€15 Million fines and the EU Cyber Resilience Act (CRA)

This act is groundbreaking. It is going to place the EU at the heart of driving hardware and software cybersecurity assurance world-wide.


On the 30th November 2023, the EU published a press release stating that the European Parliament and the Council had reached a provisional agreement on the Cyber Resilience Act.

You can read the full press release here.

This means the act is expected to enter into force in early 2024, with the obligations on manufacturers applying 36 months later, in 2027, giving manufacturers time to adapt their processes.

"The Regulation is expected to enter into force in early 2024. Manufacturers will have to apply the rules 36 months after their entry into force. The Commission will then periodically review the Act and report on its functioning."

You can read the Cyber Resilience Act here.

Background

Despite its name, the EU Cyber Resilience Act is a product regulation: it introduces legal requirements for the design, development, production and distribution of hardware and software products (what the act calls "products with digital elements").

The act has been crafted to push responsibility back to manufacturers, to ensure that cybersecurity vulnerabilities in their products are managed throughout the product's life and that there is transparency for consumers, both individuals and companies.

This is very good news for consumers. It should lead to more secure and robust products as the legal obligations and market forces take effect. Also, while the act does not appear to specifically mandate a minimum support lifetime for products, a period of 5 years is indicated. It means that products will remain viable for longer, which is not only good for cybersecurity but good for the planet.

Essential cybersecurity requirements

The act defines the essential cybersecurity requirements in Annex I of the document. Section 1 details the basic security requirements, with section 2 detailing the vulnerability handling requirements.

These two sets of requirements detail the minimum cybersecurity baseline for distributing hardware or software products in the EU.

Looking through the basic security requirements, item 1.2 stands out: "Products with digital elements shall be delivered without any known exploitable vulnerabilities". It stands out because it does not factor in the severity of exploitation, so in principle a low-severity but exploitable issue known at release time is as much a problem as a critical one. In practice a manufacturer will need a documented triage process that records, for each known vulnerability at the time of release, whether it is exploitable in the product as shipped and why. It will be interesting to see how this is or isn't complied with in practice.

Critical cybersecurity requirement

Critical products are defined in two classes, Class I and Class II (see below). Critical products are subject to a stricter conformity assessment than ordinary products, with Class II products being independently assessed for conformity.

Looking at the list of Class II products, most of these are probably already subject to product assurance checks of some form (for example, HSMs, secure elements and smartcards are commonly certified under schemes such as Common Criteria).

Class I

  • Identity management systems software and privileged access management software;
  • Standalone and embedded browsers;
  • Password managers;
  • Software that searches for, removes, or quarantines malicious software;
  • Products with digital elements with the function of virtual private network (VPN);
  • Network management systems;
  • Network configuration management tools;
  • Network traffic monitoring systems;
  • Management of network resources;
  • Security information and event management (SIEM) systems;
  • Update/patch management, including boot managers;
  • Application configuration management systems;
  • Remote access/sharing software;
  • Mobile device management software;
  • Physical network interfaces;
  • Operating systems not covered by class II;
  • Firewalls, intrusion detection and/or prevention systems not covered by class II;
  • Routers, modems intended for the connection to the internet, and switches, not covered by class II;
  • Microprocessors not covered by class II;
  • Microcontrollers;
  • Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
  • Industrial Automation & Control Systems (IACS) not covered by class II, such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
  • Industrial Internet of Things not covered by class II

Class II

  • Operating systems for servers, desktops, and mobile devices;
  • Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;
  • Public key infrastructure and digital certificate issuers;
  • Firewalls, intrusion detection and/or prevention systems intended for industrial use;
  • General purpose microprocessors;
  • Microprocessors intended for integration in programmable logic controllers and secure elements;
  • Routers, modems intended for the connection to the internet, and switches, intended for industrial use;
  • Secure elements;
  • Hardware Security Modules (HSMs);
  • Secure cryptoprocessors;
  • Smartcards, smartcard readers and tokens;
  • Industrial Automation & Control Systems (IACS) intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)], such as programmable logic controllers (PLC), distributed control systems (DCS), computerised numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
  • Industrial Internet of Things devices intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
  • Robot sensing and actuator components and robot controllers;
  • Smart meters

Transparent reporting

The act requires manufacturers to undertake a cybersecurity risk assessment of their product, which must be included in the technical documentation for the product.

Manufacturers must also report any actively exploited vulnerability in their products, and any incident affecting the security of the product, within 24 hours of becoming aware of it to the national Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA). Note that the obligation is triggered by active exploitation, not by every vulnerability a manufacturer finds, but 24 hours is still very onerous: it presupposes a staffed intake for vulnerability reports and a pre-agreed escalation path, and we think most manufacturers will struggle to meet this deadline in practice.

Innovation protected

There is a carve-out for free and open-source software: software developed or supplied outside the course of a commercial activity is out of scope. Note that the test is commercial activity, not the licence, so open-source components supplied as part of a commercial product or paid service remain in scope for the manufacturer of that product.

“In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.”

Market surveillance sweeps

The act makes provision for market surveillance authorities to check conformity, and they will base their activities on "product categories often found to present cybersecurity risk".

ENISA is to propose the categories of products for which sweeps could be undertaken, based on the incident reports it receives.

Penalties

The most striking part of the act is the penalties.

Failure to comply with the essential cybersecurity requirements carries fines of up to €15M or 2.5% of worldwide annual turnover, whichever is higher; other non-compliance up to €10M or 2%; and supplying incorrect, incomplete or misleading information to the authorities up to €5M or 1%. For any company of size, the turnover-based figure is the one that bites.

Article 53

The following sections are taken from Article 53 in the act.

  1. The non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
  2. The non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
  3. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Conclusion

Overall, we think this piece of legislation is groundbreaking. It is going to place the EU at the heart of driving hardware and software cybersecurity assurance world-wide and result in more reliable and secure technology. The EU has set the bar for entry and now it is over to the manufacturers to adapt.

How IT Security Locksmith can help

IT Security Locksmith are experienced in cybersecurity and can assist with adapting to the new EU Cyber Resilience Act by:

  • Helping to design or define cybersecurity risk assessments
  • Creation of Cyber Resilience policy
  • Assisting with cybersecurity risk mitigation and vulnerability treatment plans
  • Establishing a vulnerability reporting function
  • Introducing cybersecurity firms that undertake technical vulnerability and penetration testing

If you need help adapting to the new EU Cyber Resilience Act please email: contact@itsecuritylocksmith.co.uk.

About IT Security Locksmith

IT Security Locksmith is a cybersecurity company that specialises in board level training and consultancy.