A snapshot of the new EU proposed regulation on Cyber Resiliency
The EU has just unveiled its proposal on Cyber Resiliency which will also capture IoT. As set out in the Communication ‘Shaping Europe’s digital future’, it is crucial for the EU to reap all the benefits of the digital age and to strengthen its industry and innovation capacity, within safe and ethical boundaries. The EU in turn sets four pillars: data protection, fundamental rights, safety and cybersecurity, as essential pre-requisites for a society empowered by the use of data.
Following the New Legislative Framework, the new proposal on a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 will introduce cybersecurity requirements for ‘products with digital elements’ to be put on the EU internal market. Both hardware and software are included under the rationale that when everything is connected, everything is vulnerable. This new proposed regulation will be called the Cyber Security Resilience Act.
This proposed regulation lays down (a) rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products; (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity; (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes; (d) rules on market surveillance and enforcement of the above-mentioned rules and requirements.
This proposed regulation is coherent with the current product-related and risk-based approach in the recent EU regulatory framework, including the recent legislative proposal for a regulation on Artificial Intelligence. The same elements of conformity assessments, notified bodies and notifying authority as well as market surveillance authority also find their place in this proposed regulation. A dedicated administrative cooperation group (ADCO) is also being suggested for the uniform application of the Regulation.
The proposed regulation in turn will apply to all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The proposed regulation addresses risks in a targeted manner similar to what we find in the proposed AI Act. Critical products with digital elements shall be subject to specific conformity assessment procedures and shall be divided into class I and class II as set out in Annex III of the regulation, reflecting their cybersecurity risk level, with class II representing a greater risk. A product with digital elements is considered critical and therefore included in Annex III taking into account the impact of potential cybersecurity vulnerabilities included in the product with digital elements.
Let’s now touch briefly on some areas of non-applicability of the said proposed regulation. The proposed regulation does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements, understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. The proposed regulation will not apply to products with digital elements within the scope of Regulation (EU) 2017/745 (medical devices for human use and accessories for such devices) and Regulation (EU) 2017/746 (in vitro diagnostic medical devices for human use and accessories for such devices).
It will likewise not apply to products with digital elements that have been certified in accordance with Regulation 2018/1139 (high uniform level of civil aviation safety), nor to products to which Regulation (EU) 2019/2144 applies (on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles). It will likewise not apply to products with digital elements developed exclusively for national security or military purposes or to products specifically designed to process classified information.
Products with digital elements under the proposed regulation should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. Under the proposed regulation there is also a strong emphasis on avoiding overlap. As a matter of fact, we find specific provisions to dovetail with the proposed AI Act as well as with the Cybersecurity Act, which establishes a voluntary European cybersecurity certification framework for ICT products, processes and services. Some transitional measures are also being proposed.
So what are the next steps? It is now up to the European Parliament and the Council to examine the proposed Cyber Resilience Act. Once the proposal is adopted and enters into force, as the current draft stands, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the entry into force, since it requires fewer organisational adjustments than the other new obligations.
This article was written by Dr Ian Gauci.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.