EU Commission Presents Draft For a Cyber Resilience Act
The European Commission presented a draft for a cybersecurity law, the Cyber Resilience Act. The intent of the draft is to ensure that fewer products pose a cybersecurity risk, by requiring manufacturers to address vulnerabilities and to keep cybersecurity risks low throughout the expected lifetime of the product or for 5 years, whichever is shorter. The Act would apply to all products with digital elements, except those already covered by other sector-specific laws and therefore excluded (such as medical devices), but it is specifically aimed at the Internet of Things, such as smart home devices or toys. One part of the draft sets out requirements for the information to be given to consumers and buyers, with the goal of enabling an informed choice of products.
The draft requires both software and hardware products designed to establish data connections, directly or indirectly, with other devices or networks to comply with certain cybersecurity requirements. In order to fulfil these requirements, manufacturers need to perform a conformity assessment whose depth depends on the cybersecurity risk class the product falls into. For critical and highly critical products, stricter requirements apply. When becoming aware of an actively exploited vulnerability, the manufacturer must report this to the authorities (ENISA, under the draft) within 24 hours. When becoming aware of any vulnerability affecting any component of a product (actively exploited or not), the manufacturer must inform the entity maintaining the component about the vulnerability. Similar requirements apply to the importer of a product. The whole product cycle, through design, development, production, sale, and maintenance, is targeted. To check compliance, the market surveillance authorities have the right to conduct simultaneous coordinated control actions, called Sweeps, under article 49 of the draft.
My own comments
European legislation involves many actors and is therefore usually a slow process. However, if and once adopted, the regulation will become directly applicable European law where, unlike with EU directives, no national implementation is needed. The draft regulation fits neatly with other recent European legislation such as the DMA (Digital Markets Act) and DSA (Digital Services Act) as well as directives 2019/770 and 2019/771 on consumer rights regarding digital content and goods with digital elements. As with all EU regulations and directives, this draft needs to be viewed in the context of those other pieces of legislation. As the EU is an important market for many tech companies, the legislation might affect other jurisdictions as well. For example, it is often cheaper for a company to adhere to the strictest regulation it faces and to apply it in more than just the regulated market. Such an effect could be seen following the EU's regulation of website cookies, when some websites, instead of maintaining a European and an international version, changed their single website to meet the EU requirements. In other cases, however, meeting the requirements of EU legislation was deemed too complicated and companies withdrew from the European market altogether. For example, many American websites are no longer accessible from the EU since the effective date of the GDPR.
The Cyber Resilience Act might, if adopted, be able to reduce botnet attacks through IoT devices, where security is often sacrificed for a cheaper price or a faster market entry, as well as malware attacks, where vulnerabilities in software or hardware are exploited. However, in my opinion, any Act legislating cybersecurity is incomplete without a “whistleblower paragraph” granting immunity or justification to any researcher, employee, white hat hacker, or consumer who reports a vulnerability, even if the vulnerability was discovered by means of reverse engineering. If a law-abiding person can discover this vulnerability, so can others. I doubt that the requirement for manufacturers to put in place responsible disclosure mechanisms will suffice to prevent lawsuits based on copyright or even the Criminal Code.
It is not yet clear what practices the so-called Sweeps (article 49) will allow for. Special attention should also be paid to the requirement of reporting actively exploited vulnerabilities to the authorities. While I have no doubt that it will mostly be used responsibly, it does also carry the risk of law enforcement using reported vulnerabilities for their own means, a risk that is especially dangerous with some European states falling into autocracy and religious extremism.
One also needs to remember that threats generally attributed to cyberspace cannot be tackled solely in cyberspace. A company's data is not just vulnerable to malware, but also to classic threats like social engineering, including phishing attacks. Tackling those threats is probably best done in the realm of social norms instead of laws. Although the EU says: "The Act would see inadequate security features become a thing of the past" [1], in my opinion, the recent and future EU cyber laws should not be advertised as fully solving the issue. Security features are not limited to the digital realm.
[1] "EU Cyber Resilience Act", European Commission, last accessed 08 October 2022, https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act