EU Cyber Resilience Act: What You Need to Know

The E.U. Cyber Resilience Act was enacted on Dec. 10. This legislation impacts all manufacturers, distributors, and tech importers that connect to other devices or networks operating in the bloc.

Examples of applicable products include smart doorbells, baby monitors, alarm systems, routers, mobile apps, speakers, toys, and fitness trackers. Those that comply with the legislation will have a CE label, which indicates the device meets E.U. standards for health, safety, and environmental protection, allowing consumers to consider security in purchasing decisions.

The Act aims to clarify and cohesively enforce existing cyber security regulations so that all devices sold in the E.U. meet a baseline level of protection. It obligates tech manufacturers, importers, and distributors to provide security support and updates.

“Digital hardware and software products constitute one of the main avenues for successful cyberattacks,” the official Act website reads. “In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes.”

Examples of incidents where the security of products with digital elements have been exploited include the WannaCry ransomware, Pegasus mobile phone spyware, and Kaseya VSA supply chain attack.

“Before the European Cyber Resilience Act, the various acts and initiatives taken at Union and national levels only partially addressed the identified cybersecurity related problems and risks, creating a legislative patchwork within the internal market,” the Act’s website reads.

The legislation includes security requirements for all stages of a product’s lifecycle, from its design and development to production, deployment, maintenance, and eventual disposal. While the Act has now entered force, many obligations will apply in stages, with the majority being required by Dec. 11, 2027.

SEE: NIS 2 Compliance Deadline Arrives: What You Need to Know

The Product Security and Telecommunications Infrastructure Act, which came into force in April, holds internet-of-things device manufacturers, importers, and distributors in the U.K. to a similar standard. In the country, devices must each come with a unique password, the duration of its security support, and a way of reporting security issues, at minimum.

Who must comply with the Cyber Resilience Act?

Any company that manufactures, distributes, or imports products with digital components must comply with the Act. These include:

• Security and access management systems: privileged access management software and hardware, password managers, biometric readers, etc.
• Software applications: browsers, VPNs, etc.
• Network and security systems: firewalls, security information, event management systems, etc.
• Core hardware and components: routers, modems, microprocessors, etc.
• Operating systems and virtualisation: operating systems, boot managers, hypervisors, etc.
• Public key and certificate management: public key infrastructure, digital certificate issuance software, etc.
• Smart devices and IoT products: smart assistants, smart door locks, baby monitors, alarm systems, internet-connected toys with interactive features such as location tracking or filming, wearables for children, health monitoring, etc.
• Hardware with advanced security functionalities: hardware with security boxes, smart meter gateways, smartcards, etc. These are considered “critical” products so they will be subject to more frequent security updates and enhanced vulnerability management measures. They must also have a European cybersecurity certificate at an assurance level at least “substantial.”

Exceptions may be made for devices that are subject to cybersecurity requirements in other legislation, such as medical devices, aeronautical devices, and cars. For a full list, see Annex III and IV of the Act.

SEE: Data (Use and Access) Bill: What Is It and How Does It Impact UK Businesses?

What are the requirements of the Cyber Resilience Act?

For manufacturers

• Patch vulnerabilities in the product for at least five years or its lifespan, whichever is shorter.
• Maintain technical files that prove compliance at every stage, including designs (security must be “by design and by default”), manufacturing details, and conformity assessments.
• Affix the CE mark to compliant products and ensure accurate instructions are available in the target markets’ languages.
• Exploited vulnerabilities must be reported to the European Union Agency for Cybersecurity, ENISA, and designated Incident Response Team within 24 hours of discovery. A vulnerability notification must also be sent out within 72 hours and a final report within either 14 days or a month.
• Notify users and market surveillance authorities if the company ceases operations.

For importers

• Ensure products comply with regulations by verifying the manufacturer’s documentation.
• Keep technical documentation and declarations of conformity available for at least ten years after the product’s release.
• Report non-compliant or risky products to manufacturers or relevant authorities.

For distributors

• Verify the manufacturer’s or importer’s documentation before putting products on the market to ensure compliance with regulations.
• Ensure storage and transportation conditions do not compromise product compliance.
• Maintain records of suppliers and customers to facilitate recall or other safety actions.
• Report non-compliant or risky products to the manufacturer or importer.

If the importers or distributors place the product on the market under their own name or trademark, or if an individual makes substantial modifications and then makes it available on the market, they will also be subject to manufacturer-level obligations.

How will the Cyber Resilience Act be enforced?

The E.U. Cyber Resilience Act will primarily be enforced through conformity assessments and market surveillance. Most assessments can be performed in-house, while critical products should be assessed by accredited third parties. Procedures also vary by product risk level. National Market Surveillance Authorities will monitor compliance through inspections, testing, and checking documentation.

What are the penalties for non-compliance?

Manufacturers that do not comply with the Act shall be subject to administrative fines of up to €15,000,000 or up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Importers and distributors that do not comply with the Act shall be subject to administrative fines of up to €10,000,000 or up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Recalls and bans may also be used as corrective actions.

Criticism of the Cyber Resilience Act

Not everyone is content with the Cyber Resilience Act. In 2023, 34% of global CISOs and cyber security leaders said legislation was a top stressor for them, specifically citing the E.U. Cyber Resilience Act.

Harley Geiger, counsel and data protection law specialist at Venable LLP, says that the legislation will make the E.U. as impactful to cyber security as “the GDPR was to privacy.” However, he is concerned about the requirement that companies must disclose exploited vulnerabilities within 24 hours of their discovery.

Geiger told TechRepublic in 2023: “The concern with this is that within 24 hours, the vulnerability is not likely to be patched or mitigated at that point. What you may have then is a rolling list of software packages with unmitigated vulnerabilities being shared with potentially dozens of E.U. government agencies.”

In other words, he explained that ENISA would share it with the computer security readiness teams of the member states involved and the surveillance authorities.

“If it’s E.U.-wide software, you are looking at more than 50 government agencies that could potentially be involved. The number of reports coming in could be voluminous,” he told TechRepublic. “This is dangerous and presents risks of that information being exposed to adversaries or used for intelligence purposes.”