On 15 September 2022, the European Commission (“Commission” or “EC”) published a draft proposal for a Cyber Resilience Act (“CRA”). The CRA comes in response to the increasingly common occurrence of cyberattacks, with some predicting that the global cost of cyberattacks to companies will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. The CRA promises to transform the European cybersecurity landscape by harmonizing and bolstering cybersecurity rules across all products with “digital elements.” The Commission is currently inviting public feedback on the CRA through 18 November 2022. The CRA will then pass to the European Parliament for debate and for amendments to be proposed.
What to do about the proposed CRA now?
Businesses that manufacture or distribute products that connect to a device or network should assess whether their products may be subject to the CRA and whether their business will be classified, for the purposes of the CRA, as a ‘manufacturer’, ‘importer’ or ‘distributor’, with the CRA imposing the largest burden on manufacturers (see further below). Furthermore, if firms determine that they may be subject to the CRA, they should consider their risk exposure, i.e., which category of risk their products would likely fall into under the CRA and what steps they may need to take to comply with the CRA’s requirements. Finally, firms should continue to monitor developments in cybersecurity law, both in the EU with the CRA and in other jurisdictions globally.
On 1 March 2022, the Commission called for evidence and a public consultation on cybersecurity requirements in the EU. This exercise resulted in the Commission identifying two key risks with regard to digital products:
To address these concerns, the EC identified six key aims for the CRA: to (1) create conditions to produce hardware and software with fewer vulnerabilities; (2) create conditions which allow users to take cybersecurity into account when buying products; and more specifically, to (3) improve manufacturer cybersecurity; (4) ensure a coherent cybersecurity framework; (5) enhance transparency of security properties of products with digital elements; and (6) enable the secure use of digital products.
The CRA would impose obligations on manufacturers, importers and distributors (collectively named ‘economic operators’), but the bulk of the obligations would fall on manufacturers. It would apply to all products placed on the internal market of the EU with “digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network” (Article 2). This would apply regardless of where the manufacturer is based, so long as the product is sold within the EU or to EU-based customers. The CRA sets out that the following products would not be in scope:
Services, e.g., Software-as-a-Service (“SaaS”), where software is provided on demand or via subscription and is centrally hosted (Recital 9).
Free and open-source software developed outside the course of commercial activity (Recital 10).
Certain products which are already covered by existing EU legislation, for example, digital medical devices already covered by Regulation (EU) 2017/745 (the Medical Devices Regulation).
Like the EU’s Artificial Intelligence Act (“AI Act”), the CRA would increase regulatory obligations based on the level of risk associated with the product. The categorization of products is as follows:
General obligations for manufacturers
Manufacturers would be required to design products (including default and critical products) in line with the “essential cybersecurity requirements” (Section 1 of Annex I). These “essential” requirements would include secure-by-default configurations, protection of confidentiality, and data integrity mechanisms. Article 10(12) of the CRA also includes corrective-measure obligations, up to and including product withdrawal or recall, where a manufacturer becomes aware that a product does not conform to the requirements. In addition, manufacturers would be required to undertake a cybersecurity risk assessment throughout the lifecycle of the product to minimize cybersecurity risks and to mitigate incidents (Article 10(2)). Manufacturers would also have to handle vulnerabilities in accordance with the vulnerability handling requirements, including through a “coordinated vulnerability disclosure policy” (Section 2 of Annex I). Finally, manufacturers would be required to complete a conformity assessment procedure to show that their products meet their regulatory obligations, and to draw up a “declaration of conformity.”
Chapter II would require manufacturers to complete certain technical documentation and produce user instructions in a clear and intelligible form as set out in Annex II of the CRA.
Manufacturers would be required to notify ENISA (the European Union Agency for Cybersecurity) without undue delay and in any event within 24 hours of becoming aware of: (1) any actively exploited vulnerability contained in the in-scope product; and (2) any incident having an impact on the security of the in-scope product. These reporting obligations would extend to informing users of the incident, where “necessary,” along with corrective measures to mitigate its impact.
New national authorities
Member States would be responsible for designating “market surveillance authorities” to ensure the effective implementation of the CRA (Article 41). Further, Member States would be required to designate “notifying authorities,” responsible for assessing and notifying conformity assessment bodies (Articles 26 and 27), and those “conformity assessment bodies” would carry out the conformity assessment tasks referred to in Annex VI.
The CRA would set a maximum fine of up to €15 million or up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with the essential cybersecurity requirements or the manufacturer obligations. Breaches of other obligations could result in fines of up to €10 million or 2% of worldwide annual turnover for the preceding financial year, whichever is higher. Providing incorrect, incomplete or misleading information to notified bodies and market surveillance authorities could attract fines of up to €5 million or 1% of worldwide annual turnover for the preceding financial year, whichever is higher.
The rules on penalties would be left to Member States to lay down within these maxima, but the draft provides that due regard should be given to the “nature, gravity and duration of the infringement and of its consequences” and to “the size and market share” of the relevant operator.
Interplay with other EU legislation
It remains to be seen how the CRA will interact with other pieces of forthcoming EU legislation, including the AI Act (high risk systems under the AI Act which are subject to the CRA and meet essential requirements under the CRA will be deemed in compliance with cybersecurity requirements under the AI Act), the Data Act (which aims to ensure fairness in the data environment, increase data accessibility, and create a harmonized framework for industrial data sharing) and the Cybersecurity Act (which strengthens the role of ENISA and establishes a European cybersecurity certification framework which focuses on ICT products).
The European Parliament and the Council will now examine the CRA and propose amendments as the next stage in the legislative process. Once adopted, the current draft CRA provides for a 24-month implementation period, although manufacturers would be subject to the reporting obligations one year after the CRA enters into force.