Products with digital elements (internet of things – IoT) have become a large part of our everyday lives, both privately and in business. Countless companies are now incorporating IoT into their products and developing services for the things. These products process large amounts of information, and high levels of security is therefore crucial. With an explosion in ransomware and other security breaches over the past few years, many companies have had to pay the price for poor security.
In response to the growing threat to the IoT, the European Parliament passed the new Cyber Resilience Act on 12 March this year. The regulation imposes security requirements for products with digital elements. The products could be anything from smart watches and ventilation systems to firewalls and other software. The purpose is to increase security for the end-user, while manufacturers, importers and distributors must comply with several new requirements.
The regulation will have particularly severe consequences for those who supply physical products and software in the EEA. Cybersecurity is a priority area for the EU these days, and companies in breach of the new regulation are risking huge fines: a manufacturer could be fined 2.5% of annual turnover or 15 million euros, depending on which is greater. Most other violations have set 2% and €10 million as the upper limit for violation fees.
What products are covered?
The regulation covers a wide range of products, but divides them into different categories based on risk. In the category “important products” we find browsers, password protectors, doorbells, baby monitors, WIFI routers, ID systems, biometric readers, smart home assistants, private security cameras, robot vacuum cleaners, alarm systems, microprocessors and controllers with security functions and some internet-connected toys. In the category of “critical products” we find safety boxes, smart meters and smart card devices.
Suppliers should know these six key points:
1. Product safety must be adjusted based on the risk. Manufacturers, importers and distributors (collectively, suppliers) who put their own name on the products must comply with essential requirements – i.e. basic safety requirements. The main requirement is that the safety measures must be adjusted to the risk level. Among other things, the product must not have known vulnerabilities open to exploitation, the default settings must be secure, and the product must be secured against unauthorized access.
2. Updates must take place continuously. A practically important requirement is that the software in products must be updated so that they stay (or become) secure. There are examples of criminals entering computer networks through, for example, ventilation systems due to poorly secured control systems. Suppliers of such systems are now obliged to update software to patch security holes.
3. Support for 10 years. The support of the products must have a lifetime perspective. The products must therefore be kept secure over time – for 10 years – with updates as mentioned in point 2.
4. New reporting requirements. To enable coordinated response and oversight, the manufacturer must report vulnerabilities and serious incidents to the ENISA and CSIRT security agencies within 24 hours. Suppliers must then follow up with reporting to these bodies. In the event of incidents and exploited vulnerabilities, the manufacturer shall report to those affected by the incident. In some cases, it will be necessary to report to all users of the product. The deadlines for such reporting are short .
5. Declaration of Conformity. Importers and distributors are responsible for checking and controlling that the manufacturer complies with the requirements and must provide a declaration of conformity. If an importer or distributor markets the product (or software) under their own name, they are treated as manufacturers. In order to comply with the requirements, it is important for the importer and distributor to have solid agreements with subcontractors in addition to carrying out actual controls of the manufacturer.
6. The products shall be CE marked. The Cyber Resilience Act is more or less a pure product safety law (as opposed to a bill of rights, such as the General Data Protection Regulation (GDPR)). Therefore, the regulation includes a requirement that the products covered must be certified and bear the CE mark. Requirements for the CE marking are regulated. The same applies to technical documentation, which should always accompany the product.
Risk assessment requirements
To ensure compliance with the essential requirements, the manufacturer shall carry out a cybersecurity risk assessment. The risk assessment shall be documented, kept up-to-date and included in the documentation for the product. The more critical the product, the more stringent the requirements are for which procedures may be utilized. Detailed requirements have been laid out for how the assessment is to be made and what is to be emphasised.
How should the new security requirements be addressed?
Our experience is that it takes time to ensure compliance with new requirements and regulations. The increased number of cybersecurity breaches and ransomware attacks in recent years suggests that this will also be the case with the introduction of the Cyber Resilience Act. Therefore, all manufacturers, importers and distributors of products with digital elements should begin to prepare for when the requirements enter into force in Norway. Examples of measures include:
- find out whether you will be considered a manufacturer, importer or distributor;
- map out which requirements will apply to your business;
- carry out a cybersecurity risk assessment;
- ensure technical security, including adequate routines for updating;
- update the agreements with your subcontractors so that the requirements of the regulation are included and reflected in the agreements;
- prepare documentation for the products you sell and the assessments you have made.
The process ahead in the EU and Norway
The Cyber Resilience Act has been passed by the European Parliament. However, the regulation will not enter into force until it is adopted by the Committee of Ministers of the EU Council. It is most likely that the regulation will be approved without major changes. It is not known exactly when this will happen, but there is reason to expect that the act will be given priority in the EU. The regulation is relevant to the EEA, so the regulation will be incorporated into the EEA Agreement and adopted as Norwegian law after it has been finally adopted by the EU.
