| Title | Cyber Resilience Act – Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements |
|---|---|
| Status | Pending legislation |
The Cyber Resilience Act (CRA) is an EU regulation proposed on 15 September 2022 by the European Commission to improve cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements, such as mandatory incident reporting and automatic security updates. [1] Products with digital elements are mainly hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network". [2]
After publication of the draft proposal, multiple open source organizations criticized the CRA for creating a "chilling effect on open source software development". [3] The European Commission reached political agreement on the CRA on 1 December 2023, after a series of amendments. [4] The revised bill introduced the "open source steward", a new economic concept, and was welcomed by many open source organizations because of its exception for open-source software, [5] while Debian criticized its effect on small businesses and redistributors. [6] The CRA agreement received formal approval by the European Parliament in March 2024. [7] It was adopted by the Council on 10 October 2024. [8]
The background, purposes and motivations for the proposed policy include: [9]
According to The Washington Post, the CRA could make the EU a leader on cybersecurity and "change the rules of the game globally". [16]
The policy requires that software which is "reasonably expected" to have automatic updates roll out security updates automatically by default, while allowing users to opt out. [18] When feasible, security updates should be separated from feature updates. [19]: Annex I.II(2) Companies must conduct cyber risk assessments before a product is placed on the market and retain its data inventory and documentation for 10 years [20] after it is placed on the market or for its support period, whichever is longer. [19] Companies would have to notify the EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them. [13] Products carrying the CE marking would "meet a minimum level of cybersecurity checks". [10]
About 90% of products with digital elements fall under a default category, for which manufacturers self-assess security, write an EU declaration of conformity, and provide technical documentation. [21] The rest are either "important" or "critical". Products classed as "important" are further divided into two risk classes. [22] Products assessed as "critical" must undergo external audits. [18] [16]
Once the law has passed, manufacturers have two years to adapt to the new requirements and one year to implement vulnerability and incident reporting. Failure to comply could result in fines of up to €15 million or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year. [15] [12] [13] Fines do not apply to non-commercial open-source developers. [19]: 64(10)
Euractiv has reported on new drafts and draft changes, including the "removal of time obligations for products' lifetime and limiting the scope of reporting to significant incidents". [23] [18] The first compromise amendment was to be discussed on 22 May 2023; until then, groups could reportedly submit written comments. Euractiv has provided a summary overview of the proposed changes. [24]
The main political groups in the European Parliament were expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023, where lawmakers would discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote was scheduled for 19 July 2023. [25] [26]
The Spanish presidency of the EU Council has released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements. [27] [26]
The Council text further stipulates that, before seeking compulsory certification, the EU executive must undertake an impact assessment evaluating both the supply and demand sides of the internal market, as well as the member states' capacity and preparedness to implement the proposed schemes. [28] [26]
On June 25, 2024, the Czech National Office for Cyber and Information Security (NÚKIB) announced steps to implement the Cyber Resilience Act (CRA), including a regulation expected in autumn 2024, with enforcement starting in late 2027 after a three-year transition. This regulation will require manufacturers of digital products to enhance cybersecurity throughout the product lifecycle. NÚKIB will also hold consultations with manufacturers of significant and critical products from June 25 to July 17, 2024, to develop technical specifications and gather feedback. [29]
Initially, the proposed act was heavily criticized by open-source advocates. [30]
Amendments were released on 1 December 2023, as part of the political agreement between co-legislators, [37] to the acclaim of many open-source advocates. [5] As Mike Milinkovich, executive director of the Eclipse Foundation, [38] wrote: [37]
The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms. It also creates a new form of economic actor, the “open source steward,” which acknowledges the role played by foundations and platforms in the open source ecosystem. This is the first time this has appeared in a regulation, and it will be interesting to see how this evolves.
— Mike Milinkovich, "Good News on the Cyber Resilience Act"
The OSI noted that Debian's concern that many small businesses and solo developers would have trouble navigating the act when redistributing open source software [6] remained unaddressed. [5] Apache reviewed the changes positively, while worrying about the applicability of the CRA to potentially critical open-source components and stressing the importance of collaboration with international standards bodies to ease certification of software. [39]