The European Union (EU) released its new Cyber Resilience Act, which is claimed to be the first ever act put in place to ensure that consumers are better protected by the manufacturers of both hardware and software products sold within the EU. This is a first because, in the past, the onus has been on the consumer to keep hardware and software secure through patching and proper configuration. While those will still be required, manufacturers are being told they need to step up their security controls throughout their development cycle or face sanctions or fines. The Act has four specific goals:
- To ensure manufacturers improve the cybersecurity of covered products throughout the whole life cycle;
- To create a single, coherent framework for cybersecurity compliance in the EU;
- To increase the transparency of cybersecurity practices and properties of products and their manufacturers; and
- To provide consumers and businesses with secure products ready for use.
Let’s look at each of these goals separately.
- In many cases, manufacturers have been known to focus on getting products to market as quickly as possible, with security controls coming afterwards. In some cases, such as consumer IoT devices, the developers are gone once the product is on the market, and if a bug is found in the software it will likely become a “forever day”: a 0-day that is never patched. The new Act will require manufacturers to build security into the product lifecycle (security-by-design) so that their products are as secure as possible before they reach the market. This will likely cause manufacturers to invest in more security controls earlier in the lifecycle than they are used to, but the cybersecurity industry has been asking for this for quite a long time.
- This framework will help manufacturers understand and maintain compliance with the Act. Compliance will require them to declare their products as conforming to the Act, provide technical documentation, affix a conformity mark, and draw up a written EU declaration of conformity. It will also include a 24-hour disclosure requirement for any actively exploited vulnerability contained in their products.
- The more transparent cybersecurity practices become, the better manufacturers will be at supporting them. This goal has been difficult to reach in the past because of the myriad frameworks, laws, certifications, and other regulations imposed on businesses.
- This is the ultimate goal of the Act: to ensure that EU citizens and organizations are provided with the most secure products when they purchase them.
This Act places a lot of new burden on manufacturers, and it will be interesting to see how many end up complying with it, or whether some decide to drop out of this market. There will certainly be a significant cost in adopting the security-by-design model for many businesses, but hopefully they will see the long-term benefit: less patching of bugs that would otherwise be discovered during the coding process by pen testing and other controls. But for any business that thinks it can bypass this, there are significant sanctions or fines for violations. The most serious offences can draw administrative fines of up to €15 million or 2.5 percent of global annual turnover for the previous fiscal year, whichever is greater. Other violations can draw fines of up to €10 million or 2 percent of global annual turnover for the previous fiscal year, whichever is greater. Lastly, misleading market surveillance authorities with incorrect, incomplete, or manipulated information will lead to a fine of €5 million or 1 percent of global annual turnover for the previous fiscal year, whichever is greater. These are significant penalties for non-compliance and will likely persuade most manufacturers to comply.
This is a big step forward for the EU, and it will more than likely serve as a blueprint for other regions around the world. Any manufacturer that currently sells into the EU, or is looking to enter this market, should do a thorough review of the Act to see whether it is affected, as there are some exemptions.