The European Cyber Resilience Act explained – how it impacts your business
Posted on September 5, 2023 by Louise Howland
On the 15th of September 2022, the European Commission published its proposal for new regulation regarding cybersecurity requirements for products with digital elements (such as smart fridges, cameras, TVs and toys) placed on the market across the EU. As of July 2023, it was approved. It aims to ensure greater security around hardware and software products. But, how does this impact businesses across the UK? Read on to discover exactly what the EU Cyber Resilience Act means for your business.
What is the EU Cyber Resilience Act?
The European Cyber Resilience Act sets cybersecurity requirements for “products with digital elements” that are placed and sold on the EU market. It also covers any non-embedded software or hardware components that are sold separately.
Essentially, the Act details the approach manufacturers must take when creating products with digital elements, including both hardware and software. Products affected by these changes range from digital refrigerators to baby monitors and are typically the objects everyday consumers may use. It’s designed to protect those who could be most vulnerable to a cybersecurity risk.
This legislation was proposed on the 15th of September 2022 by the European Commission and was approved in July 2023.
What does this Act cover?
The legislation will apply to those companies that manufacture or place products with digital elements on the EU market. In the case of UK companies, it can apply to both manufacturers and importers or resellers of such hardware and software, especially those with operations within the European Union. Different rules will apply to specific sectors such as defence, motor vehicle and medical sectors.
Beverley Flynn, Head of Data Protection and Cybersecurity at law firm Stevens & Bolton, commented, “Whilst this legislation stems from the EU it is indicative of the more regulatory approach to ensuring that Cyber security remains firmly on the agenda when manufacturing, designing and selling products. It will be interesting to see what the UK brings to the arena on this point.”
Cyber resiliency describes an organisation’s ability both to protect against and to recover from cyberattacks, and the EU’s Cyber Resilience Act looks to support businesses in this. The Act strives to equip businesses for the whole life of the product, from inception, design and production through to maintenance, in order to reduce cyber risks.
The four key objectives set out by the European Commission are to:
- Enable manufacturers to improve the security of products with digital elements. This must start at the design stage, continue through development and apply throughout the product’s entire lifecycle.
- Guarantee a cybersecurity framework that’s coherent and can facilitate compliance for both hardware and software creators and producers.
- Provide enhanced transparency around security properties for products that feature digital elements.
- Ensure both businesses and consumers can securely use products with digital elements.
The EU Cyber Resilience Act aims to address potential weaknesses in the ongoing life cycle of a product. It should cover hardware or software updates as well as new releases to market. Manufacturers will need to consider cybersecurity requirements from the commencement of the product development phase through to when the customer receives the product or service.
Beverley Flynn, a legal expert on the issue, suggests “that the legislation is not prescriptive in its detail, but more resolution focused with requirements in respect of items not dissimilar to those anticipated by the General Data Protection regime for personal data. Including:
- Cyber security risk assessments
- Due diligence
- Conformity assessments of product vulnerability handling requirements
- Mandatory recall obligations
- Incident reporting to the EU Agency for Cybersecurity (ENISA)
- Appointment of authorised representatives”
Why has this Act come into place?
Cybercrime is continuing to rise across the globe, and cyber resiliency is offering both governments and organisations a way to strengthen their defence against ever-evolving threats.
This Act is also reflective of the European Commission’s movement Shaping Europe’s Digital Future. The aim is to ensure that Europe ‘seizes the opportunity and gives its citizens, businesses and governments control over the digital transformation.’
The EU Cyber Resilience Act cements this vision by providing a foundation for safe use in the digital space, acting as building blocks to ensure that all digital opportunities for businesses and beyond can be utilised.
How does the EU Cyber Resilience Act impact UK businesses?
Now that we know what the EU Cyber Resilience Act is, you may be asking the question: How does it impact UK businesses?
UK’s cybersecurity laws
As it stands, there are three prominent laws in the UK to be aware of when it comes to cybersecurity:
UK Computer Misuse Act 1990
First passed over 30 years ago, the Computer Misuse Act 1990, together with the Data Protection Act 1984, was one of the first laws in the UK that sought to make malicious attacks or offences against computers, such as malware and hacking, illegal.
UK General Data Protection Regulations and the Data Protection Act 2018
Whilst not strictly cybersecurity-focused, the UK GDPR and the Data Protection Act 2018 undoubtedly have a bearing on cybercrime law here in the UK. Together they are currently the predominant data protection law in the country. The DPA 2018 derives from European Union law, the General Data Protection Regulation, and acts as the UK’s equivalent of it.
The Network & Information Systems (NIS) Regulations
These create a common level of security for network and information systems, aiming to address the threats posed to them from a range of areas, most notably cyber-attacks. Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.
NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). This guide provides details about the requirements NIS places on RDSPs. Although aimed at RDSPs, it may also be useful for OES.
UK Cybersecurity Laws – The verdict
Businesses trading overseas will need to be sure that all product requirements, data collection and protection in place are compliant with the country they are trading in.
Similarly, when dealing with supply chains in the EU, UK organisations will need to ensure that any products placed on the market are handled appropriately in line with both UK and EU law.
The future of UK cybersecurity law
The UK’s Computer Misuse Act was put in place over three decades ago, with the Network & Information Systems (NIS) Regulations following in 2018. Both technology and cybercriminal behaviour have continued to adapt and advance, and cybersecurity laws are continually trying to keep up.
Both the Shaping Europe’s Digital Future and Cyber Resilience Act are symbolic of a global movement towards cyber resiliency. As it stands, the UK’s Computer Misuse Act 1990 doesn’t account for these subtleties and the fast-changing world of cybersecurity continues to throw challenges its way.
Take ethical hacking, for example. Like penetration testing, ethical hacking is undertaken to understand weak points in a network where a cybercriminal might take the opportunity to attack. An ethical hacker and an unethical hacker would technically use the same techniques and processes, but there is a big difference in the intent of their act.
The Computer Misuse Act doesn’t currently take this into account, but with the CyberUP campaign putting pressure on the government to update UK cybersecurity legislation to include a statutory defence, we might see a change here.
Perhaps the UK’s cybersecurity law needs to be reassessed in light of this Cyber Resilience Act. In fact, if it proves successful across the EU, there’s a chance it could be considered for the UK market. It might also be more cost-effective for manufacturers to produce UK and EU-based products to these cybersecurity requirements.
If you want to stay ahead when it comes to cybersecurity, ramsac’s Cyber Resilience Certification will assess your organisation’s position against cybercrime, proving to your customers and stakeholders just how seriously you take their data protection. Contact us today to get started.