The New EU Cyber Resilience Act: All You Need To Know


The impending enforcement of the New EU Cyber Resilience Act in early 2024 marks a pivotal moment in the realm of cybersecurity, introducing a comprehensive legal framework aimed at fortifying digital products against the escalating tide of cyber threats. From stringent standards to mandatory compliance measures, here’s a comprehensive guide to all you need to know about the Cyber Resilience Act and its far-reaching implications.

What is the Cyber Resilience Act?

The Cyber Resilience Act is a new EU cybersecurity legal framework that was first put forward in September 2022. Member nations agreed on its contents on 3 December 2023, and it’s expected to come into effect sometime during early 2024. It mandates common EU cybersecurity standards for products with digital elements, to ensure that by design, Internet-connected devices are made secure against increasingly common and sophisticated cyber-attacks. The Cyber Resilience Act covers many new products for sale within the EU that can create vulnerabilities by being directly or indirectly connected to a network.

Why This and Why Now?

According to a report by the Digital SME Alliance, there was a 57% increase in cyberattacks from 2022 to 2023. The report also highlights that ransomware attacks increased from 112 in 2022 to 175 in 2023, and the figures for phishing campaigns in the same time frame also went up. Some criminal attackers are motivated by profit, while others may be state-sponsored actors hoping to disrupt another country by sabotaging its infrastructure. 2021’s fuel pipeline attack in the US demonstrated this vulnerability clearly.

Against this backdrop, the EU recognized the urgent need to ensure that hardware and software products are hardened against future cyber-attacks.

It also recognized that users haven’t always been able to gather enough information about the cyber resilience of some products, so they haven’t been able to make informed decisions about which ones to choose. Some products with digital elements are already covered by existing legislation, but enough hardware and software products are not currently covered by any EU legislation that the Cyber Resilience Act has become necessary.

What new rules will businesses need to start implementing in early 2024?

First off, the new legislation is only expected to affect an estimated 10% of products with digital elements. That’s because many devices, such as cars, aviation industry products, and medical equipment, are already covered by existing cybersecurity legislation.

After the Cyber Resilience Act comes into effect, companies manufacturing, importing, and distributing hardware and software products will have three years to adapt to the new rules. However, manufacturers will only have 21 months to get up to speed with the requirements for reporting incidents and vulnerabilities.

Proposed fines for non-compliance could be as high as $15 million or 2.5% of the offending company’s total worldwide annual turnover during the previous financial year.

The Act won’t just affect businesses within the EU. If companies headquartered in non-EU territories want to supply devices covered by the Act within the EU, then they will need to comply.

Cyber Resilience Act: Essential Cybersecurity Requirements

Products must be designed and developed with security in mind, to mitigate known vulnerabilities and address potential risks. The Cyber Resilience Act makes manufacturers responsible for planning, designing, developing, and maintaining their products. The onus is on them to ensure that products are safe for the duration of their life cycles. This will effectively mean that they need to provide security support for at least five years. They will need to keep any security updates they offer during this time available for either 10 years or the rest of the support period, whichever is longer.

Cyber Resilience Act: Conformity Assessments

Depending on the risk level, certain products may need to undergo independent testing and certification to ensure they meet the requirements. Compliant products will be able to feature a CE (European conformity) mark.

Businesses will generally be able to self-assess their compliance, but products considered “important” or “critical” will need to be security audited by a certified third party.

Cyber Resilience Act: Vulnerability Reporting

If online businesses discover any vulnerabilities, then they will need to report them to relevant authorities promptly and take steps to address them.

Cyber Resilience Act: Incident Reporting

Businesses must notify authorities and affected users about serious cyber incidents and actively exploited vulnerabilities that haven’t yet been patched. For the makers of IoT devices and other connected items, this is a first-of-its-kind requirement.

What best practices or steps does the Cyber Resilience Act require of online businesses?

The Act doesn’t just set requirements; it also encourages best practices for building cyber-resilient products. These include:

Security by Design

Integrating security considerations into the product lifecycle, from conception to development and deployment.

Threat Intelligence

Staying informed about emerging cyber threats and vulnerabilities and adapting security measures accordingly.

Open-Source Security

Utilizing secure open-source software components and promoting responsible vulnerability disclosure practices.

Incident Response Planning

Maintaining a clear plan for responding to security incidents.

Note that the specific best practices may vary depending on the particular requirements of the Cyber Resilience Act for each context.

Here are some of the ways that the Act will affect non-EU organizations:

Direct Impact

Products sold in the EU

If a non-EU company wants to sell products with digital elements in the EU market, it must comply with the Act’s requirements. This includes providing risk assessments, vulnerability reporting, and potentially undergoing conformity assessments. Failure to comply could lead to fines like those mentioned or even market bans.

Supply chains

Even if they don’t directly sell in the EU, non-EU companies might be affected if they supply components or software for products covered by the Act. They might need to adapt their practices to ensure compliance for their products if they’re going to be used in goods bound for the EU.

Indirect Impact

Market pressure

Some commenters have suggested that the Cyber Resilience Act’s existence sets a higher bar for cybersecurity globally. Competitors within the EU market will need to be compliant, and this could pressure non-EU companies into raising their own cybersecurity standards to remain competitive.

Tech harmonization

The Act’s principles and approaches might influence other regions to implement similar regulations, leading to a more harmonized global landscape for cybersecurity standards, which can only be good!

Business reputation

Companies that gain a reputation for prioritizing cybersecurity could gain a competitive edge, potentially impacting non-EU companies’ market share.

Key factors to consider for non-EU companies:

Target market

Assess the extent to which you sell or plan to sell products covered by the Act in the EU market.

Supply chain relationships

Analyze your role in supplying components or software for products destined for the EU, understanding your potential compliance needs.

Cybersecurity practices

Evaluate your existing cybersecurity practices and policies to identify potential gaps in light of the Act’s requirements.

Monitoring regulatory developments

Stay up to date on the implementation timeline and specific details of the Act to proactively adapt your strategies.

Navigating the impact

Seek legal and compliance advice

Consult with lawyers or specialists familiar with the Act to understand your specific obligations and compliance strategies.

Collaborate with EU partners

Partner with EU-based companies or consultants to navigate the requirements and market landscape.

Invest in Cybersecurity

This is an essential first step for any company to take because the Act has only recently been agreed and no firm guidance yet exists on how to implement it. Strengthening your overall cybersecurity posture is the best way of establishing a strong baseline on which to build the Act’s specific requirements.

Products With Digital Elements

As we mentioned, the Cyber Resilience Act uses the term “products with digital elements.” This is a broad term that encompasses a wide range of devices and software with features or functionalities that rely on digital technology and that can be connected to networks, either directly or indirectly through other network-connected devices. Examples of such products include:

Hardware

Connected devices

Smart TVs, phones, refrigerators, thermostats, light bulbs, fitness trackers, toys, wearables, etc.; industrial machinery and equipment, robots, automated production lines, some medical devices, critical infrastructure components, etc.

Software

Operating systems, applications (mobile, web, desktop), firmware for embedded systems, cloud-based services, software components, and libraries.

It’s important to remember that the Cyber Resilience Act focuses on “high-risk” products. It places stricter cybersecurity requirements on products with greater potential for causing harm if they’re compromised, but as we mentioned already, exemptions will exist. Certain products, like low-risk medical devices or basic software components might be exempt from specific requirements based on their nature and risk profile.

Criticisms

The EU has set the pace for holding big tech companies more accountable for cybersecurity and how they use personal data with the GDPR. The Cyber Resilience Act looks set to be the next step on that road, but it’s not without its critics. For instance, the open-source community is concerned that reporting obligations may be too expensive to implement for some developers, but it’s hoped that these issues will be ironed out before the Act passes into law.

How Reflectiz can help you comply

Reflectiz is the ideal web security platform to get your business ready for the Cyber Resilience Act. It protects your web app supply chain by mapping all your connected third-party components. We designed the platform with user-friendly controls to give you clear and comprehensive oversight of all your potential points of vulnerability, and it features risk-based, around-the-clock monitoring to deliver security alerts and block threats. Sign up today!
