EU’s proposed legislation for regulating smart Internet of Things (IoT) devices
On 15 September 2022, the European Commission presented a proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, also known as the Cyber Resilience Act ("CRA"). The purpose of the CRA is set out by the EU Commission in the explanatory memorandum to the proposal. Hardware and software are increasingly exposed to cyberattacks, which led to an estimated global cost of cybercrime of EUR 5.5 trillion by 2021. The EU Commission recognises two major problems with these products. Firstly, products with digital elements have a low level of cybersecurity, reflected in a large number of vulnerabilities and insufficient provision of security updates to address them. Secondly, users have insufficient understanding of, and access to, information, which makes it difficult for them to choose a product with stronger cybersecurity properties. The EU Commission notes that most hardware and software products are not covered by any EU legislation with respect to their cybersecurity. The CRA introduces rules to safeguard products with digital elements that were not previously covered by any legislation; it can therefore be considered the first Internet of Things (IoT) law ever passed.
The main elements of the CRA are a new set of obligations for economic operators (including manufacturers, importers and distributors), conformity assessment procedures, a market surveillance framework, and the interaction with other EU legislation. Product safety legislation has already been enacted or amended to include cybersecurity requirements; examples include Regulation (EU) 2017/745 (MDR), Commission Delegated Regulation (EU) 2022/30 (the Radio Equipment Directive Delegated Act), the Machinery Regulation proposal (MR) and the General Product Safety Regulation proposal (GPSR). This has the potential to create discrepancies and uncertainties for manufacturers and users alike, since it places an additional burden on market operators to comply with overlapping regulations covering similar products.
Obligation of economic operators
Chapter II of the CRA sets out the obligations of manufacturers, distributors and importers. These obligations mandate that products with digital elements shall be made available on the market only if they are duly supplied, properly installed, maintained and used for their intended purpose. They also require manufacturers, when designing or developing a product, to ensure an appropriate level of cybersecurity based on the risks, and users must be informed about the cybersecurity aspects of the digital product. In addition, manufacturers have reporting obligations: upon detecting any incident having an impact on the cybersecurity of the digital product, the manufacturer must notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it. Further, users shall also be informed without undue delay of the corrective measures suggested to mitigate the impact of the vulnerability.
Conformity of the products with the essential requirements
European Standards are guidelines with which products, services and processes have to comply. These standards are developed by private European Standardisation Organisations (ESOs). Harmonised Standards are a specific category of European Standards developed by an ESO following a request, known as a "mandate", issued by the European Commission. Chapter III of the CRA provides that "products with digital elements which are in conformity with harmonised standards, the references to which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements" of the proposed Regulation (CRA). Article 19 under Chapter III of the CRA specifies that where harmonised standards do not exist, or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation, the Commission is empowered to adopt common specifications in respect of the essential requirements set out in Annex I of the CRA.
Furthermore, manufacturers are obliged to perform a conformity assessment of the product with digital elements, and of the vulnerability handling processes they have put in place, against the essential requirements set out in Annex I, by following one of the procedures set out in Annex IV.
Market Surveillance and Enforcement
Under Regulation (EU) 2019/1020, national market surveillance authorities carry out market surveillance in the territory of their Member State. Member States are free to designate either an existing or a new market surveillance authority for the effective implementation of the CRA. For products with digital elements that are classified as high-risk AI systems under the Artificial Intelligence Act ("AIA"), the market surveillance and enforcement authorities designated for the purposes of the AIA shall be the sole authorities responsible for the market surveillance activities required under the CRA.
Interplay between the CRA and other EU legislations
The CRA plays a major role in closing the gap in EU legislation with regard to cybersecurity requirements for products. It would create an interface between all the legal acts that deal with the cybersecurity of products with digital elements, for instance the AIA, the Cybersecurity Act ("CSA"), Delegated Regulation (EU) 2022/30 and the Network and Information Systems Directive (NIS2). Article 2(4) of the CRA regulates the interaction between the CRA and other Union acts that impose cybersecurity requirements on products containing digital elements. The article sets out the criteria by which other Union rules laying down requirements that address all or some of the risks covered by the essential requirements in Annex I of the CRA would prevail over the CRA. Therefore, where sectoral rules and the CRA impose overlapping requirements on products with digital elements, the application of the CRA would be limited or excluded.
The primary focus of the EU Commission is cybersecurity, which is also the keystone of a digital Europe. During the COVID-19 pandemic a large number of cyberattacks were witnessed, which makes it even more important to safeguard hospitals, research centres and other infrastructure. In December 2020 a Cybersecurity Strategy was proposed in the EU, which aimed to integrate cybersecurity into every element of the supply chain in order to make the EU a cyber-resilient union. The Cyber Resilience Act is designed to complement the EU cybersecurity framework, which comprises the Directive on the security of Network and Information Systems (NIS Directive), the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and the EU's Cybersecurity Act.
Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.
Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive.
Proposal for a Regulation of the European Parliament and of the Council on machinery products, COM(2021) 202 final.
Proposal for a Regulation of the European Parliament and of the Council on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council, and repealing Council Directive 87/357/EEC and Directive 2001/95/EC of the European Parliament and of the Council, COM(2021) 346 final.