Mattis van ’t Schip, PhD candidate, Radboud University
Image credit: Grafiker61, via Wikicommons Media
In our homes and across industries, the use of Internet of Things (IoT) devices is increasing. These devices integrate hardware and software elements (e.g., a ‘smart’ watch, a WiFi-connected security camera). The cybersecurity of these connected devices is a growing issue. In the ‘Mirai botnet’, hackers accessed thousands of devices and used them together to bring down websites and companies, while other attackers reached the cash registers of Target supermarkets by hacking into the retailer’s network-connected air-conditioning systems. As the Target hack shows, attackers can easily reach these devices because they are always connected, through WiFi or Bluetooth. Companies and consumers now use billions of IoT devices, which creates an expanding cybersecurity threat. The European legislator struggled with this cybersecurity issue for a long time, as existing legislation (e.g., product safety law) did not sufficiently cover the cybersecurity of IoT devices. A recent legislative proposal, however, now intends to close this legal gap.
On 15 September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA). The Cyber Resilience Act intends to protect the European Union’s market from insecure products. The Act addresses four central themes, according to Article 1:
1) rules for placing products with digital elements on the European Union’s market to ensure the cybersecurity of such products;
2) essential requirements for the design, development, and production of products with digital elements;
3) requirements for vulnerability handling processes by manufacturers to ensure cybersecurity throughout the whole lifecycle of products with digital elements; and
4) market surveillance and enforcement.
This blog post gives a short overview of the new rules on the cybersecurity of products with digital elements (points 1-3). First, I address the framework of the Act by focusing on its scope and cybersecurity provisions. Second, I briefly examine how the Act fits within, and adapts, the existing regulatory landscape for the cybersecurity of products with digital elements, especially Internet of Things devices.
Products with digital elements
The Cyber Resilience Act will apply to ‘products with digital elements’. Article 3(1) clarifies that such products can be software, hardware, and remote data processing solutions. The Act thus applies not only to software applications but also to certain hardware objects that are not traditionally seen as digital (e.g., routers, microcontrollers). A connected security camera is an example of a product with digital elements: it integrates a traditional camera system (the hardware) with software that, for instance, allows users to access the device’s camera from anywhere in the world.
The European Commission hints at IoT devices as the main focus of the Act, but these devices are not the only products in scope. The Commission includes two additional categories of products with digital elements, based on the ‘criticality’ of the products. All ‘critical products with digital elements’ are listed in Annex III and mainly comprise products that have privileged access to networks or perform security functions. For example, Annex III includes password managers, identity management software, and network monitoring systems. Such critical systems present a cybersecurity risk, according to Article 3(3), and therefore must adhere to stricter cybersecurity requirements, which I discuss below. An additional category exists for ‘highly critical products with digital elements’, which present even more serious cybersecurity risks (e.g., network management software used by energy providers).
The Commission can amend the list of critical and highly critical products based on the cybersecurity risks those products pose, according to Articles 6(2) and 6(5). Criteria for the assessment of those risks include whether the products have privileged access, control access to data, or perform critical trust-based functions in networks or security. The Commission uses additional criteria for highly critical products (e.g., the use of the product within critical sectors). (See also the NIS2 proposal for the cybersecurity requirements of devices employed in those sectors: Proposal for a Directive for a high common level of cybersecurity, which is about to be adopted.)
For all products with digital elements, the Cyber Resilience Act prescribes baseline cybersecurity requirements. Only products with digital elements that adhere to those requirements can be placed on the European market, similar to earlier IoT-related product rules such as the Radio Equipment Directive.
The cybersecurity requirements are listed in Annex I Section 1. The requirements must be met on the condition that devices are properly installed, maintained, used, and updated, according to Article 5(1). The provision is not clear on who should actually ensure these preconditions. The responsibility could shift between the manufacturer and the user depending on the action; for example, proper use is most likely a condition for the user, while proper maintenance is a condition for the manufacturer. Article 10(10) seems to indicate that the manufacturer must document the conditions under which the user can ensure proper installation, operation, and use. In a broader sense, these conditions could also mean that the user, for instance as part of proper installation, should change the default password of their device before using it.
In addition to the cybersecurity requirements, manufacturers must comply with certain vulnerability handling requirements, listed in Annex I Section 2. These vulnerability handling requirements address the large number of devices that do not receive sufficient updates during their lifecycle. Without sufficient updates, devices become security threats, as the manufacturers do not ‘patch’ the latest security issues.
Manufacturers must now provide regular security updates that address any vulnerabilities in their products. This obligation exists for the expected lifetime of the product, or up to five years, according to Article 10(6). In addition, the vulnerability handling processes are meant to ensure transparency about the vulnerabilities that manufacturers discover and patch. Here, the Commission aims to solve two problems: a lack of security updates for devices that manufacturers disregard (e.g., because they brought a newer device to the market) and a lack of transparency about vulnerabilities that the manufacturer or third parties find in their products. The latter can put devices from other manufacturers at risk. For example, if company Eppla finds a vulnerability in its Bluetooth protocol and patches it, this patch could help other companies, such as Geeglo, that use the same protocol. If Eppla is not transparent about the vulnerability, it might put Geeglo at risk of security breaches too.
Through the cybersecurity requirements and vulnerability handling processes, the Cyber Resilience Act thus addresses a broad range of cybersecurity-related issues.
The Cyber Resilience Act introduces product requirements to protect the European Union’s market. Therefore, most of its rules apply to manufacturers that bring devices to the Union’s market. In addition, the rules apply to other actors, including importers and distributors, if they place a product with digital elements on the market under their own name or trademark, or if they carry out a substantial modification of a product which is already on the market (Article 15). The same condition of a substantial modification applies to any natural or legal person (Article 16). The scope of the Act is thus broad: any entity that brings a product to the market, or modifies a product on the market to the extent that it can be considered a ‘new’ product, falls within the scope of the Act.
The rules of the Cyber Resilience Act mostly apply to manufacturers. Article 10 lists several of the most important obligations for manufacturers, and most of these obligations also apply to importers and distributors. Manufacturers must primarily ensure security-by-design (Article 10(2)). They must ensure this secure design by conducting a risk assessment for their device. Subsequently, the manufacturers must implement the results of that assessment throughout the entire production process of the device, from planning to delivery and maintenance. Manufacturers must include certain information in the technical documentation, including this risk assessment (Article 10(3)). The rules for technical documentation are part of a set of obligations for manufacturers to provide clear and intelligible information to users about different aspects of the device (Article 10(10)).
Finally, Article 10(14) includes an obligation for manufacturers to notify market surveillance authorities (a type of regulatory agency) and users of their product when they cease operations. This obligation might help mitigate a problem in the IoT industry where manufacturers who, for instance, go bankrupt or sell their company to a competitor disregard their existing devices on the market. As a result, consumers are left with devices that no longer receive regular updates or stop working entirely, and in some cases consumers are not even aware of this. Because manufacturers must now inform market surveillance authorities and users of this situation, the obligation can lead to a more secure end of service for existing devices on the market.
A new approach
The Cyber Resilience Act will contain the most important cybersecurity requirements for Internet of Things devices. Existing legislation does apply to the cybersecurity of Internet of Things devices, but only under particular criteria.
The closest piece of legislation to the Act is the Radio Equipment Directive (RED), a type of product safety legislation. The Directive establishes requirements for radio equipment before it can be placed on the Union’s market. The approach is thus quite similar to the Cyber Resilience Act: economic operators must comply with specific requirements before they can place their products on the market of the EU.
In terms of cybersecurity requirements, however, the Radio Equipment Directive is much more limited than the Cyber Resilience Act. The Directive contains two main cybersecurity requirements in Article 3(3): 1) radio equipment must ‘not harm the network or its functioning nor misuse network resources’ (3(3)(d)); and 2) radio equipment must contain safeguards to protect the personal data and privacy of its users (3(3)(e)). These cybersecurity requirements also apply to Internet of Things devices, pursuant to a recent Delegated Act from the Commission. These general cybersecurity requirements are much more limited than the list of requirements in the Cyber Resilience Act, which, crucially, also includes requirements for vulnerability handling processes. Recital 15 of the Act notes on these differences: ‘The essential requirements laid down by [the Cyber Resilience Act] include all the elements of the essential requirements referred to in [the Radio Equipment Directive].’ The Cyber Resilience Act, therefore, will be far more prominent than the Radio Equipment Directive concerning cybersecurity requirements for Internet of Things devices.
The Radio Equipment Directive is quite similar in its product safety provisions; it includes, for example, rules on technical documentation. However, the Cyber Resilience Act includes broader obligations for the manufacturer that focus on cybersecurity, for instance the requirement to notify the market surveillance authorities when they cease their operations. While, at first sight, the Directive might seem partially redundant given its similarities with the Act, the two pieces of legislation take different approaches. The Radio Equipment Directive focuses on rules that ensure radio equipment is safe, broadly speaking, when placed on the European Union’s market. These safety requirements are different from cybersecurity requirements. For instance, the Radio Equipment Directive requires devices to ensure access to emergency services, to accommodate users with certain disabilities, and to work with commonly used chargers. The Cyber Resilience Act, instead, focuses entirely on the cybersecurity of devices.
The foundation of the Cyber Resilience Act also differs from the General Data Protection Regulation, another relevant piece of legislation in the context of cybersecurity for Internet of Things devices. The GDPR applies to the processing of personal data, which only partially overlaps with the security requirements of the Act. The GDPR, foundationally, focuses on protecting people against misuse of their personal data. The Cyber Resilience Act, therefore, as with the Radio Equipment Directive, supports the aim of the GDPR through its cybersecurity requirements. The Cyber Resilience Act notes, in Recital 17, that ‘the essential cybersecurity requirements laid down in this Regulation, are also to contribute to enhancing the protection of personal data and privacy of individuals.’
The Cyber Resilience Act will provide a comprehensive framework for cybersecurity requirements, which supports the aims of similar legislation, such as the Radio Equipment Directive and the General Data Protection Regulation. Therefore, the Act gives substance to the growing number of cybersecurity requirements for Internet of Things devices in currently scattered pieces of legislation.
The Cyber Resilience Act offers a more comprehensive set of cybersecurity requirements for Internet of Things devices than existing legislation. Furthermore, its rules offer answers to many lingering questions on the security of IoT, such as what should happen when manufacturers cease their operations or when new vulnerabilities require updates from the manufacturer.
In relation to existing legislation, the Cyber Resilience Act will provide a comprehensive overview of cybersecurity requirements. Existing cybersecurity-related legislation often contained open norms and applied only to specific operations (e.g., personal data processing in the General Data Protection Regulation). The Cyber Resilience Act will support the aims of this related set of legislation, while offering the primary set of cybersecurity requirements that modern software and hardware must adhere to.