The recent Cyber Resilience Act provides groundbreaking regulation for companies in the EU manufacturing any sort of digital product, mirroring recent calls for more secure-by-design practices in the US.
While the United States has had the highest average cost of a data breach for over a decade, sitting at over $5 million in 2023, it still isn't the top target for cyberattacks. Cybercrime is an increasingly global issue, especially as geopolitical conflicts spread to new digital fronts. The global cost of cybercrime is projected to reach $10.5 trillion a year by 2025, so it's no surprise that many countries are taking action to reduce the likelihood and damage of cyberattacks.
The new rule requires that any digital product placed on the EU market meet specific cybersecurity standards, scaled to the level of security risk associated with that product. Companies that make these products will also need to keep them secure throughout their whole lifecycle, not just when they are new. Compliant products (hardware and/or software) will carry a CE mark to show that they may be sold in the EU. Non-compliant products will not be allowed onto the market until the risk is eliminated, and products that are already on the market but are found to be non-compliant will be recalled. Market surveillance authorities (appointed by Member States) will be empowered to fine companies that break the rules mandated by the CRA.
Software provided as a service is not covered by the CRA, but companies that sell software as a service will still have cybersecurity requirements to meet under the 2022 NIS 2 Directive. That directive established supply chain security requirements and streamlined rules for incident reporting, and it complements the CRA.
The CRA fact sheet outlines the cybersecurity obligations that manufacturers placing products on the EU market will now need to take into account, including:
Incorporating cybersecurity practices in the planning, design, development, production, delivery, and maintenance of any device on the market
Documentation of all cybersecurity risks
Reporting actively exploited vulnerabilities and incidents
Handling vulnerabilities effectively during the duration of the device’s support period
Releasing clear and understandable instructions for the device or digital product
Making security updates available to users for as long as the product can reasonably be expected to be in use
The Cyber Resilience Act needs to be formally approved before it enters into force, which will likely occur in 2024. After that, manufacturers will have three years to apply the rules before they are enforced.
While the United States does not yet have any similar law at the national level, there has been a lot of conversation about shifting more cybersecurity responsibility onto software developers. Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), has long pushed for "secure by design and secure by default principles", saying that "ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem". CISA's new 'Secure by Design Alert Series' is a sign that the agency is putting more onus on software manufacturers to improve their security practices. The alerts will call out "vulnerability or intrusion campaigns that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles."
It is not clear whether the US will soon follow the EU's regulatory approach, but the CRA does seem to align well with CISA's goals. Collaboration and alignment of global cybersecurity efforts are crucial to building a secure and resilient technology ecosystem that can effectively counter cyber threats.