
Getting ready for the European Union's new Cyber Resilience Act

The recent global IT outage caused by CrowdStrike's Falcon Sensor software update has put cybersecurity in the spotlight. CrowdStrike, a company whose services aim to protect customers against cyber threats, inadvertently caused massive disruption on a global scale, affecting over 8.5 million computers worldwide (primarily those running Microsoft operating systems) across various sectors including banking, air travel and healthcare. The incident highlights the complex nature of cybersecurity, where tools meant to protect can themselves become sources of vulnerability.

Such a significant high-profile outage will inevitably attract attention from lawmakers and regulators, and is likely to lead to increased focus on cybersecurity practices and software update procedures. The UK's new Labour government recently announced a Cyber Security and Resilience Bill as part of its legislative agenda, intended to strengthen the UK's cyber defences, with a renewed focus on critical infrastructure and digital services as well as putting regulators on a stronger footing. Meanwhile, in March 2024, the European Parliament approved the text of a new Cyber Resilience Act (CRA) which aims to establish common standards for digital products across the EU market.

European Union Cyber Resilience Act

The CRA is expected to come into effect in the second half of 2024 following publication in the Official Journal of the European Union. Manufacturers, importers and distributors will have a 36-month grace period to adapt to the new requirements, although there is a shorter 21-month period for the reporting obligation of manufacturers regarding incidents and vulnerabilities. This means that full compliance will likely be required by late 2027 or early 2028, depending on the exact date the CRA enters into force.

Who is affected by the CRA?

The CRA has a broad scope, affecting various stakeholders in the digital product ecosystem, including:

  • Manufacturers - companies that produce hardware and software products with digital elements.
  • Importers - entities bringing digital products into the EU market from non-EU countries.
  • Distributors - businesses involved in the supply chain of digital products within the EU.
  • Software developers - including those creating operating systems, applications and firmware.
  • Hardware manufacturers - producers of connected devices, industrial machinery and other physical products with digital components.
  • Cloud service providers - especially those offering Software as a Service (SaaS) solutions.
  • Open-source software developers - although there are exceptions for non-commercial open-source development.

Products covered by the CRA

The CRA applies to "products with digital elements," which encompasses a wide range of devices and software, such as:

  • Connected devices including smart TVs, phones, refrigerators, thermostats, light bulbs, fitness trackers, toys and wearables.
  • Industrial equipment such as machinery, robots and automated production lines.
  • Medical devices, i.e. connected medical equipment.
  • Critical infrastructure components.
  • Software including operating systems, applications (mobile, web, desktop), firmware, cloud-based services, software components and software libraries.
  • Hardware components with digital elements.

Risk-based approach

The CRA focuses particularly on "high-risk" products, imposing stricter requirements on items with greater potential for harm if compromised.

Key requirements and obligations include:

  • Security by design - implementing cybersecurity measures from the earliest stages of product development.
  • Cyber risk assessments - to be carried out before market release and throughout the product's lifecycle.
  • Vulnerability management - establishing processes to identify and address vulnerabilities, providing automatic security updates by default, with user opt-out options, and separating security updates from feature updates when feasible.
  • Incident reporting - notifying the EU cybersecurity agency (ENISA) of significant incidents within 24 hours of awareness, and taking measures to resolve reported incidents promptly.
  • Conformity assessment - CE marking to demonstrate compliance, with "important" or "critical" products likely to require certification by a third party.
  • Documentation and transparency - providing an EU declaration of conformity, preparing and maintaining technical documentation, and providing transparency on security features for consumers and business users.
  • Ongoing compliance - maintaining cybersecurity measures throughout the product lifecycle and co-operating with competent authorities as required.
  • Supply chain security - ensuring security of components and third-party elements used in products.

Enforcement and penalties

The CRA includes significant penalties for non-compliance, with fines of up to €15 million or 2.5% of global annual turnover (whichever is higher) for serious violations. Market surveillance authorities will be responsible for enforcing the CRA, with powers to investigate and take action in relation to non-compliant products.

Global impact

While the CRA is an EU regulation, its impact will be felt globally. Non-EU companies will need to comply with its requirements to sell products in the EU market, which is a significant economic bloc. This extraterritorial effect, often referred to as the "Brussels Effect," may lead to CRA compliance becoming a de facto global standard for cybersecurity in digital products. Many companies may find it more efficient to apply CRA standards across their entire product lines rather than maintaining separate versions for different markets. This could result in improved cybersecurity for digital products worldwide, even in regions not directly caught by the CRA, with potential for a ripple effect in improving global supply chain security.

Concluding thoughts

The CRA represents a significant shift in the regulatory landscape for digital products. Its broad scope and comprehensive requirements will have far-reaching impacts on manufacturers, developers and distributors across various sectors. As with any major regulatory change, the CRA presents several challenges and considerations including the complexity of implementation, cost of compliance, concerns about the impact on innovation in fast-moving tech sectors, as well as the problem regulators face keeping abreast of fast-evolving technology and addressing emerging technologies not explicitly covered, whilst trying to balance security and usability.

There will also be challenges in attempting to ensure compliance throughout complex global supply chains, with the potential for increased costs and delays in product development and distribution, as well as the need to navigate the interplay with other laws and regulations such as the AI Act, DORA, GDPR and NISD2 as well as applicable sector-specific rules, especially in the financial services industry. For businesses operating in or selling to the EU market, early preparation and a proactive approach to cybersecurity will be key to successful compliance. This may involve significant changes to product development processes, supply chain management, and ongoing product support strategies.

If you would like to discuss the Act in more detail, please contact Tim Wright.
