Products with digital elements (the Internet of Things, IoT) have become a big part of our daily lives, both personal and professional. Countless companies integrate IoT into their products and build services on top of these devices. Because such products process large amounts of information, a high level of security is essential. With the proliferation of ransomware and other security breaches in the past few years, many companies have already paid the price for inadequate security.
In response to growing threats to the IoT, the European Parliament passed a new Cyber Resilience Act on March 12th of this year. The regulation imposes security requirements on products with digital elements. These products can be anything from smart watches and ventilation systems to firewalls and other software. The aim is to increase security for end users, but manufacturers, importers and distributors will need to comply with several new requirements.
The regulation will have particularly tough consequences for companies that supply physical products or software in the EEA. Cybersecurity has been a priority area for the EU lately, and companies that violate the new regulation risk substantial fines. Manufacturers can be fined up to 2.5% of their annual turnover or €15 million, whichever is greater. For most other violations, fines are capped at 2% of annual turnover or €10 million.
Which products are covered?
The regulation covers a wide range of products and sorts them into categories based on risk. The “important products” category includes browsers, password managers, doorbells, baby monitors, Wi-Fi routers, identity management systems, biometric readers, smart home assistants, private security cameras, robot vacuums, alarm systems, microprocessors and controllers with security features, and some internet-connected toys. The “critical products” category includes safes, smart meters, and smart card devices.
Suppliers need to know six key points:
1. Product security must be proportionate to risk. Manufacturers, importers and distributors (collectively, suppliers) who market products under their own name must comply with the mandatory essential security requirements. The core requirement is that security measures must be adapted to the product's risk level. In particular, products must be delivered without known exploitable vulnerabilities, default settings must be secure, and products must be protected against unauthorized access.
2. Updates must be made continuously. A key requirement in practice is to update the software of a product to maintain (or improve) its security. For example, insufficient security in a control system has allowed criminals to gain access to computer networks through ventilation systems. Suppliers of such systems are obliged to update their software to fix security holes.
3. 10 years of support. Support must cover the product's whole lifetime. In practice this means that, as mentioned in point 2, the product must be kept secure with updates for 10 years.
4. New reporting requirements. To enable a coordinated response and monitoring, manufacturers must report vulnerabilities and major incidents to ENISA and the CSIRT security agencies within 24 hours. Other suppliers must in turn report to these agencies. In the event of an incident or exploitation of a vulnerability, manufacturers must also notify those affected, and in some cases all users of the product. The deadlines for such reporting are short.
5. Declaration of Conformity. Importers and distributors are responsible for verifying that the manufacturer complies with the requirements and must submit a Declaration of Conformity. If an importer or distributor sells the product (or software) under its own name, it is treated as the manufacturer. To meet the requirements, the importer or distributor needs not only actual control over the manufacturer but also solid contracts with subcontractors.
6. Products must be CE marked. The Cyber Resilience Act is almost purely a product safety law (unlike a rights-based regulation such as the General Data Protection Regulation (GDPR)). Accordingly, the regulation requires that covered products be certified and CE marked. The conditions for obtaining the CE mark are set out in the regulation, as are the requirements for the technical documentation, which must always accompany the product.
Risk Assessment Requirements
To ensure compliance with the mandatory requirements, manufacturers must conduct a cybersecurity risk assessment. The risk assessment must be documented, kept up to date, and included in the product documentation. The more critical the product, the more stringent the requirements on the procedures to be used. The regulation sets out detailed requirements on how the assessment should be conducted and what it should emphasize.
How do we address new security requirements?
Experience shows that achieving compliance with new requirements and regulations takes time, and the recent increase in cybersecurity breaches and ransomware attacks suggests that the Cyber Resilience Act will be no exception. All manufacturers, importers and distributors of products with digital elements should therefore start preparing now for the requirements to come into force in Norway. Examples of measures include:
1. Determine whether you are a manufacturer, importer or distributor.
2. Map out the requirements that apply to your business.
3. Conduct a cybersecurity risk assessment.
4. Ensure technical security, including proper update procedures.
5. Update contracts with subcontractors so that the regulatory requirements are included and reflected in the contracts.
6. Prepare documentation of the products you sell and the assessments you have carried out.
Future process between the EU and Norway
The Cyber Resilience Act has been passed by the European Parliament. However, the regulation will not come into force until it has been adopted by the Committee of Ministers of the Council of the EU. It is likely to be approved without significant changes. Exactly when it will be approved is not yet clear, but the law is expected to take effect in the EU first. As the regulation is EEA-relevant, once it is finally adopted by the EU it will be incorporated into the EEA Agreement and transposed into Norwegian law.