very wide-ranging and would have a significant impact on security requirements.

At a high level, the CRA places a variety of initial and ongoing cybersecurity obligations on any manufacturer of PDEs that are within the EU’s market, irrespective of where the manufacturer itself is located.  These obligations span the full lifespan of a PDE, requiring manufacturers to meet a specified set of essential requirements when designing, developing and producing PDEs.  If these PDEs are considered “critical”, as defined by a set list of products laid out in the CRA, then they will be subject to additional conformity assessment procedures, including third-party assessment for class II critical products.  For any third-party components used in their PDEs, manufacturers must also carry out additional checks to ensure that cybersecurity protection is not compromised, which reflects the current significant concern about supply chain risk management.

Importers and distributors of PDEs within the EU market are also caught by the proposed CRA.  This imposes various responsibilities including ensuring conformity procedures have been followed, and that the right technical and non-technical information is provided to end-users.

Information Provision and Audit Rights

When placing PDEs on the EU market, manufacturers will have to conduct a cybersecurity risk assessment that takes into account risks during multiple successive phases of a PDE’s lifecycle, ultimately to ensure that supply chain security is maintained from start to finish.  These risk assessments are likely to be a complex task; a manufacturer whose PDE is used in a multitude of settings may need to understand its different uses and risks depending on the end-user – for example, a software package for guest registration may be used in a small town sports centre as well as in a large city hospital, yet the sensitive nature of a hospital is likely to bring additional risks.  Manufacturers are then obliged to make the risk assessment available, amongst other information, instructions and technical documentation.  End-users are likely to push manufacturers to provide as much information on risks as possible, while manufacturers will likely want to keep what they make available to the minimum, so as to manage the flow of information and what the customer holds in the event of a future dispute.

Local authorities responsible for enforcing the CRA in member states have powers to request from manufacturers information relating to the PDE’s essential requirements and other technical specifications that is necessary for them to fulfil their tasks of monitoring compliance.  This includes more detailed data and internal documentation relating to a PDE’s design, development and production. Where a significant risk is identified, the local authority can require the manufacturer to take corrective action. The obligation to cooperate in any investigation of PDEs presenting significant cybersecurity risks extends to manufacturers, importers and distributors. The provision of support, resources and information by these different supply chain operators may become heavily negotiated depending on their respective roles.

Significantly, the draft CRA envisages a product recall scheme similar to that currently in effect for product liability.  This is an important development in that it may allow for the removal of products which are (for example) found to be vulnerable part way through their lifecycle.  Manufacturers will need to develop processes for complying with withdrawal or recall orders, although we expect that existing product liability recall processes can form the basis of these.

Reporting Obligations

In the CRA’s current draft, a manufacturer will have to notify ENISA (the European Union Agency for Cybersecurity) within 24 hours of becoming aware of a vulnerability in a PDE that has been exploited, or of an incident affecting a PDE’s cybersecurity. The draft also requires manufacturers to notify any entity maintaining a component in its PDE of a vulnerability in that component, and to inform users of any incidents. These echo GDPR-style obligations relating to data breaches, and it is possible that businesses will begin to develop contractual provisions that allocate responsibility for notifying vulnerabilities depending on where they sit in the supply chain and their respective bargaining power.

Businesses must be able to understand the different entities and regulators that need to be reported to in the event of an incident, or more generally, depending on who the end-user is and their industry. This will create a complex web of reporting obligations, and contractual provisions on reporting will need to be tailored to these factors.

Future Considerations and How To Prepare

The current draft CRA is at the proposal stage, and there is some way to go before it becomes law.  There will doubtless be some changes, but the draft is indicative of a clear direction of travel in EU legislation aimed at increasing overall cyber resilience.

The CRA proposes high fines for non-compliance, up to €15 million or 2.5% of annual turnover.  Dealing with the allocation of risk for these fines contractually, in the form of indemnities for losses and warranties relating to a company’s processes for compliance under the CRA, is going to become a key part of negotiation for businesses.

Even more difficult is likely to be the ongoing monitoring for vulnerabilities in PDEs that are already on the market, particularly when product lifespans run for many years.  Additional monitoring resource is going to be needed, and businesses without these pre-existing capabilities may need to outsource this work, requiring additional service agreements and allocations of contractual risk depending on which side of the PDE a business faces.

Identifying and mapping processes, both internally and externally, and understanding supply chains and end-users will be crucial for PDE manufacturers, importers and distributors that are within the scope of the CRA when the time comes to consider how to address the CRA contractually.  While there is a degree of “watch this space” as it is only a proposal at this stage, the CRA will have a significant effect on compliance for all PDEs, and in particular on supply chain management.  As the proposal comes closer to fruition, businesses should review their supply chain contracts to ensure that they will be able to comply with the requirements of the CRA.

(Co-authored with Leo Hutchings – Trainee, London)

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.