Digital Development a Manufacturers Dilemma – How Resilient Are Your Products?

Alarming statistics from the EU Agency for Cybersecurity (ENISA) show that every 11 seconds during 2021, a company was hit with a cyber-attack. The global annual damages as a result of such attacks exceeded 20 billion euros. 

Therefore the cyber resilience of products used within businesses is something all businesses should be monitoring and addressing. The significant increase in attacks, together with the financial damage and security threat, has prompted the EU Commission to take action and propose plans to bolster cyber security requirements with the introduction of the Cyber Resilience Act (CRA). 

The CRA aims to impose stricter obligations on manufacturers of software and hardware products which have a ‘digital element’ and are advertised and sold within the EU market.

The CRA applies to all software and hardware products that establish a direct or indirect connection to a device or network (In-scope Products), with certain In-scope Products that are deemed more susceptible to attacks coming under the category of ‘critical’, subjecting them to more onerous compliance requirements.

The CRA will not be extended to products and services that are already regulated by existing EU legislation, such as software as a service (SaaS), medical devices, products designed for military purposes and motor vehicles.

The CRA will impose obligations on a range of operators within the supply chain. However, manufacturers will be under the most onerous obligations. Amongst other things, manufacturers must:

• Ensure that In-scope Products are designed, developed, and produced in accordance with a list of essential cybersecurity requirements and will be required to undertake conformity assessments. It’s worth noting that depending on the risk classification of the In-Scope Product; different procedures will apply with stricter requirements for those products considered to be “high risk”;
• Provide a wide range of technical documents that contain user information and a cybersecurity assessment; and
• Comply with external reporting obligations similar to data protection breach notifications, ENISA must be notified without undue delay and, in any event, within 24 hours of (the manufacturer) becoming aware of any actively exploited vulnerability contained in the In-Scope Product or any incident having an impact on the security of the In-Scope Product.

The CRA will automatically apply to all In-Scope products following a 24-month grace period after its enactment. However, manufacturers are expected to comply with their reporting obligations 12 months after the CRA comes into force. The CRA includes transitional provisions for In-scope products placed on the market prior to the CRA coming into force.

The CRA will not only apply to businesses based in the EU but to any manufacturer, distributor or importer who places products on the EU market. Therefore, UK businesses will need to prepare for its implementation if supplying products to customers in the EU. Adding to the complexity of cross-border transactions will be a dual regulatory regime as the UK has announced similar plans to regulate consumer connectable products to ensure they are secure against cyber-attacks.

In its current form, the CRA is wide-ranging and onerous for all economic operators and will likely result in a significant shift in how such operators approach, manage, document and externally report on cybersecurity risks. Therefore, businesses (particularly those operating within the technology and manufacturing sector) should closely monitor the draft legislation as it progresses through the legislative process and prepare for compliance.

As a final point, it is worth noting that the CRA is intrinsically linked with the GDPR and whilst the CRA may burden software developers and hardware manufacturers with additional compliance requirements and costs, the enhanced security properties of the relevant hardware or software will certainly assist those operators further up the chain who are implementing such products (such as IT service providers) in complying with their data protection obligations under the GDPR.