EU Cyber Resilience Act and IoT Cybersecurity Obligations – The National Law Review

The Internet of Things (IoT) segment has grown, and with it have come many examples of vulnerable products, from babycams whose feeds could be viewed by strangers online to hackable implantable cardiac devices. There are also infamous examples of botnets (i.e., clusters of hacked devices) featuring millions of IoT devices with one common trait: weak security.
The U.S. has had in place both laws and standards designed to address data security. While there is a general obligation to secure data in the General Data Protection Regulation (GDPR), recent developments in Europe show a greater focus on security of information in general, not just personal data.
In 2020 in the United Kingdom, the British government announced that it would work on legislation to require compliance with security requirements or specific standards for consumer connected products. One of the requirements touted was, for instance, a prohibition on setting universal default passwords. This requirement, in turn, would trigger an obligation to ensure that all passwords within a connected device are unique and strong to avoid granting hackers easy access to millions of products once a default password has been cracked. The resulting Product Security and Telecommunications Infrastructure Bill, currently being considered by the House of Lords, will give the UK Secretary of State authority to impose specific security requirements for “internet-connectable” and “network-connectable” products or require compliance with a given standard.
In the European Union, the European Commission published a proposal for a “Cyber Resilience Act” on September 15, 2022, an EU Regulation “on horizontal cybersecurity requirements for products with digital elements.” This Regulation would require any manufacturer of a “product with digital elements” (i.e., “any software or hardware product and its remote data processing solutions”) to meet minimum cybersecurity requirements in order to place that product on the EU market.
The concept of a “product with digital elements” does not appear to be limited to combinations of hardware and software, as a number of the product categories listed in an annex to the draft Cyber Resilience Act are today purely “software” products, such as a wide range of cybersecurity tools. The scope of the Cyber Resilience Act is therefore not limited to IoT products.
The draft Cyber Resilience Act calls in effect for security by design by requiring manufacturers to design, develop, and produce products in accordance with cybersecurity requirements. Notably, manufacturers will be required to undertake an “assessment of the cybersecurity risks associated with [the] product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases […] with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents.” This echoes provisions of the draft “NIS 2” Directive (a proposal for a Directive “on measures for a high common level of cybersecurity across the Union”) as well as the principle of “data protection by design and by default” found in the GDPR.
Under the provisions of the draft Cyber Resilience Act, manufacturers will have reporting obligations in relation to actively exploited vulnerabilities on the one hand and security incidents on the other. They will be required to inform ENISA, the EU Cybersecurity Agency, of (i) “any actively exploited vulnerability” contained in the product and (separately) (ii) “any incident having [an] impact on the security” of the product, in each case “within 24 hours of becoming aware of it.” In addition, manufacturers will have to inform users of the incident “without undue delay and after becoming aware” of it. Beyond information regarding the incident, they would also have to inform users, “where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.”
Moreover, the draft Cyber Resilience Act requires manufacturers to carry out conformity assessment procedures, draw up technical documentation, and ensure that the product bears a relevant CE marking. The interrelationship between this document and existing conformity assessment procedures for products must be carefully evaluated.
The draft Cyber Resilience Act does not place the regulatory burden only on manufacturers. Importers and distributors involved in placing products on the EU market are subject to specific obligations as well, notably in relation to documentation and CE markings. An importer or distributor will moreover be subject to the full obligations of a manufacturer if, for example, the product is marketed under the importer/distributor’s name or trademark, or if the importer/distributor carries out “a substantial modification” of the product already placed on the market.
The security requirements themselves appear to be future-proof and technology-neutral; for instance, there is an obligation to ensure that products are “delivered with a secure by default configuration, including the possibility to reset the product to its original state” and that they are “designed, developed and produced to limit attack surfaces, including external interfaces.” In many ways, these requirements reflect the common principles underlying information security best practices. Products belonging to a “critical” category (which covers a wide range of categories, such as identity management systems, password managers, malware detection software, microcontrollers, operating systems, routers, smart meters, etc.) are subject to stricter rules, in particular a specific conformity assessment procedure.
The draft Cyber Resilience Act includes links to the draft AI Regulation as well (also under discussion at the Commission). If a product is classified as a “high-risk” AI system under the draft AI Regulation, compliance with the Cyber Resilience Act requirements will automatically be considered as compliance with the cybersecurity requirements under the AI Regulation.
As with other examples of recent legislation (from the GDPR to the Digital Markets Act and Digital Services Act), the draft Cyber Resilience Act includes tough penalties to ensure compliance, as non-compliance can lead to recall or withdrawal of the product from the market or another corrective action and can also lead to fines of up to 15 million EUR or 2.5% of the total worldwide turnover, whichever is higher. These fines are not the maximum risk for companies in case of non-compliance, though, as the draft Cyber Resilience Act explicitly states that it is “without prejudice to [the GDPR]” – which could lead to important questions of liability if a particular action or behaviour constitutes an infringement upon both sets of rules.
Now is the time to ensure that your information security practices are up to speed and that all levels within your organization are properly involved in devising, rolling out, and maintaining a strong cybersecurity strategy that takes into account all applicable legislation. Companies operating globally will, of course, also need to follow the relevant national policy and guidance as it develops.
About this Author
Peter Craddock counsels clients in the areas of privacy, data protection, cybersecurity, e-commerce, and software contracting in the European Union (EU) and worldwide. Peter assists clients in understanding data and technology matters and helps them comply with complex data privacy laws and regulations. His practice covers advisory work, contract drafting and negotiation, as well as representation of clients in litigation before data protection authorities or the courts. He also provides legal analyses to determine required reporting of potential security breaches in the…