
With the proliferation of digital products, cyberattacks against hardware and software products are on the rise. Such attacks have a wide-ranging impact not only on those attacked but also on their supply chains. To mitigate the harm caused by these attacks, products placed on the market are required to incorporate cybersecurity measures.

In response to these issues, legislative procedures have been conducted in the EU. On 12 March 2024, Parliament approved new cyber resilience standards to protect all digital products in the EU from cyber threats. Now, to become law, these standards will have to be formally adopted by the European Council.

The regulation will have a significant impact on those who trade digital products in the EU market, particularly manufacturers. For this reason, the following is a description of the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, which amends Regulation (EU) 2019/1020 (hereinafter referred to as the “Act”), and which has been made public.

I.-Scope of Applicability

Article 2.1 of the Act stipulates that this Act shall apply to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Article 3 (1) of the Act provides that “product with digital elements” means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.

II.-Essential Cybersecurity Requirements

Article 10.1 of the Act states that, when placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I of the Act.

Section 1 of ANNEX I of the Act sets forth the following requirements:

1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on existing risks;

2) Products with digital elements shall be delivered without any known exploitable vulnerabilities;

3) On the basis of the risk assessment referred to in Article 10(2), and where applicable, products with digital elements shall:

a) be delivered with a secure default configuration, including the possibility to reset the product to its original state;

b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;

c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit using state-of-the-art mechanisms;

d) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on data corruption;

e) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’);

f) protect the availability of essential functions, including the resilience against and mitigation of denial-of-service attacks (DoS attacks);

g) minimise their own negative impact on the availability of services provided by other devices or networks;

h) be designed, developed and produced to limit attack surfaces, including external interfaces;

i) be designed, developed and produced to reduce the impact of an incident using appropriate mechanisms and techniques to mitigate the exploitation of vulnerabilities;

j) provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions;

k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

III.-Vulnerability Handling Requirements

Article 10.6 of the Act states that, when placing a product with digital elements on the market, and for the expected product lifetime, or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I of the Act.

Section 2 of ANNEX I of the Act sets forth the following requirements:

1) identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;

2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates;

3) apply effective and regular tests and reviews of the security of the product with digital elements;

4) once a security update has been made available, disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;

5) put in place and enforce a policy on coordinated vulnerability disclosure;

6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements, as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;

8) ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

IV.-Technical Documentation

Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation (Art. 10.7 of the Act).

The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential requirements set out in Annex I of the Act. Likewise, said documentation shall at least contain the elements set out in Annex V (Art. 23.1 of the Act).

Furthermore, the technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is shorter (Art. 23.2 of the Act).

V.-Conformity Assessment Procedure

The manufacturer shall perform a conformity assessment of the product with digital elements (Art. 24.1 of the Act).

This may be done either by self-assessment or by a third-party conformity assessment, depending on the level of risk associated with the product in question.

Third-party conformity assessment is required for critical products with digital elements listed in the Annex III of the Act.

On the other hand, when products with digital elements do not fall under the above categories, manufacturers may choose either the less burdensome self-assessment or a third-party conformity assessment.

When such conformity has been demonstrated, manufacturers shall affix the CE marking (Art. 10.7 of the Act).

This Act is set to enter into force in the second half of 2024, and manufacturers will have to place compliant products on the EU market by 2027.

Essential Cybersecurity Requirements and Vulnerability Handling Requirements must be considered from the planning and design stages of the product, so manufacturers targeting the EU market are urged to take action to comply with this regulation as soon as possible.

Satoshi Minami

Vilá Abogados

For more information, please contact:

va@vila.es

12 July 2024