Last month the European Commission announced a ‘Cyber Resilience Act’ (CRA), a proposed regulation on the cyber security of electrical/electronic products with digital elements.
Such products generally have a low level of cyber security, and their users have insufficient understanding of it and little access to information.
Cyber-attacks on connected products are estimated to cost more than EUR 5 trillion annually. And, as cyber security knows no geographical borders, establishing international regulation is essential.
The CRA will not be an EU Directive, but a horizontal regulation with cyber security requirements for a broad scope of tangible and non-tangible products. The rules will follow the model of the current CE-marking directives, such as the LVD and the RED.
The objective of the CRA is to ensure:
- that manufacturers improve the security of products throughout the whole life cycle,
- that there is a clear cyber security framework to help both hardware and software producers to comply,
- more openness about the products’ security properties,
- that businesses and consumers are able to use the products.
Some types of products are out of scope, such as equipment related to the medical area, aviation and vehicles.
Since the proposed regulation will cover the essential cyber security requirements in the European Radio Equipment Directive (RED), the latter is expected to be modified to avoid overlapping requirements.
The requirements shall secure the products, be proportionate to the risks faced, and not result in undue costs.
For the EU as a whole, the reduction in costs from incidents affecting companies is estimated to be in the range of EUR 200-300 billion annually.
As with other CE-marking regulations, products complying with harmonised standards listed in the European Official Journal (OJ) are presumed to be compliant. If relevant standards do not yet exist, the Commission may adopt common specifications.
National authorities in the member states are responsible for designating Notified Bodies to be used for certification of products classified as high risk, and in cases where there is no applicable standard or official specification. The national authorities are also responsible for carrying out market surveillance.
The European Commission’s press release about the CRA may be seen here.
For more information and/or assistance with assessment of products for cyber security, please contact Geir.Horthe@nemko.com (a recording of Nemko’s webinar on 1 Nov. about the CRA will be available on request).
(Article is based on text provided by Geir Hørthe, edited by T.Sollie)