The Cyber Resilience Act as it relates to the Internet of Things.

Mattis van ’t Schip, PhD candidate, Radboud University

Image credit: Grafiker61, via Wikicommons Media

The Internet of Things (IoT), encompassing devices with integrated hardware and software like smartwatches and WiFi security cameras, is becoming increasingly prevalent in homes and industries. However, the cybersecurity of these connected devices is a growing concern. Hackers have exploited vulnerabilities in these devices, as demonstrated by the Mirai botnet attack, where thousands of devices were compromised to disrupt websites and businesses. Similarly, the Target supermarket hack, where attackers gained access to cash registers through their network-connected air-conditioning systems, highlights the vulnerability of always-connected devices. With billions of IoT devices in use, the potential for cyberattacks is vast, making enhanced cybersecurity crucial. While existing legislation like product safety law inadequately addressed this issue, a new legislative proposal aims to bridge this legal gap.

On September 15, 2022, the European Commission proposed the Cyber Resilience Act (CRA) to safeguard the European Union market from insecure products. Article 1 of the Act outlines four key areas:

  1. Regulations for introducing digitally-enabled products to the EU market, ensuring cybersecurity.
  2. Essential requirements for the design, development, and production of products with digital components.
  3. Manufacturer requirements for vulnerability management to guarantee cybersecurity throughout the lifecycle of digital products.
  4. Market surveillance and enforcement.

This blog post provides a concise overview of the new regulations concerning the cybersecurity of products with digital elements, specifically points 1-3. It first examines the framework of the Act, focusing on its scope and cybersecurity provisions. Subsequently, it explores how the Act integrates into and modifies the existing regulatory framework for the cybersecurity of products with digital elements, particularly IoT devices.

Products with digital elements

The Cyber Resilience Act will apply to “products with digital elements,” which, according to Article 3(1), encompass software, hardware, and remote data processing solutions. Therefore, the Act covers not only software applications but also specific hardware items not traditionally considered digital, such as routers and microcontrollers. A connected security camera exemplifies a product with digital elements, integrating a traditional camera system (hardware) with software that enables remote access to the camera.

While the European Commission primarily emphasizes IoT devices as the Act’s central focus, they are not the sole products within its scope. The Commission incorporates two additional categories of products with digital elements based on their “criticality.” Annex III lists all “critical products with digital elements,” primarily encompassing products with privileged network or security access, such as password managers, identity management software, and network monitoring systems. These critical systems, as per Article 3(3), pose a cybersecurity risk and must adhere to more stringent cybersecurity requirements discussed later. Furthermore, an additional category encompasses “highly critical products with digital elements” that present even greater cybersecurity risks, such as network management software utilized by energy providers.

According to Articles 6(2) and 6(5), the Commission can modify the list of critical and highly critical products based on their cybersecurity risks. Criteria for evaluating these risks include whether the products possess privileged access, control data access, or perform crucial trust-based functions within networks or security systems. The Commission employs supplementary criteria for highly critical products, including their utilization within critical sectors. (For cybersecurity requirements of devices employed in these sectors, refer to the NIS2 proposal: Proposal for a Directive for a high common level of cybersecurity, which is nearing adoption).

Cybersecurity requirements

The Cyber Resilience Act establishes baseline cybersecurity requirements for all products with digital elements, allowing only compliant products to enter the European market, similar to previous IoT-related product regulations like the Radio Equipment Directive.

Annex I Section 1 lists these cybersecurity requirements, which are contingent on the devices being appropriately installed, maintained, used, and updated, as per Article 5(1). However, the provision does not explicitly state who bears the responsibility for ensuring these preconditions. While proper use likely falls under the user’s purview, and proper maintenance is the manufacturer’s responsibility, the accountability could shift between them depending on the action. Article 10(10) suggests that manufacturers must document the conditions under which users can ensure proper installation, operation, and use. Broadly, these conditions could imply that the user, as part of proper installation, should change the default password before using the device.

In addition to cybersecurity requirements, manufacturers must comply with specific vulnerability handling requirements outlined in Annex I Section 2. These requirements address the issue of numerous devices not receiving adequate updates throughout their lifespan. Without sufficient updates, these devices become security risks, as manufacturers fail to address the latest security vulnerabilities.

Manufacturers are now obligated to provide regular security updates for their products, addressing any vulnerabilities throughout the product’s expected lifespan or for a minimum of five years, according to Article 10(6). Furthermore, vulnerability handling processes must ensure transparency regarding vulnerabilities discovered and patched by manufacturers. This aims to address two issues: the lack of security updates for neglected devices (e.g., due to newer models being released) and the lack of transparency regarding vulnerabilities identified by manufacturers or third parties. This lack of transparency can endanger devices from other manufacturers using similar protocols or components.

The Cyber Resilience Act, through its cybersecurity requirements and vulnerability handling processes, addresses a wide spectrum of cybersecurity-related concerns.

Economic operators

The Cyber Resilience Act implements product requirements to protect the European Union market. Therefore, most rules apply to manufacturers introducing devices to the EU market. Additionally, the rules extend to other actors, including importers and distributors, who place a product with digital elements on the market under their name or trademark or substantially modify an existing product already on the market (Article 15). The same substantial modification condition applies to any individual or legal entity (Article 16). The Act’s scope is broad: any entity introducing or modifying a product to the extent that it qualifies as “new” falls under its purview.

The Cyber Resilience Act primarily targets manufacturers, with Article 10 outlining their key obligations, many of which also apply to importers and distributors. Manufacturers must prioritize security-by-design (Article 10(2)), conducting a risk assessment for their device and implementing its findings throughout the entire production process, from planning to delivery and maintenance. They must include specific information, including the risk assessment, in the technical documentation (Article 10(3)). The technical documentation rules are part of a set of obligations for manufacturers to provide clear and understandable information to users regarding various aspects of the device (Article 10(10)).

Finally, Article 10(14) mandates manufacturers to notify market surveillance authorities and users when they cease operations. This obligation aims to address the issue of manufacturers neglecting existing devices in the market due to bankruptcy, acquisition, or other reasons, leaving consumers with unsupported devices that no longer receive updates or become inoperable. This new obligation promotes a more secure end-of-service process for existing devices on the market.

A new approach

The Cyber Resilience Act will establish the most crucial cybersecurity requirements for IoT devices. Existing legislation also applies to IoT cybersecurity, but only through narrower, instrument-specific criteria.

The Radio Equipment Directive (RED), a piece of product safety legislation, closely resembles the Act. It establishes requirements that radio equipment must meet before entering the EU market, much as the Cyber Resilience Act requires economic operators to comply with specific requirements before placing their products on the EU market.

However, concerning cybersecurity requirements, the Radio Equipment Directive is far more limited than the Cyber Resilience Act. Article 3(3) of the Directive outlines two primary cybersecurity requirements: 1) radio equipment must not “harm the network or its functioning nor misuse network resources” (3(3)(d)); and 2) radio equipment must incorporate safeguards to protect users’ personal data and privacy (3(3)(e)). These cybersecurity requirements also extend to IoT devices, according to a recent Commission Delegated Act. These general cybersecurity requirements are less comprehensive than those listed in the Cyber Resilience Act, which crucially includes requirements for vulnerability handling processes. Recital 15 of the Act acknowledges these differences: “The essential requirements laid down by [the Cyber Resilience Act] include all elements of the essential requirements referred to in [the Radio Equipment Directive].” Consequently, the Cyber Resilience Act will supersede the Radio Equipment Directive in establishing cybersecurity requirements for IoT devices.

The Radio Equipment Directive’s product safety provisions are quite similar, including rules on technical documentation. However, the Cyber Resilience Act imposes broader cybersecurity-focused obligations on manufacturers, such as notifying market surveillance authorities when ceasing operations. Although the Directive might initially appear partially redundant due to its similarities with the Act, their approaches differ. The Radio Equipment Directive focuses on ensuring the overall safety of radio equipment placed on the EU market, which differs from cybersecurity requirements. For instance, the Radio Equipment Directive mandates that devices ensure access to emergency services, accommodate users with disabilities, and function with commonly used chargers. In contrast, the Cyber Resilience Act exclusively focuses on the cybersecurity of devices.

Furthermore, the General Data Protection Regulation (GDPR), another piece of legislation relevant to IoT cybersecurity, differs from the Cyber Resilience Act in its foundation. The GDPR governs personal data processing, which only partially overlaps with the Act’s security requirements. The GDPR fundamentally aims to protect individuals against the misuse of their personal data. Consequently, the Cyber Resilience Act, like the Radio Equipment Directive, supports the GDPR’s objective through its cybersecurity requirements. Recital 17 of the Act states that “the essential cybersecurity requirements laid down in this Regulation are also to contribute to enhancing the protection of personal data and privacy of individuals.”

The Cyber Resilience Act will provide a comprehensive framework for cybersecurity requirements, complementing existing legislation such as the Radio Equipment Directive and the General Data Protection Regulation. By doing so, the Act consolidates the growing number of cybersecurity requirements for IoT devices currently dispersed across various legislative instruments.

Conclusion

The Cyber Resilience Act presents a more comprehensive set of cybersecurity requirements for IoT devices compared to existing legislation. Moreover, its provisions address longstanding concerns regarding IoT security, such as the procedures when manufacturers cease operations or when new vulnerabilities necessitate manufacturer updates.

Concerning existing legislation, the Cyber Resilience Act will provide a consolidated overview of cybersecurity requirements. Previously, cybersecurity-related legislation often contained open norms and addressed specific operations (e.g., personal data processing in the GDPR). The Cyber Resilience Act will support the objectives of this related legislation while establishing the primary set of cybersecurity requirements that modern software and hardware must meet.

Licensed under CC BY-NC-SA 4.0