EU Parliament approves Cyber Resilience Act, as MEPs adopt plans to boost security of digital products

The European Union (EU) Parliament on Tuesday approved new cyber resilience standards intended to protect all digital products sold in the EU from cyber threats. Already agreed with the Council last December, the regulation aims to ensure that products with digital features are secure to use, resilient against cyber threats, and accompanied by enough information about their security properties.

The regulation aims to ensure a high level of cybersecurity for products with digital elements and their integrated remote data processing solutions. It defines remote data processing as processing that takes place away from the user’s device, so that manufacturers must secure their products regardless of where the data is processed. Situations such as a mobile app accessing services provided by the manufacturer therefore fall within the regulation’s scope.

The legislation was approved with 517 votes in favor, 12 against and 78 abstentions. It will now have to be formally adopted by the Council, too, in order to become law.

“The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent,” Nicola Danti, lead MEP, said in a media statement. “Parliament has protected supply chains ensuring that key products such as routers and antiviruses are a priority for cybersecurity. We have ensured support for micro and small enterprises, better involvement of stakeholders, and addressed the concerns of the open-source community while staying ambitious. Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”

New technologies come with new risks, and the impact of cyber-attacks carried out through digital products has increased dramatically in recent years. For businesses, ensuring that the digital products in their supply chain are secure has become pivotal, considering that three in five vendors have already lost money due to product security gaps.

Important and critical products will be put into different lists based on their criticality and the level of cybersecurity risk they pose. The two lists will be proposed and updated by the European Commission. Products deemed to pose a higher cybersecurity risk will be examined more stringently by a notified body, while others may go through a lighter conformity assessment process, often managed internally by the manufacturers.

During the negotiations, MEPs made sure that products such as identity management systems software, password managers, biometric readers, smart home assistants and private security cameras were covered by the new rules. Products should also have security updates installed automatically and separately from functionality updates.

MEPs also pushed for the European Union Agency for Cybersecurity (ENISA) to be more closely involved when vulnerabilities are found and incidents occur. The agency will be notified by the member state concerned and receive information so it can assess the situation and, if it identifies a systemic risk, will inform other member states so they can take the necessary steps.

To emphasize the importance of professional skills in the cybersecurity field, MEPs also introduced education and training programs, collaborative initiatives, and strategies to enhance workforce mobility in the regulation.

“This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle,” the text of the Act outlined. “It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency with regard to the support period for products with digital elements made available on the market.”

It added that the various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on businesses and organizations to comply with several requirements and obligations for similar types of products. 

The cybersecurity of those products has a particularly strong cross-border dimension, as products with digital elements manufactured in one country are often used by organizations and consumers across the entire internal market. This makes it necessary to regulate the field at the Union level to ensure a harmonized regulatory framework and legal certainty for users, organizations and businesses, including microenterprises and small and medium-sized enterprises. 

The Act detailed that to increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements for those products that apply horizontally.

“Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors,” the Act stipulated. “As a result, even hardware and software considered to be less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or to move laterally across systems. Manufacturers should therefore ensure that all products with digital elements are designed and developed in accordance with the essential requirements laid down in this Regulation.”

By laying down cybersecurity requirements for placing products with digital elements on the market, the regulation is intended to enhance the cybersecurity of those products for consumers and businesses alike. Those requirements will also ensure that cybersecurity is taken into account throughout supply chains, making final products with digital elements and their components more secure.

Market surveillance authorities should be able to request manufacturers of categories of products with digital elements established by ADCO (administrative cooperation group) to submit the software bills of materials (SBOMs) that they have generated according to this regulation. To protect the confidentiality of SBOMs, market surveillance authorities should submit relevant information about dependencies to ADCO in an anonymized and aggregated manner.

Another key factor highlighted in the regulation is that the effectiveness of the implementation of this Regulation will also depend on the availability of adequate cybersecurity skills. “At Union level, various programmatic and political documents, including the Commission communication of 18 April 2023 on Closing the cybersecurity talent gap to boost the EU’s competitiveness, growth, and resilience and the Council Conclusions of 22 May 2023 on the EU Policy on Cyber Defence acknowledged the cybersecurity skills gap in the Union and the need to address such challenges as a matter of priority, in both the public and private sectors,” it added. 

To ensure effective implementation of the regulation, member states should make adequate resources available for the appropriate staffing of the market surveillance authorities and conformity assessment bodies that perform the tasks laid down in this Regulation. Those measures should enhance workforce mobility in the cybersecurity field and the associated career pathways. They should also contribute to making the cybersecurity workforce more resilient and inclusive, also in terms of gender.

Member states should therefore take measures to ensure that those tasks are carried out by adequately trained professionals with the necessary cybersecurity skills.

Similarly, manufacturers should ensure that their staff have the necessary skills to comply with their obligations laid down in this Regulation.

The regulation highlighted that a secure internet is indispensable for the functioning of critical infrastructures and for society as a whole. “Directive (EU) 2022/2555 aims at ensuring a high level of cybersecurity of services provided by essential and important entities referred to in Article 3 of that Directive, including digital infrastructure providers that support core functions of the open internet, ensure internet access and internet services.”

It is therefore important that the products with digital elements necessary for digital infrastructure providers to ensure the functioning of the internet are developed securely and that they comply with well-established internet security standards. 

The regulation, which applies to connectable hardware and software products, also aims at facilitating the compliance of digital infrastructure providers with the supply chain requirements under Directive (EU) 2022/2555 by ensuring that the products with digital elements that they use for the provision of their services are developed securely and that they have access to timely security updates for such products.