With the Cyber Resilience Act, or CRA for short, the EU Commission provides for new mandatory security requirements for products with digital elements. We spoke with Ferdinand Grieger, Chief Legal Officer (CLO) of DGC and Chairman of the Supervisory Board of DGC Germany AG, about the changes that manufacturers of hardware and software will face and why companies should focus on increased cyber resilience, regardless of industry or size.
What does Cyber Resilience mean and why is it important for companies?
There is no legal definition of cyber resilience, i.e., no meaning specified by law. Freely interpreted, the term can be understood as a company’s ability to withstand hacker attacks and to prepare for the failure of systemically important components. Business associations, insurance companies, policymakers, law enforcement and other serious opinion leaders agree that cybercrime poses the greatest threat to businesses. Therefore, it is critical for the success and survival of companies to be prepared for these threats and to build up appropriate cyber resilience.
The Cyber Resilience Act is intended to further enshrine IT security in law. What exactly is it about?
Behind the name Cyber Resilience Act is the draft regulation of the EU Commission: “CRA – Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020”.
The CRA is intended to complement existing legislation in the EU area, such as the NIS Directive or the European Cybersecurity Act. The aim of the new regulation is to protect companies and consumers who buy or use products or software with a digital component. Published on September 15, 2022, the draft is currently before the Council of Ministers and the European Parliament for consideration. Once adopted and published in the Official Journal of the European Union, the Cyber Resilience Act will enter into force, with transition periods of 12 and 24 months for the respective obligations.
Which companies are affected by the Cyber Resilience Act?
The Cyber Resilience Act addresses manufacturers of products with digital elements that are placed on the EU market and is intended to define binding cybersecurity requirements. It therefore affects manufacturers of hardware products, such as mobile devices and network equipment, as well as companies that develop software products. The draft law, however, covers not only the “classic” manufacturer in the sense of a producer, but also importers of products with digital elements who, for example, provide and distribute “white-label goods” under their own label. By contrast, manufacturers of medical devices and vehicle safety systems are exempt from the CRA.
What new legal obligations will these companies face?
The above-mentioned addressees of the regulation must observe certain requirements when offering products with digital elements. The requirements are different for manufacturers and importers. The most important new obligations are as follows:
Compliance with obligations throughout the value chain
Manufacturers are required by the CRA to comply with the cybersecurity requirements of the CRA during the planning, design, development, production and distribution phases of a product with digital elements. This is intended to mitigate security risks, prevent security incidents, and minimize the impact of security incidents, including those related to user health and safety, throughout the value creation process.
Continuous monitoring, provision of free updates & mandatory reporting
In addition, manufacturers must monitor their products throughout their lifecycle (the CRA refers to five years) and provide free updates if vulnerabilities occur. If an incident occurs that affects the security of a product with digital elements, the manufacturer must report it to the EU cybersecurity authority ENISA.
Cyber Resilience Act: change for companies with “critical products”
Further obligations apply to manufacturers of “critical products” for which a special conformity procedure is provided. According to Annex III of the CRA, critical products include two classes: Class 1 includes, among others, Internet browsers, antivirus programs, password managers, and VPNs. Class 2 includes, for example, card readers, desktops and mobile terminals, as well as all devices that rely on the Internet of Things (IoT).
Importers and distributors, on the other hand, must check whether or not the manufacturer complies with the requirements of the regulation. This obligation to check also covers the CE marking applied by the manufacturer.
What legal consequences must companies be prepared for in the event of violations?
Addressed companies must expect far-reaching legal consequences in the event of violations. The responsible regulatory authorities are authorized to impose fines of up to 15 million euros or 2.5 percent of the infringing company’s global sales. In addition, they can order inadequately protected products to be withdrawn from the market.
Decision-makers should generally keep an eye on possible liability risks – even beyond the CRA. If their own company falls victim to a cyber attack, senior management can be held liable with their private assets if they are not adequately protected.
What are the arguments for or even against the CRA bill?
The fact that attention is being paid to cyber security throughout the life cycle of a product with digital elements, and thus to its potential attack vectors for cyber criminals, is to be welcomed. Manufacturers are thus forced to address this issue. In the best case, it is to be expected that more resistant and more secure products will come onto the market in the future. If the CRA has its best possible effect, users of these products will benefit from a higher level of cybersecurity while using them.
It remains to be seen, however, what the actual implementation of the Cyber Resilience Act will look like and whether the effects that can be achieved with it are suitable for making cyber risks a controllable factor in the long term.
Cyber resilience is generally a mission-critical task – what should companies pay attention to here?
Companies, regardless of industry, size, or any regulation that applies to them, should take action on cybersecurity themselves and comprehensively. To put it bluntly, companies must be ahead of regulation by legislators in terms of time and quality. This is the only way to effectively avoid existence-destroying attacks and liability risks.
Companies need to make cybersecurity a top priority. The first step is to clarify the status quo of cyber security in the company, develop a coherent IT security concept and have the company protected by a kind of “digital watchdog”. Ideally, this is done through regular internal and external vulnerability scans with the help of a powerful IT security tool and emergency simulations through penetration tests. The human risk factor, i.e., the trend toward social engineering, must also be countered with security awareness training.
Why is it worthwhile to involve external expertise – and how does DGC support the strengthening of cyber resilience?
IT security managers should emphatically raise the issue of cybersecurity with company management and insist on sufficient budgeting. The fact that this is more necessary than ever is illustrated, among other things, by the current BSI Situation Report. When developing an individual IT security concept, it is always important to involve an external auditing body. Such outsourcing makes sense simply to avoid operational blindness. In the area of taxes and auditing, this system has been in place and proven for decades. No tax advisor is allowed to audit and certify his own financial statements.
Cooperation with external, experienced and competent service providers like DGC raises cybersecurity to a new level. The multiplication of manpower that a company gains for its cyber security by engaging DGC alone would hardly be economically feasible to achieve on its own. The know-how thus called upon, and constantly expanded through practical experience, is also an important factor towards greater cyber security.
Thank you very much for the interview.