European Commission publishes draft Cyber Resilience Act – Data Matters Privacy Blog – Sidley Austin LLP




On 15 September 2022, the European Commission (“Commission” or “EC”) published a draft proposal for a Cyber Resilience Act (“CRA”). The CRA comes in response to the increasingly common occurrence of cyberattacks, with some predicting that the global cost of cyberattacks for companies will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. The CRA promises to transform the European cybersecurity landscape by harmonizing and bolstering cybersecurity rules across all products with “digital elements.” The Commission is currently inviting public feedback on the CRA through 18 November 2022. The draft will then pass to the European Parliament and the Council for debate and for amendments to be proposed.

What to do about the proposed CRA now?
Businesses that manufacture or distribute products that connect to a device or network should assess whether their products may be subject to the CRA and whether their business will be classified, for the purposes of the CRA, as a ‘manufacturer’, ‘importer’ or ‘distributor’, with the CRA imposing the largest burden on manufacturers (see further below). Furthermore, if firms determine that they may be subject to the CRA, they should consider their risk exposure, i.e., which category of risk their products would likely fall into under the CRA (the default category, or one of the classes of critical products listed in Annex III) and what steps they may need to take to comply with the CRA’s requirements. Finally, firms should continue to monitor developments on cybersecurity laws, both in the EU with the CRA and in other jurisdictions globally.
Significant Aims
On 1 March 2022, the Commission called for evidence and a public consultation on cybersecurity requirements in the EU. This exercise resulted in the Commission identifying two key risks with regard to digital products:
 
To address these concerns, the EC identified six key aims for the CRA: to (1) create conditions to produce hardware and software with fewer vulnerabilities; (2) create conditions which allow users to take cybersecurity into account when buying products; and more specifically, to (3) improve manufacturer cybersecurity; (4) ensure a coherent cybersecurity framework; (5) enhance transparency of security properties of products with digital elements; and (6) enable the secure use of digital products.
Broad Scope
The CRA would impose obligations on manufacturers, importers and distributors (collectively named ‘economic operators’), but would apply primarily to manufacturers. It would apply to all products placed on the EU internal market with “digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network” (Article 2). This would be regardless of where the manufacturer is based, so long as the product is made available on the EU market. The CRA sets out that the following products would not be in scope:
Services, e.g., Software-as-a-Service (“SaaS”), where software is provided on demand or via subscription and is centrally hosted (Recital 9).
Free and open-source software developed or supplied outside the course of a commercial activity (Recital 10). Note that the recital treats charging for technical support, monetizing other services through a software platform, or using personal data for purposes other than improving security as indicators of a commercial activity, so open-source software that is monetized in these ways, or that is integrated into a commercial product, would not benefit from this exclusion.
Certain products which are already covered by existing EU legislation, for example, medical devices already covered by the Medical Devices Regulation (Regulation (EU) 2017/745).
Risk-based Approach
Like the EU’s Artificial Intelligence Act (“AI Act”), the CRA would increase regulatory obligations based on the level of risk associated with the product. The categorization of products is as follows:
 
 
 
 
Key obligations
General obligations for manufacturers
Manufacturers would be required to design products (including both default and critical products) in line with the “essential cybersecurity requirements” (Section 1 of Annex I). Such “essential” requirements would include secure-by-default configurations, protection of the confidentiality of stored or transmitted data, and data integrity mechanisms. Article 10(12) of the CRA also includes recall and withdrawal obligations where a product is found not to conform to the requirements. In addition, manufacturers would be required to undertake a cybersecurity risk assessment and take it into account throughout the lifecycle of the product, to minimize cybersecurity risks and mitigate incidents (Article 10(2)). Manufacturers must also comply with the vulnerability handling requirements, including maintaining a “coordinated vulnerability disclosure policy” (Section 2 of Annex I). Finally, manufacturers would be required to complete a conformity assessment procedure to show that their products meet their regulatory obligations, draw up an EU “declaration of conformity,” and affix the CE marking.
Transparency obligations
Chapter II would require manufacturers to complete certain technical documentation and produce user instructions in a clear and intelligible form as set out in Annex II of the CRA.
Reporting obligations
Manufacturers would be required to notify ENISA (the European Union Agency for Cybersecurity) without undue delay and in any event within 24 hours of becoming aware of: (1) any actively exploited vulnerability contained in the in-scope product; and (2) any incident having an impact on the security of the in-scope product. The 24-hour clock runs from awareness, and the vulnerability trigger applies to vulnerabilities that are being actively exploited, not to every vulnerability a manufacturer discovers. These reporting obligations would extend to informing users where “necessary” of the incident, as well as of corrective measures they can take to mitigate its impact.
New national authorities
Member States would have a responsibility to designate “market surveillance authorities” to ensure the effective implementation of the CRA (Article 41). Further, Member States would be required to designate “notifying authorities” (Articles 26 and 27), which would be responsible for assessing and notifying the “conformity assessment bodies” that carry out the conformity assessment tasks referred to in Annex VI.
Penalties
The CRA would set a maximum fine of up to €15 million or up to 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with the essential cybersecurity requirements or with the manufacturer obligations in Articles 10 and 11. Breaches of other obligations could result in fines of up to €10 million or 2% of global turnover in the preceding financial year, whichever is higher. Supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities could attract fines of up to €5 million or 1% of global turnover in the preceding financial year, whichever is higher.
The rules on penalties would be laid down by Member States within these maximums, but the draft provides that, in deciding the amount of a fine, account should be taken of the “nature, gravity and duration of the infringement and of its consequences” and of “the size and market share” of the relevant operator.
Interplay with other EU legislation
It remains to be seen how the CRA will interact with other pieces of forthcoming EU legislation, including the AI Act (high-risk AI systems under the AI Act that are subject to the CRA and meet the CRA’s essential requirements would be deemed to comply with the cybersecurity requirements of the AI Act), the Data Act (which aims to ensure fairness in the data environment, increase data accessibility, and create a harmonized framework for industrial data sharing) and the Cybersecurity Act (which strengthens the role of ENISA and establishes a European cybersecurity certification framework focused on ICT products).
Implementation period
The European Parliament and the Council will now examine the CRA and propose any amendments as part of the next stage in the legislative process. Once adopted, the current draft provides for a 24-month implementation period before most obligations apply, although manufacturers would become subject to the reporting obligations 12 months after the CRA enters into force.