The Cyber Resilience Act ("CRA") regulates cyber security at the product level and, in short, sets security requirements for products with digital elements. With the CRA, the EU is the first worldwide to introduce legislation mandating a minimum level of security for such products.
We previously wrote an overview blog on the CRA, in which we discussed the purpose, nature, scope and obligations for market participants under the CRA. In this blog, we take a closer look at the provisions surrounding software and the obligations for software manufacturers.
Central to the scope of the CRA are products with digital elements. Such a product is defined as "a software or hardware product and its remote data processing solutions, including software or hardware components marketed separately" (Art. 3(1) CRA). This includes (i) marketed products whose purpose or foreseeable use involves a direct or indirect logical or physical connection to a device or network and (ii) separately marketed components.
Software that is commercially marketed as a product is also a product with digital elements. Examples include mobile apps, an Enterprise Resource Planning (ERP) software package that allows companies to manage business processes, and Internet-of-Things applications, where physical devices receive, collect and share data via an Internet or network connection. The requirement that a product be marketed means that software applications developed solely for internal purposes, such as a unique proprietary Customer Relationship Management (CRM) application, are not covered by the CRA.
Software-as-a-Service ("SaaS") is also not itself within the scope of the CRA, as it is a service and the CRA looks at products. For individual SaaS applications, the CRA specifically refers to the NIS2 Directive. A SaaS application that is essential to the functionality of a product with digital elements, for example to remotely adjust an industrial machine, does fall within the scope of the CRA (recital 12 CRA). Thus, a link to a product is always required before the CRA applies to SaaS.
As the reliance on products with digital elements continues to grow worldwide, so do the risks associated with the software that powers those products. Vulnerabilities in software can lead to data breaches, cyber attacks and even disruptions to critical infrastructure. The CRA therefore introduces harmonized security requirements and sets strict rules for manufacturers, developers and distributors of products with digital elements. While harmonized standards already exist in other industries such as toys, cosmetics and medical devices, this is new for the software industry.
This blog focuses only on the manufacturer, i.e. the (legal) person who designs, develops or manufactures products with digital elements, or causes such products to be designed, developed or manufactured, and markets them under his own name or trademark, whether in return for payment, with a revenue model or free of charge (Art. 3(13) CRA). Software suppliers may fall under the CRA as manufacturers if they develop and distribute software (or cause it to be developed) as an independent product and market it commercially under their own name or trademark.
We already briefly discussed the obligations for market participants in our earlier blog; the most stringent and comprehensive obligations apply to manufacturers. In short, these obligations mean that manufacturers can no longer launch a product without regard to security and leave its security to later updates (launch-and-forget). Instead, they must meet security requirements in advance, before a product is allowed on the market (ex ante), and must also continue to take security measures throughout the life cycle of a digital product (ex post).
Manufacturers may only market a product with digital elements if the product meets the essential security requirements listed in Appendix I of the CRA. Products, including certain types of software, must be designed, developed and manufactured so as to ensure an appropriate level of cyber security (security by design). For example, software must be shipped with the highest possible security settings as default settings, without the user having to take (additional) steps to enable them himself (security by default), and automatic security updates must always be turned on. The CRA thus forces manufacturers to incorporate cybersecurity into digital products from the design phase, mitigate cyber risks and only market software without known, exploitable vulnerabilities (Art. 13(1) and (2) CRA).
Products with digital elements must further include adequate secure authentication and authorization, in particular so that unauthorized access is restricted. In addition, the availability of essential and basic functions must be properly guaranteed, in particular against DDoS attacks, in which a server, network or website is flooded with traffic so that it becomes inaccessible to users. (Personal) data must be well protected, for example by using encryption, and data minimization must be applied to sensitive (personal) data. Furthermore, users must have the ability to safely and easily delete certain (personal) data and settings and to transfer them to other products or systems.
A manufacturer's obligations do not stop once a product with digital elements is placed on the market in compliance with security requirements. The manufacturer must assess cyber risks, test and evaluate the security of products, provide security updates, and address vulnerabilities during the expected useful life of a product (the "support period") (Art. 13(8) and 19 CRA).
This duty of care also applies to manufacturers who integrate third-party components into their software (Art. 13(5) and (6) CRA). For example, a manufacturer must verify whether a component (i) is already CE marked, (ii) receives regular security updates, (iii) is free of vulnerabilities according to public databases, and (iv) requires additional security testing. The duty of care also applies to open source software components, whose source code is publicly available for modification by third parties (Art. 13(5) CRA). Manufacturers integrating such components into their software are responsible for the security of these components and for implementing security updates.
Manufacturers must further keep documentation on cyber security risks for at least 10 years to demonstrate compliance with the CRA (Art. 13(3), (7) and (13) CRA). In addition, contact information must be included on products (Art. 13(16) CRA) and in the user instructions, which must include information for secure installation (Art. 13(18) CRA). Compliance with the CRA must be demonstrated by CE marking (Art. 13(12) CRA). Importers and distributors may only market products with digital elements that bear the CE mark, and only if the manufacturer has complied with its other obligations under the CRA.
Software may not be released with known exploited vulnerabilities (Art. 13(6) CRA). A vulnerability is defined in the CRA as ''a weakness, susceptibility or defect of a product with digital elements that can be exploited by a cyber threat'' (Art. 13(40) CRA).
Manufacturers should have a policy on the disclosure of (potential) vulnerabilities in the product with digital elements so that vulnerabilities can be addressed and remedied. Both vulnerabilities and serious incidents are also subject to strict reporting requirements. Manufacturers must report any actively exploited vulnerability in a product with digital elements and any serious incident to the Cyber Security Incident Response Team (CSIRT) and to the European Network and Information Security Agency (ENISA). An early warning must follow within 24 hours of becoming aware, a detailed report within 72 hours, and a final report within 14 days to one month (Art. 14(2), (3) and (4) CRA).
The CRA requires long-term responsibility for the cybersecurity of products with digital elements, including commercially marketed software. Commercializing software "as is," without any maintenance obligations, is no longer possible for software vendors. Responsibility for the security of products with digital elements applies throughout their life cycle, with strict requirements for maintenance and updates.
It is clear that software vendors, regardless of size, will face significant obligations to comply with the new regulations. Non-compliance could subject manufacturers to fines of up to €15 million or 2.5% of their total global annual sales, as we mentioned in our earlier blog. Do you have questions or need support navigating these complex regulations? If so, please contact us.