In recent years, many laws and regulations on cybersecurity have been adopted, and more are coming, the Cyber Resilience Act amongst others. In this blog post, we clarify what the Cyber Resilience Act is and what impact it will have.
What is the Cyber Resilience Act?
The Cyber Resilience Act can be seen as a complement to the NIS Directive, and in the future, NIS2. The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. It tightens the requirements for information security in terms of confidentiality, integrity and availability.
The Cyber Resilience Act is intended to ensure that digital products placed on the market have sufficient cybersecurity. But what is a "product with digital elements", as the act calls it? In short, it means a software or hardware product together with its remote data processing solutions. By regulating the manufacturers, the aim is to limit the risk of cyberattacks against the users of the product.
What does the Cyber Resilience Act entail?
So far, no specific sectors or categories of products with digital elements have been singled out, but this may happen in the future. To show that a product complies with the regulation, it is to carry the CE mark.
In the development of, for example, software, the focus lies more on the design and development phases than on the production phase. The act covers the following points:
- Rules for putting products with digital elements on the market
- Cybersecurity requirements for design, development, and production of products with digital elements
- Requirements for handling vulnerabilities
- Rules on market surveillance
How can you follow the Cyber Resilience Act?
When manufacturing a product, the manufacturer must carry out a cybersecurity assessment of the product. This assessment should be taken into account during the design, development and production phases, as well as during delivery and maintenance. The aim is to minimise cybersecurity risks and to prevent incidents and their consequences.
It is also important to keep in mind that alterations can change the digital elements of the product, so you must make sure that any alteration still meets the requirements of the Cyber Resilience Act. The product should be secure and meet the criteria not only when it is placed on the market, but throughout its whole lifetime. The requirements on vulnerability handling and cybersecurity must therefore be adapted to the type of product being produced.
In short, cybersecurity must be considered throughout the product's whole lifecycle, from design to end of support and termination of the product.
Reporting and incidents
If a manufacturer of a product with digital elements becomes aware of an actively exploited vulnerability in the product, it must report the vulnerability without delay to the European Union Agency for Cybersecurity (ENISA), within 24 hours of becoming aware of it. If a manufacturer becomes aware of an incident that affects the security of the product, this must also be reported to ENISA within 24 hours. The manufacturer is also obliged to inform the users of the product about the incident and, where possible, suggest mitigating actions.
If you do not comply with the Cyber Resilience Act, you risk large penalties, up to 15 000 000 EUR. The size of the fine depends on the degree of non-compliance with the regulation, the severity of the consequences, the size of the manufacturer, and so on.