Cybersecurity Score – European Union (EU) Cyber Resilience Act

Table of Contents

• Summary
• Rating – cyber concerns exist
• Key Provisions
• Background
• Key Takeaways
• Cybersecurity Analysis
• Recommendations
• About the Cybersecurity Score Project

Bill Summary

European Union (EU) Cyber Resilience Act. Seeks to create conditions for the development of secure digital products and to improve cybersecurity awareness among digital product users.

Cybersecurity Score Rating

Rating: Cyber concerns exist. Requirements in this bill have the potential to create unintended cyber consequences and/or allow threat actors to capitalize off of reported cybersecurity vulnerabilities. Legislation is undergoing “trilogue” negotiations toward a second reading by the European Parliament. (Last updated: Oct. 23, 2023)

Key Provisions

• Stipulates conditions for securely developing products with digital elements (e.g., connected devices, Internet of Things devices, mobile devices) and means to address vulnerabilities that arise throughout a product’s lifecycle.
• Generates criteria that allow users to consider cybersecurity when selecting and using products with digital elements.
• Outlines specific areas for manufacturers and developers to improve cybersecurity and reduce the incidence of cyberattacks.
  • Risk assessment: Conduct risk assessments to address exploitable vulnerabilities, ensure secure-by-default configuration and limit attack surfaces
  • Documentation: Document product design, development and production; cybersecurity risk assessments; and declarations of conformity to EU standards
  • Conformity assessment: Conduct independent or self-assessments of conformance to the Act’s requirements 
  • Vulnerability reporting: Mandate reporting of cybersecurity incidents and vulnerabilities within 24 hours of discovery
• Specifies timeline to comply. (Failure to comply could result in fines or restrictions/prohibitions on product or service availability in the market.)
  • Mandates adherence to cybersecurity development standards within 40 months of the law’s passage 
  • Mandates timely security support and software updates to address vulnerabilities within one year after the law’s passage

Background

The European Commission (the EU’s executive body) proposed the Cyber Resilience Act (CRA) in September 2022 with the aim to formulate common cybersecurity standards for network-connected hardware and software products. This legislation is the EU’s attempt to stymie the proliferation of cyber incidents affecting public and private entities across Europe by improving poor cybersecurity hygiene and development practices.

The CRA attempts to shift the burden of ensuring cybersecurity from end users to the companies that develop and manufacture software and hardware. Legislators argue that developers are best suited to mitigate and address cyber vulnerabilities and that it is easier to mitigate vulnerabilities as a developer than an end user. Similar concepts have been proposed by U.S. government entities, including the Cybersecurity and Infrastructure Security Agency’s Secure by Design and Secure by Default principles and elements of the White House’s National Cybersecurity Strategy.

The CRA aims to achieve four specific objectives to improve the cybersecurity posture of digital consumers, businesses and government entities:

• Ensure that manufacturers improve the security of products with digital elements in the design and development phase and throughout the whole lifecycle.
• Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
• Enhance the transparency of security properties of products with digital elements.
• Enable businesses and consumers to use products with digital elements securely.

Key Takeaways

The bill encompasses the entire lifecycle—from design to development to production—of essentially all network-connected devices and software. This expansive reach could significantly impact private industry’s ability to innovate and may disproportionately burden any individuals, nonprofits or other entities that develop or support devices and software. While the CRA has the potential to improve Europe’s cybersecurity posture, industry groups and concerned practitioners have criticized multiple aspects of the legislation including Software-as-a-Service exclusions, end-of-life software considerations, challenges associated with open-source software and guidance on software bills of materials, or SBOMs. This analysis is non-exhaustive, but is intended to provide an overview of cyber concerns, such as: 

• Vulnerability notification concerns: Requiring companies to notify the European Union Agency for Cybersecurity (ENISA) of any cyber incidents and vulnerabilities within 24 hours of becoming aware of them—and take measures to resolve them—could disproportionately burden companies and allow threat actors to target these newly reported vulnerabilities for exploitation.
• Compliance concerns: Direct compliance costs for businesses (e.g., security requirements, information obligations, documentation, testing, reporting) are expected and will vary depending on their offerings. Similarly, there will be compliance costs for public authorities to conduct enforcement and information collection and dissemination.
• Global implications: Importers and distributors of technology products will have to verify their products’ conformance to the bill’s requirements, which could hamper technology rollout in Europe. Additionally, businesses will have to ensure compliance not only with the CRA, but with other countries’ cybersecurity laws and regulations as well.