Manufacturers of products “with digital elements” must guarantee cyber security during the full life cycle, for example through vulnerability management.
Table of Contents
With a law “on cyber resilience”, the EU Commission wants to prevent major cyber security debacles in the future. Products “with digital elements” such as hardware and software should “come onto the market with fewer weak points”, the Brussels government institution states as a goal in the draft available online. In the future, manufacturers would have to “take cyber security seriously throughout the entire life cycle of a product”.
Scope of the “Cyber Resilience Act”
The intended scope of the “Cyber Resilience Act” is broad. By articles with digital elements, the Commission understands “any software or hardware product and its remote computing solutions” including associated components “intended to be placed on the market separately”. One focus is likely to be on the Internet of Things or on “plastic routers”, which have so far often been easily vulnerable due to many built-in security gaps.
Products “that were developed exclusively for national security or for military purposes” or that are specifically intended for the processing of classified information should be left out.
Full lifecycle cybersecurity requirements
According to the draft, the manufacturers of the items covered must in future meet basic cyber security requirements for the design, development and manufacturing process before they are allowed to place a device on the market. They should be encouraged to monitor vulnerabilities throughout the lifecycle of the device and fix them through automatic and free updates.
Furthermore, the producers should report every incident that affects the security of hardware and software to the EU cyber security authority Enisa. It envisages a requirement to adopt a “coordinated vulnerability disclosure policy” to facilitate the reporting of security vulnerabilities by individuals or companies. The planned amendment to the Directive on Network and Information Security (NIS2) also provides for basic reporting requirements. The draft does not contain an obligation for government agencies to report any vulnerabilities found.
Ban on the market introduction of products with known vulnerabilities
For all relevant economic actors, from manufacturers to dealers and importers, requirements for the placing on the market of products with digital elements are to be set “that are appropriate to their role and responsibility in the supply chain,” emphasizes the Commission. The list of essential requirements, detailed in an appendix to the 80-plus-page draft itself, includes an “adequate” level of cybersecurity and a ban on bringing products with known vulnerabilities to market
Security by design, i.e. the integration of cyber security directly into the products, as well as protection against unauthorized access, should also be guaranteed. Attack surfaces would have to be limited and the effects of incidents minimized. The recorded articles are intended to ensure the confidentiality of the data, for example through encryption. The protection of the integrity and processing of information and measured values that are absolutely necessary for the functioning of the product should become mandatory.
