Cyber Resilience Act

From HandWiki
Short description: Proposed cybersecurity regulation in the EU
Title: Cyber Resilience Act – Proposal for a regulation on cybersecurity requirements for products with digital elements
Status: Proposed

The Cyber Resilience Act (CRA) is a cybersecurity regulation for the EU, proposed on 15 September 2022 by the European Commission, intended to improve cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements.[1][2] The draft legislation is available.[3][4] The European Commission had reached political agreement on the CRA as of 1 December 2023.[5] The agreed text must now receive formal approval from the European Parliament and the Council before it can enter into force.[6]

Multiple open source organizations have criticized the CRA for creating a "chilling effect on open source software development".[7] The term "products with digital elements" mainly refers to hardware and software, including products whose "intended and foreseeable use includes direct or indirect data connection to a device or network".[8]

Purposes and motivations

The background, purposes and motivations for the proposed policy include:[9]

  • Consumers increasingly fall victim to security flaws in digital products (e.g. vulnerabilities), including Internet of Things devices[8][10][11] and smart devices.[12][13]
  • Ensuring that digital products in the supply chain are secure is important for businesses,[8] and cybersecurity often is a "full company risk issue".[14]
  • Potential impacts of hacking include "severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening".[15]
  • Cybersecurity-by-design and by-default principles would impose a duty of care for the lifecycle of products, instead of e.g. relying on consumers and volunteers to establish a basic level of security.[8][16] The new rules would "rebalance responsibility towards manufacturers".[15]
  • Cyberattacks have led "to an estimated global annual cost of cybercrime of €5.5 trillion by 2021".[1]
  • The rapid spread of digital technologies means rogue states or non-state groups could more easily disrupt critical infrastructures such as public administration and hospitals.[17]
  • The CRA could make the EU a leader on cybersecurity and "change the rules of the game globally".[opinion] [16]

Implementation and mechanisms

Once the law has passed, manufacturers would "have a grace period of two years to adapt to the new requirements" and one year for "vulnerability and incident reporting". Failure to comply "could result in fines of up to $15 million (€15 million) or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year".[15][12][13] The policy requires that security updates be installed automatically by default, while allowing users to opt out.[18] Companies must conduct cyber risk assessments before a product is placed on the market and, throughout its lifecycle, manage its vulnerabilities effectively, test it regularly, and so on.[19] Products assessed as 'critical' will need to undergo external audits.[18][16] Companies would have to notify the EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them.[13] Products are categorized into two risk classes.[20] Products carrying the CE certification would "meet a minimum level of cybersecurity checks".[10]

Euractiv has reported on new drafts and draft changes, including the "removal of time obligations for products' lifetime and limiting the scope of reporting to significant incidents".[21][18] The first compromise amendment was to be discussed on 22 May 2023; groups could reportedly submit written comments until then. Euractiv has provided a summary overview of the proposed changes.[22]

The main political groups in the European Parliament are expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023. Lawmakers will discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote is scheduled for 19 July 2023.[23][24]

The Spanish presidency of the EU Council has released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements.[25][26]

The Council text further stipulates that, prior to seeking compulsory certification, the EU executive must undertake an impact assessment to evaluate both the supply and demand aspects of the internal market, as well as the member states' capacity and preparedness for implementing the proposed schemes.[27][28]

European institutions have successfully concluded negotiations on the Cyber Resilience Act (CRA), paving the way for its anticipated completion in early 2024. The finalized text, yet to be released, will be followed by a detailed summary, highlighting the EU's commitment to fortifying cybersecurity measures and ensuring a secure digital landscape.[26]

Criticism

  • Multiple open source organizations like The Eclipse Foundation and The Document Foundation have signed the open letter "Open Letter to the European Commission on the Cyber Resilience Act",[29] asking policy-makers to change the under-representation of the open source community. It finds that with the policy "more than 70% of the software in Europe [open source/FOSS] is about to be regulated without an in-depth consultation" and if implemented as written (as of April) would have a "chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU's own expressed goals for innovation, digital sovereignty, and future prosperity".[7][30][29]
  • Although Mozilla "welcome[s] and support[s] the overarching goals of the CRA", it also criticised the proposal for the unclear wording of ‘commercial activity’, misalignment with other EU rules, and the requirement to disclose unmitigated vulnerabilities.[31]
  • The Apache Software Foundation also published a statement about the CRA on their blog, titled "Save Open Source: The Impending Tragedy of the Cyber Resilience Act".[32]
  • A technology expert argued the CRA's "underlying assumption is that you can just add security to software" with "[m]any open source developers hav[ing] neither the revenue nor resources to secure their programs to a government standard".[30] Another tech journalist noted that "there's some problematic language with how the CRA draws a line between commercial and non-commercial [open source software] use, which could hurt the future of open source."[33] The OSI found that the text as of January 2023 would cause extensive problems for open source software, arising from "ambiguities in the wording and a framing which does not match the way Open Source communities actually function and their participants are motivated" and submitted information about such issues to the European Commission's request for input.[34]
  • CCIA Europe warned that "the resulting red tape from the approval process could hamper the roll-out of new technologies and services in Europe".[13]
  • Debian's statement[35] makes clear that open source software is not the only thing at risk; it points out that many small businesses and solo developers will be put out of business by the Act.

The CRA makes no distinction between software that sells millions or tens of millions of copies each year, and software that sells tens or hundreds of copies, despite the risk of the former—based on sheer volume—being vastly greater than the latter. Nor does the CRA take any account of business size: a business with a solo developer must meet the same regulatory requirements as a business the size of Microsoft.

According to Debian's statement, the CRA “will force many small enterprises and most probably all self employed developers out of business”. This seems justified for three reasons:

  1. It is much harder for a small business to meet the requirements than a large business—and it may be impossible for older software in maintenance mode.
  2. The legal hazard is too high, since even if a small business tries to meet the requirements, mistakes or omissions could lead to ruinous fines.
  3. To avoid the risks and strictures of the CRA a small business would have to prevent sales (and reselling) into more than forty countries: all countries in the EEA (this includes all the EU countries), all EU candidate countries, plus other countries that harmonize their laws with the EU for access to the single market. For small businesses with already small sales volumes (e.g., for specialist software), even the US and rest of the world may be too small a market to make the business viable.

International Standards and European Standards

The "Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification" does not refer directly and explicitly to any European or International standard. The same applies to the "Decision of the Management Board of the European Union Agency for Cybersecurity of 21 November 2019 on internal rules concerning restrictions of certain rights of data subjects in relation to processing of personal data in the framework of the functioning of ENISA".

The currently published draft of the "COMMISSION IMPLEMENTING REGULATION (EU) …/... laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)"[36] refers to standards in the following way:

- The scheme should be based on established international standards. Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for computer security evaluation. It is based on third party evaluation and envisages seven Evaluation Assurance Levels (‘EAL’). The Common Criteria is accompanied by the Common Methodology for Information Technology Security Evaluation.
- A certification body should be accredited in accordance with standard ISO/IEC 17065 by the national accreditation body for assurance level ‘substantial’ and ‘high’. In addition to the accreditation in accordance with Regulation (EC) No 765/2008, conformity assessment bodies should meet specific requirements in order to guarantee their technical competence for the evaluation of cybersecurity requirements under assurance level ‘high’ of the EUCC, which is confirmed by an ‘authorisation’. To support the authorisation process, ENISA should develop and maintain guidance and publish it after endorsement by the European Cybersecurity Certification Group.
- The technical competence of an ITSEF should be assessed through the accreditation of the testing laboratory in accordance with ISO/IEC 17025 and complemented by ISO/IEC 23532-1 for the full set of evaluation activities that are relevant to the assurance level and specified in ISO/IEC 18045 in conjunction with ISO/IEC 15408. Both the certification body and the ITSEF should establish and maintain an appropriate competence management system for personnel that draws from ISO/IEC 19896-1 for the elements and levels of competence and for the appraisal of competence. For the level of knowledge, skills, experience and education, the applicable requirements for the evaluators should be drawn from ISO/IEC 19896-3. Equivalent provisions and measures dealing with deviations from such competence management systems should be demonstrated, in line with the system’s objectives.
- The holder of an EUCC certificate should implement necessary vulnerability management procedures and ensure that those procedures are embedded in their organisation. When becoming aware of a potential vulnerability, the holder of the EUCC certificate should perform a vulnerability analysis. Where the vulnerability analysis confirms that the vulnerability can be exploited, the certificate holder should send a report of the assessment to the certification body which should in turn inform the national cybersecurity certification authority. The report should inform about the impact of the vulnerability, the necessary changes or remedial solutions that are required including possible broader implications of the vulnerability as well as remedial solutions for other products. Where necessary, the standard EN ISO/IEC 29147 should supplement the procedure for the vulnerability disclosure.

For the purposes of this Regulation, the following definitions shall apply:
(1) ‘Common Criteria’ means the Common Criteria for Information Technology Security Evaluation, as set out in ISO standard EN ISO/IEC 15408;
(2) ‘Common Evaluation Methodology’ means the Common Methodology for Information Technology Security Evaluation, as set out in ISO standard EN ISO/IEC 18045.

Article 3 – Evaluation standards. The following standards shall apply to evaluations performed under the EUCC scheme:
(a) the Common Criteria;
(b) the Common Evaluation Methodology.

Certification of ICT products – Section I – Specific standards and requirements for evaluation – Article 7 – Evaluation criteria and methods for ICT products. 1. An ICT product submitted for certification shall, as a minimum, be evaluated in accordance with the following:
(a) the applicable elements of the standards referred to in Article 3;
(b) the security assurance requirements classes for vulnerability assessment, independent functional testing and flaw remediation, as set out in the evaluation standards referred to in Article 3;
(c) the level of risk associated with the intended use of the ICT products concerned pursuant to Article 52 of Regulation (EU) 2019/881 and their security functions that support the security objectives set out in Article 51 of Regulation (EU) 2019/881;
(d) the applicable state-of-the-art documents listed in Annex I (2).

There is no explicit reference to European Standards or ISO/IEC Standards in the documents listed in Annex I of the current draft of the proposed regulation. A list of ISO/IEC standards and CEN/CENELEC European standards on cybersecurity is summarised, classified and automatically updated on the topic page "List of Cybersecurity European and International Standards" (https://genorma.com/en/topic/show/135), based on official standardization sources, including the following:

- Requirements for the competence of IT security testing and evaluation laboratories
- Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security
- Security techniques
- IoT security and privacy
- Information security management systems
- New concepts and changes in ISO/IEC 15408:2022 and ISO/IEC 18045:2022
- Guidelines for information security management systems auditing
- Verification of cryptographic protocols
- Fixed-time cybersecurity evaluation methodology for ICT products
- Security evaluation standard for IoT platforms
- Supplier relationships
- Health informatics – device interoperability
- Road vehicles – guidelines for auditing cybersecurity engineering
- Road vehicles – cybersecurity engineering
- Road vehicles – safety and cybersecurity for automated driving systems
- Railway applications – cybersecurity
- Maritime navigation and radiocommunication equipment and systems – cybersecurity
- Nuclear power plants – instrumentation, control and electrical power systems – cybersecurity requirements
- Nuclear power plants – instrumentation and control systems – requirements for coordinating safety and cybersecurity

There is no explicit reference to these standards in the Cybersecurity Act, but manufacturers and other actors can use them voluntarily to comply with cybersecurity requirements.

References

  1. "Cyber Resilience Act | Shaping Europe's digital future". 15 September 2022. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.
  2. "EU Cyber Resilience Act | Shaping Europe's digital future". https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act.
  3. European Parliament (14 September 2022). Proposal for a regulation of the European Parliament and of The Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 — COM(2022) 454 final — 2022/0272 (COD). Strasbourg, France: European Parliament. https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_1&format=PDF. Retrieved 2023-07-17.
  4. European Parliament (15 September 2022). ANNEXES to the proposal for a regulation of the European Parliament and of The Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 — COM(2022) 454. Strasbourg, France: European Parliament. https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_2&format=PDF. Retrieved 2023-07-17.
  5. "Press corner". European Commission. https://ec.europa.eu/commission/presscorner/home/en.
  6. "European Cyber Resilience Act (CRA)". https://www.european-cyber-resilience-act.com/.
  7. Sawers, Paul (18 April 2023). "In letter to EU, open source bodies say Cyber Resilience Act could have 'chilling effect' on software development". TechCrunch. https://techcrunch.com/2023/04/18/in-letter-to-european-commission-open-source-bodies-say-cyber-resilience-act-could-have-chilling-effect-on-software-development/.
  8. "EU cyber-resilience act | Think Tank | European Parliament". https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)739259.
  9. Car, Polona; De Luca, Stefano (May 2023). EU cyber-resilience act — Briefing EU Legislation in Progress — PE 739.259. Strasbourg, France: European Parliamentary Research Service (EPRS), European Parliament. https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/739259/EPRS_BRI%282022%29739259_EN%2Epdf. Retrieved 25 September 2023.
  10. "EU pitches cyber law to fix patchy Internet of Things". POLITICO. 15 September 2022. https://www.politico.eu/article/new-cyber-act-to-raise-safety-standards-across-the-bloc/.
  11. "Commission presents Cyber Resilience Act targeting Internet of Things products". Euractiv. 15 September 2022. https://www.euractiv.com/section/digital/news/commission-presents-cyber-resilience-act-targeting-internet-of-things-products/.
  12. Lomas, Natasha (15 September 2022). "The EU unboxes its plan for smart device security". TechCrunch. https://techcrunch.com/2022/09/15/eu-cyber-resilience-act-draft/.
  13. Chee, Foo Yun (15 September 2022). "EU proposes rules targeting cybersecurity risks of smart devices". Reuters. https://www.reuters.com/technology/eu-proposes-rules-targeting-smart-devices-with-cybersecurity-risks-2022-09-15/.
  14. Gross, Anna (9 November 2022). "Why a clear cyber policy is critical for companies". Financial Times. https://www.ft.com/content/0bb6df09-7d77-4605-aac3-89443ed65a18.
  15. Dobberstein, Laura. "EU puts manufacturers on hook for smart device security". The Register. https://www.theregister.com/2022/09/16/eu_cyber_resilience_act/.
  16. Starks, Tim (3 January 2023). "Analysis | Europe's cybersecurity dance card is full". Washington Post. https://www.washingtonpost.com/politics/2023/01/03/europes-cybersecurity-dance-card-is-full/.
  17. "EU chief announces cybersecurity law for connected devices". Euractiv. 16 September 2021. https://www.euractiv.com/section/cybersecurity/news/eu-chief-announces-cybersecurity-law-for-connected-devices/.
  18. "Swedish Council presidency presents first full rewrite of Cyber Resilience Act". Euractiv. 25 April 2023. https://www.euractiv.com/section/cybersecurity/news/swedish-council-presidency-presents-first-full-rewrite-of-cyber-resilience-act/.
  19. Help Net Security (2 March 2023). "Cyber resilience in focus: EU act to set strict standards". https://www.helpnetsecurity.com/2023/03/02/eu-cyber-resilience-act/.
  20. "Cyber-resilience Act signals big change in commercial software development". The Irish Times. https://www.irishtimes.com/business/innovation/2022/12/01/cyber-resilience-act-signals-big-change-in-commercial-software-development/.
  21. "Cyber Resilience Act: Leading MEP proposes flexible lifetime, narrower reporting". Euractiv. 31 March 2023. https://www.euractiv.com/section/cybersecurity/news/cyber-resilience-act-leading-mep-proposes-flexible-lifetime-narrower-reporting/.
  22. "EU lawmakers kick off cybersecurity law negotiations for connected devices". Euractiv. 17 May 2023. https://www.euractiv.com/section/cybersecurity/news/eu-lawmakers-kick-off-cybersecurity-law-negotiations-for-connected-devices/.
  23. "EU lawmakers set to close deal on cybersecurity law for connected devices". Euractiv. 4 July 2023. https://www.euractiv.com/section/cybersecurity/news/eu-lawmakers-set-to-close-deal-on-cybersecurity-law-for-connected-devices/.
  24. "Cyber Resilience Act - Current state of play". https://www.cyberresilienceact.eu/current-state-of-play/.
  25. "EU Council cuts down special product categories in cybersecurity law". Euractiv. 10 July 2023. https://www.euractiv.com/section/cybersecurity/news/eu-council-cuts-down-special-product-categories-in-cybersecurity-law/.
  26. "Cyber Resilience Act - Read the current state of play". https://www.cyberresilienceact.eu/current-state-of-play/.
  27. "EU ambassadors set to endorse new cybersecurity law for connected devices". Euractiv. 17 July 2023. https://www.euractiv.com/section/cybersecurity/news/eu-ambassadors-set-to-endorse-new-cybersecurity-law-for-connected-devices/.
  28. "Cyber Resilience Act - Read the current state of play". https://www.cyberresilienceact.eu/current-state-of-play/.
  29. "Open Letter to the European Commission on the Cyber Resilience Act". Eclipse Foundation. 17 April 2023. https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act.
  30. Vaughan-Nichols, Steven J. "EU attempts to secure software could hurt open source". The Register. https://www.theregister.com/2023/05/12/eu_cyber_resilience_act/.
  31. Stampelos, Tasos (30 July 2023). "Mozilla weighs in on the EU Cyber Resilience Act". Mozilla. https://blog.mozilla.org/netpolicy/2023/05/15/mozilla-weighs-in-on-the-eu-cyber-resilience-act/.
  32. van Gulik, Dirk-Willem (18 July 2023). "Save Open Source: The Impending Tragedy of the Cyber Resilience Act". Apache Software Foundation. https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act.
  33. "Europe's cyber security strategy must be clear about open source | Computer Weekly". https://www.computerweekly.com/opinion/Europes-cyber-security-strategy-must-be-clear-about-open-source.
  34. Phipps, Simon (24 January 2023). "What is the Cyber Resilience Act and why it's dangerous for Open Source". Open Source Initiative. https://blog.opensource.org/what-is-the-cyber-resilience-act-and-why-its-important-for-open-source/.
  35. Debian. "Statement about the EU Cyber Resilience Act".
  36. "COMMISSION IMPLEMENTING REGULATION (EU) …/... Laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)". European Commission. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=PI_COM:Ares(2023)6682079.
