ENCRYPT Blog Series #3: Cyber Resilience Act

A Proposal for a Cyber Resilience Act: the missing puzzle for a comprehensive EU cybersecurity framework?
Dr. Irene Kamara, Assistant professor at Tilburg Institute for Law, Technology, and Society (TILT)

In recent years, the European Union has been strengthening its regulatory toolbox in cybersecurity. One of the first major efforts was the Network and Information Security Directive, back in 2016. The NIS1 Directive focused on providing a high common level of security of network and information systems across the Union. NIS1 targeted specific types of entities active in the energy sector, transport, banking etc., as well as online marketplaces, search engines, and cloud computing service providers. NIS1 was revised last year, and the new Network and Information Security Directive 2022/2555 (NIS2) is expected to strengthen the information security of essential and vital service providers by imposing risk management obligations, introducing Coordinated Vulnerability Disclosure (CVD) policies and strengthening the cross-border collaboration of incident response teams. Next to NIS2, the Cybersecurity Act (CSA), adopted in 2019, establishes the rules and processes for a cybersecurity conformity assessment framework. The CSA aims to create a digital single market for ICT products, ICT services and ICT processes via the creation of EU cybersecurity certification schemes. Later, the European Commission published its new EU Cybersecurity Strategy, which set the agenda in the field of cybersecurity in the Union and prioritised, inter alia, supply chain resilience and securing communication and other infrastructures. In the meantime, in 2021, the first EU cybersecurity certification scheme, an adaptation of the well-known Common Criteria, was already developed by ENISA and submitted to the European Commission. Other cybersecurity certification schemes focus on 5G and cloud computing.

Next to all those initiatives, the Proposal for a Cyber Resilience Act (CRA), published in September 2022, aims to fill in a missing puzzle piece by providing cybersecurity requirements for products with digital elements. Unlike the other cybersecurity acts in the EU, the CRA is a proposed Regulation that will provide essential substantive requirements for products. The CRA is additionally expected to lay down rules for placing products with digital elements on the market, and for the surveillance and enforcement of those rules.

The rationale for proposing the CRA is simple: there has been an absence of horizontal cybersecurity safeguards for “digital products and ancillary services.”

Specifically, the scope of application of the proposed CRA is “all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.”

According to Art. 3 of the proposed CRA:

“‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.”

The definition does not exclude interaction with other existing or forthcoming laws, such as the Radio Equipment Directive or the Proposal for an Artificial Intelligence Act.

The CRA will essentially materialise security by design by establishing essential requirements for the design, development, and production of products with digital elements, and requirements for the vulnerability handling processes of manufacturers. Examples of those proposed essential requirements are provided in the Annex of the Proposal and include:

– Products with digital elements shall:
* be delivered without any known exploitable vulnerabilities
* ensure an appropriate level of cybersecurity based on the risks identified in a risk assessment (see Art. 10(2) CRA proposal)
* be delivered with a secure by default configuration, including the possibility to reset the product to its original state
* protect the availability of essential functions, including resilience against and mitigation of denial of service attacks

It is also worth noting that the CRA proposal relies on the development of technical standards to flesh out the specific technical measures that will be required to conform to the essential requirements, similarly to product safety legislation and the proposed AI Act.

While the legislative process is still in its initial steps, it is important to closely monitor the CRA proposal and its evolution. ENCRYPT keeps an eye on legislative developments in the area of cybersecurity and incorporates the resulting requirements, to ensure ENCRYPT solutions are up to date with the latest state of the art in EU cybersecurity legal and policy developments.

*** In April, Irene will present her related paper at the 38th BILETA conference in Amsterdam. Information on the conference is available here: https://alti.amsterdam/bileta23/