
Cyber ​​Resilience Act, a necessary provision for HWG

by admin

Stefano Brusaferro, Sales & Marketing Director of HWG, explains the characteristics of the new Cyber Resilience Act and why it is a necessary provision.

The Internet of Things (IoT) market is surely a crucial area in the development of cybersecurity. Indeed, the number of connected IoT devices worldwide is expected to rise from 9.7 billion in 2020 to over 29 billion in 2030 (source: Statista).

Cyber Resilience Act

These devices will inevitably have to be as secure as possible, so as not to become targets of cyber crime. This is why the European Commission has presented the Cyber Resilience Act, a new regulation proposal that defines new and higher IT security standards for IoT devices placed on the European market, and for the related services, by setting stricter obligations for their producers.

The characteristics of the provision

The provision applies to the software and hardware of connected devices, and to the related remote data processing solutions where these are essential for the devices' functioning. The products included (Article 2) are those with digital elements that provide, or may provide, a direct or indirect logical or physical data connection to a device or network. The standards apply throughout the product lifecycle, from design to obsolescence. The provision does not apply to connected objects already subject to sector regulations (for example medical devices or those used in civil aviation).

Cyber Resilience Act: where does it come from?

The need for legislative intervention on the security of IoT devices arises from observation of the market's growth. The interconnection of more and more IoT devices will increase the flow of data exchanged, data which is also processed by organizations other than those operating within the European Union. Among the consequences of this arrangement is an increase in the cost of fighting computer crime. The Cyber Resilience Act requires manufacturers to manage information security and the technical vulnerabilities of their devices by applying the “privacy-by-design” principle to their production processes.

Products with digital elements, definition


The provision itself defines products with digital elements, referring to any type of software or hardware product and the related remote data processing solutions, including items related to those products even if they are placed on the market separately. The definition is generic and is specified by the annexes to the text of the law. It should be noted that the Cyber Resilience Act also covers importers of digital products, obliging them to place on the market only products that meet the essential requirements for avoiding vulnerability risks.

What are manufacturers supposed to do?

Manufacturers are required to verify and declare that products with digital elements carry the EU conformity mark (referred to in Article 20 of the Cyber Resilience Act). Distributors, on the other hand, bear only the burden of placing on the market products that comply with the legislation. The provision also extends these obligations to substantial changes that occur over time (updates, software repairs, physical maintenance), by establishing an assessment to determine whether these changes affect the product's compliance with the standards.

The implementation times of the Cyber Resilience Act

As regards the timing of implementation of the Cyber Resilience Act, two stages are foreseen. The first should take place within 12 months of its adoption, during which producers and developers will have to report any vulnerabilities and breaches affecting their products. In the second phase, lasting 24 months, the Member States and the companies concerned are required to bring themselves into compliance with the new rules.


Still uncertainty

There is still uncertainty surrounding vulnerability reporting. The European Commission's proposal foresees that ENISA collects reports of all actively exploited vulnerabilities. However, there are concerns that the Agency's workload may not be sustainable. Notification of vulnerabilities has therefore been entrusted to the national CSIRTs, promoting collaboration between stakeholders.

Consequently, if a third party reports an actively exploited vulnerability in an IoT product to a CSIRT, the CSIRT must immediately inform the affected manufacturer. If the manufacturer itself produces security updates to address vulnerabilities, it is also required to share the corresponding code with the entity responsible for the component.

Important and necessary

The Cyber Resilience Act therefore represents a valuable and necessary measure. It demonstrates the European legislator's full awareness of the importance of the digital heritage represented by personal data, a pillar on which the European Union's political strategy is based: placing information security and the protection of citizens at the center of its government action.
