
EU Cyber Resilience Act: Cybersecurity Obligations For Connectable Hardware And Software Products Including IoT – Security


The Internet of Things (IoT) segment has grown, and with it have
come many examples of vulnerable products, from babycams whose
feeds could be viewed by strangers online to hackable implantable
cardiac devices. There are also infamous examples of botnets (i.e.,
clusters of hacked devices) featuring millions of IoT devices with
one common trait: weak security.

The U.S. has long had both laws and standards in place that address
data security. In Europe, the General Data Protection Regulation
(GDPR) imposes a general obligation to secure personal data, but
recent developments show a greater focus on the security of
information in general, not just personal data.

In 2020 in the United Kingdom, the British government announced
that it would legislate to require consumer connected products to
comply with security requirements or specific standards. One of the
requirements touted was a prohibition on universal default
passwords. In practice this means that every device must ship with
its own unique, strong password rather than sharing a single
factory default across a product line, because once a shared
default is discovered or cracked it gives attackers easy access to
millions of products at once. The resulting Product Security and
Telecommunications Infrastructure Bill, currently being considered
by the House of Lords, will give the UK Secretary of State authority
to impose specific security requirements for
“internet-connectable” and “network-connectable”
products or to require compliance with a given standard.
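The per-device password requirement above, shown as an added example that is not part of the original article and is not code from any regulator or standards body. The fleet records, the default-password list and the policy thresholds are constructed for illustration; the audit checks are the ones a practitioner would run over factory provisioning data before a product line ships, and they flag the “universal default” anti-pattern as well as passwords derived from the device serial.

```python
"""Per-device credential provisioning plus a fleet audit for the
"no universal default passwords" requirement.

Added example, not code from the article or from any regulator.
KNOWN_DEFAULTS, the sample fleets and the policy parameters below are
constructed for illustration.
"""
import secrets
import string
from collections import Counter

# Constructed: a few passwords that ship as universal defaults on
# real-world devices. A production list would be far longer.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", ""}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 16  # policy threshold, an assumption for this example


def provision_password(length: int = 20) -> str:
    """Generate an independent random password for one device.

    secrets.choice draws from the OS CSPRNG, so two devices share a
    password only with negligible probability, and leaking one device's
    password tells an attacker nothing about any other device.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_fleet(fleet: dict[str, str]) -> dict[str, list[str]]:
    """Check a mapping of device serial -> factory password against policy.

    Returns {finding: [offending serials]}; an empty dict means the
    fleet passes. Findings:
      known_default         password is on the universal-default list
      shared_across_devices the same password appears on >1 device
      contains_serial       password is trivially derived from the serial
      too_short             password shorter than MIN_LENGTH
    """
    findings: dict[str, list[str]] = {}
    counts = Counter(fleet.values())
    for serial, pw in fleet.items():
        if pw.lower() in KNOWN_DEFAULTS:
            findings.setdefault("known_default", []).append(serial)
        if counts[pw] > 1:
            findings.setdefault("shared_across_devices", []).append(serial)
        if serial and serial.lower() in pw.lower():
            findings.setdefault("contains_serial", []).append(serial)
        if len(pw) < MIN_LENGTH:
            findings.setdefault("too_short", []).append(serial)
    return findings


# Constructed sample fleets: one shipping a universal default, one
# provisioned per device, one using the serial as the password.
UNIVERSAL_DEFAULT_FLEET = {f"SN{n:04d}": "admin" for n in range(3)}
UNIQUE_FLEET = {f"SN{n:04d}": provision_password() for n in range(3)}
SERIAL_DERIVED_FLEET = {"SN0042": "pw-SN0042-factory-2022"}

if __name__ == "__main__":
    for name, fleet in [("universal default", UNIVERSAL_DEFAULT_FLEET),
                        ("per-device", UNIQUE_FLEET),
                        ("serial-derived", SERIAL_DERIVED_FLEET)]:
        print(f"{name}: {audit_fleet(fleet) or 'PASS'}")
```

The serial check is deliberately crude (a substring match); a real audit would also reject passwords that are simple transformations of the MAC address or serial, which is the other common way manufacturers satisfy “unique” on paper while remaining guessable in practice.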

In the European Union, the European Commission published on
September 15, 2022 a proposal for a “Cyber Resilience
Act,”
an EU Regulation “on horizontal cybersecurity
requirements for products with digital elements.” This
Regulation would require any manufacturer of a “product with
digital elements” (i.e., “any software or hardware
product and its remote data processing solutions”) to meet
minimum cybersecurity requirements to be able to place that product
on the EU market.

The concept of a “product with digital elements” does
not appear to be limited to hardware + software combinations, as a
number of categories of products listed in an annex to the draft
Cyber Resilience Act are today pure “software” products,
such as a wide range of cybersecurity tools. Thus, the scope of the
Cyber Resilience Act is not limited only to IoT products.

The draft Cyber Resilience Act calls in effect for security by
design by requiring manufacturers to design, develop, and produce
products in accordance with cybersecurity requirements. Notably,
manufacturers will be required to undertake an “assessment of
the cybersecurity risks associated with [the] product and take the
outcome of that assessment into account during the planning,
design, development, production, delivery and maintenance phases
[…] with a view to minimising cybersecurity risks, preventing
security incidents and minimising the impacts of such
incidents.” This echoes provisions of the draft “NIS
2” Directive (a proposal for a Directive “on measures for
a high common level of cybersecurity across the Union”) as
well as the principle of “data protection by design and by
default” found in the GDPR.

Under the provisions of the draft Cyber Resilience Act,
manufacturers will have reporting obligations in relation to
actively exploited vulnerabilities on the one hand and security
incidents on the other. They will be required to inform ENISA, the
EU Cybersecurity Agency, of (i) “any actively exploited
vulnerability” contained in the product and (separately) (ii)
“any incident having [an] impact on the security” of the
product, in each case “within 24 hours of becoming aware of
it.” In addition, manufacturers will have to inform users of
the incident “without undue delay and after becoming
aware” of it. Beyond information regarding the incident, they
would also have to inform users, “where necessary, about
corrective measures that the user can deploy to mitigate the impact
of the incident.”

Moreover, the draft Cyber Resilience Act requires manufacturers
to carry out conformity assessment procedures, draw up technical
documentation, and ensure that the product bears the relevant CE
marking. How these obligations interact with the conformity
assessment procedures that already apply to a given product under
other EU product legislation must be evaluated carefully.

The draft Cyber Resilience Act does not place the regulatory
burden only on manufacturers. Importers and distributors involved
in placing products on the EU market are subject to specific
obligations as well, notably in relation to documentation and CE
markings. An importer or distributor will moreover be subject to
the full obligations of a manufacturer if, for example, the product
is marketed under the importer/distributor’s name or trademark,
or if the importer/distributor carries out “a substantial
modification” of the product already placed on the market.

The security requirements themselves appear to be future-proof
and technology-neutral, for instance, the obligation to ensure
products are “delivered with a secure by default
configuration, including the possibility to reset the product to
its original state” or that they are “designed, developed
and produced to limit attack surfaces, including external
interfaces”. In many ways, these requirements appear to
reflect the common principles underlying information security best
practices. Products belonging to a “critical” category
(this includes a wide range of categories, such as identity
management systems, password managers, malware detection software,
microcontrollers, operating systems, routers, smart meters, etc.)
are then subject to stricter rules, in particular a specific
conformity assessment procedure.

The draft Cyber Resilience Act also links to the draft AI
Regulation (itself still under negotiation). If a product is
classified as a “high-risk” AI system under the draft AI
Regulation, compliance with the Cyber Resilience Act's essential
requirements and conformity assessment will be deemed to satisfy
the cybersecurity requirements of the AI Regulation.

As with other examples of recent legislation (from the GDPR to
the Digital Markets Act and Digital Services Act), the draft Cyber
Resilience Act includes tough penalties to ensure compliance, as
non-compliance can lead to recall or withdrawal of the product from
the market or another corrective action and can also lead to fines
of up to 15 million EUR or 2.5% of the total worldwide turnover,
whichever is higher. These fines are not the full extent of the
risk for non-compliant companies, though, as the draft Cyber
Resilience Act explicitly states that it is “without prejudice
to [the GDPR]”, which raises significant questions of liability
where a single action or behaviour infringes both sets of rules.

Now is the time to ensure that your information security
practices are up to speed and that all levels within your
organization are properly involved in devising, rolling out, and
maintaining a strong cybersecurity strategy that takes into account
all applicable legislation. Companies operating globally will, of
course, also need to follow the relevant national policy and
guidance as it develops.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
