Cyber Resilience Act

Last updated

Regulation 2024/2847
European Union regulation
Text with EEA relevance
Flag of Europe.svg
TitleRegulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)
Made byEuropean Parliament, EU Council
Made underTreaty on the Functioning of the European Union, and in particular Article 114 thereof
Journal reference OJ L, 2024/2847, 20.11.2024
History
Date made23 October 2024
Entry into force12 November 2024
Applies from11 December 2027
Current legislation

The Cyber Resilience Act (CRA) is an EU regulation for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements in the EU, such as required incident reports and automatic security updates. [1] Products with digital elements mainly are hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network". [2]

Contents

After its proposal on 15 September 2022 by the European Commission, multiple open source organizations criticized CRA for creating a "chilling effect on open source software development". [3] The European Commission reached political agreement on the CRA on 1 December 2023, after a series of amendments. [4] The revised bill introduced the "open source steward", a new economic concept, and received relief from many open source organizations due to its exception for open-source software, [5] while Debian criticized its effect on small businesses and redistributors. [6] The CRA agreement received formal approval by the European Parliament in March 2024. [7] It was adopted by the Council on 10 October 2024. [8]

Purposes and motivations

The background, purposes and motivations for the proposed policy include: [9]

According to The Washington Post, the CRA could make the EU a leader on cybersecurity and "change the rules of the game globally". [16]

Implementation and mechanisms

The policy requires software that are "reasonably expected" to have automatic updates should roll out security updates automatically by default while allowing users to opt out. [18] When feasible, security updates should be separated from feature updates. [19] :Annex I.II(2) Companies need to conduct cyber risk assessments before a product is put on the market and retain its data inventory and documentation throughout the 10 years [20] after being put on market or its support period, whichever is longer. [19] Companies would have to notify EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them. [13] Products carrying the CE marking would "meet a minimum level of cybersecurity checks". [10]

About 90% of products with digital elements fall under a default category, for which manufacturers will self-assess security, write an EU declaration of conformity, and provide technical documentation. [21] The rest are either "important" or "critical". Security-important products are categorized into two classes of risks. [22] Products assessed as 'critical' will need to undergo external audits. [18] [16]

Once the law has passed, manufacturers would have two years to adapt to the new requirements and one year to implement vulnerability and incident reporting. Failure to comply could result in fines of up to €15 million or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year. [15] [12] [13] Fines do not apply to non-commercial open-source developers. [19] :64(10)

Euractiv has reported on novel drafts or draft-changes that includes changes like the "removal of time obligations for products' lifetime and limiting the scope of reporting to significant incidents". [23] [18] The first compromise amendment will be discussed on 22 May 2023 until which groups reportedly could submit written comments. Euractiv has provided a summary overview of the proposed changes. [24]

The main political groups in the European Parliament are expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023. Lawmakers will discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote is scheduled for 19 July 2023. [25] [26]

The Spanish presidency of the EU Council has released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements. [27] [26]

The Council text further stipulates that prior to seeking compulsory certification, the European Union executives must undertake an impact assessment to evaluate both the supply and demand aspects of the internal market, as well as the member states' capacity and preparedness for implementing the proposed schemes. [28] [26]

On June 25, 2024, the Czech National Office for Cyber and Information Security (NÚKIB) announced steps to implement the Cyber Resilience Act (CRA), including a regulation expected in autumn 2024, with enforcement starting in late 2027 after a three-year transition. This regulation will require manufacturers of digital products to enhance cybersecurity throughout the product lifecycle. NÚKIB will also hold consultations with manufacturers of significant and critical products from June 25 to July 17, 2024, to develop technical specifications and gather feedback. [29]

Reception

Initially, the proposed act was heavily criticized by open-source advocates. [30]

FSFE Policy Consultant Alexander Sander summarizes key concerns in March 2023. [36]

Amendments were released on 1 December 2023, as part of political agreement between co-legislators, [37] to the acclaim of many open-source advocates. [5] As Mike Milinkovich, executive director of the Eclipse foundation, [38] wrote: [37]

The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms. It also creates a new form of economic actor, the “open source steward,” which acknowledges the role played by foundations and platforms in the open source ecosystem. This is the first time this has appeared in a regulation, and it will be interesting to see how this evolves.

Mike Milinkovich, "Good News on the Cyber Resilience Act"

The OSI noted Debian's statement that many small businesses and solo developers would have trouble navigating the act when redistributing open source software [6] remained unaddressed. [5] Apache reviewed the changes positively while worrying about applicability of the CRA on potentially critical open-source components and stressing the importance of collaboration with international standards bodies to ease certification of software. [39]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Free software</span> Software licensed to be freely used, modified and distributed

Free software, libre software, libreware sometimes known as freedom-respecting software is computer software distributed under terms that allow users to run the software for any purpose as well as to study, change, and distribute it and any adapted versions. Free software is a matter of liberty, not price; all users are legally free to do what they want with their copies of a free software regardless of how much is paid to obtain the program. Computer programs are deemed "free" if they give end-users ultimate control over the software and, subsequently, over their devices.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

<span class="mw-page-title-main">Trend Micro</span> Japanese multinational cyber security company

Trend Micro Inc. is an American-Japanese cyber security software company. The company has globally dispersed R&D in 16 locations across every continent excluding Antarctica. The company develops enterprise security software for servers, containers, and cloud computing environments, networks, and end points. Its cloud and virtualization security products provide automated security for customers of VMware, Amazon AWS, Microsoft Azure, and Google Cloud Platform.

<span class="mw-page-title-main">Medical device</span> Device to be used for medical purposes

A medical device is any device intended to be used for medical purposes. Significant potential for hazards are inherent when using a device for medical purposes and thus medical devices must be proved safe and effective with reasonable assurance before regulating governments allow marketing of the device in their country. As a general rule, as the associated risk of the device increases the amount of testing required to establish safety and efficacy also increases. Further, as associated risk increases the potential benefit to the patient must also increase.

<span class="mw-page-title-main">European Union Agency for Cybersecurity</span> Agency of the European Union

The European Union Agency for Cybersecurity – self-designation ENISA from the abbreviation of its original name – is an agency of the European Union. It is fully operational since September 1, 2005. The Agency is located in Athens, Greece and has offices in Brussels, Belgium and Heraklion, Greece.      

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

<span class="mw-page-title-main">Bitdefender</span> Romanian cybersecurity technology company

Bitdefender is a multinational cybersecurity technology company dual-headquartered in Bucharest, Romania and Santa Clara, California, with offices in the United States, Europe, Australia and the Middle East.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Digital supply chain security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

<span class="mw-page-title-main">Sqrrl</span> Cyber security company

Sqrrl Data, Inc. is an American company founded in 2012 that markets software for big data analytics and cyber security. The company has roots in the United States Intelligence Community and National Security Agency. Sqrrl was involved in the creation of, and actively contributes to Apache Accumulo and other related Apache projects. Sqrrl’s primary product is its threat hunting platform, designed for active detection of advanced persistent threats.

<span class="mw-page-title-main">Bill Buchanan (computer scientist)</span> Scottish computer scientist

Bill Buchanan is a Scottish computer scientist. He is a professor at Edinburgh Napier University, where he leads the Blockpass ID Lab, and the Centre for Cybersecurity, IoT and Cyberphysical. In 2017 he received an OBE for services to cyber security.

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

SafeDNS is a cybersecurity company specializing in providing cloud-based web filtering solutions and AI-powered technology. Its headquarters is in Alexandria, Virginia.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

<span class="mw-page-title-main">2022 Ukraine cyberattacks</span> Attack on Ukrainian government and websites

During the prelude to the Russian invasion of Ukraine and the Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.

<span class="mw-page-title-main">OpenHarmony</span> Family of open-source operating systems based on OpenHarmony

OpenHarmony is a family of open-source distributed operating systems based on HarmonyOS derived from LiteOS, donated the L0-L2 branch source code by Huawei to the OpenAtom Foundation. Similar to HarmonyOS, the open-source distributed operating system is designed with a layered architecture, consisting of four layers from the bottom to the top: the kernel layer, system service layer, framework layer, and application layer. It is also an extensive collection of free software, which can be used as an operating system or in parts with other operating systems via Kernel Abstraction Layer subsystems.

On July 17th 2024, it was announced at the State Opening of Parliament that the Labour government will introduce the Cyber Security and Resilience Bill (CS&R). The proposed legislation is intended to update the existing Network and Information Security Regulations 2018, known as UK NIS. CS&R will strengthen the UK's cyber defences and resilience to hostile attacks thus ensuring that the infrastructure and critical services relied upon by UK companies are protected by addressing vulnerabilities, while ensuring the digital economy can deliver growth.

References

  1. 1 2 "Cyber Resilience Act | Shaping Europe's digital future". digital-strategy.ec.europa.eu. 15 September 2022. Retrieved 17 May 2023.
  2. 1 2 3 4 "EU cyber-resilience act | Think Tank | European Parliament". www.europarl.europa.eu. Retrieved 17 May 2023.
  3. 1 2 Sawers, Paul (18 April 2023). "In letter to EU, open source bodies say Cyber Resilience Act could have 'chilling effect' on software development". TechCrunch. Retrieved 17 May 2023.
  4. "Commission welcomes political agreement on Cyber Resilience Act". European Commission. 1 December 2023. Retrieved 22 March 2024.
  5. 1 2 3 Phipps, Simon (2 February 2024), "The European regulators listened to the Open Source communities!", Voices of Open Source, Open Source Initiative, retrieved 21 February 2024
  6. 1 2 "Statement about the EU Cyber Resilience Act". Debian Project.
  7. "Cyber Resilience Act: MEPs adopt plans to boost security of digital products | News | European Parliament". www.europarl.europa.eu. 12 March 2024. Retrieved 23 March 2024.
  8. Council of the European Union (10 October 2024). "Cyber resilience act: Council adopts new law on security requirements for digital products)". Consilium. Retrieved 13 October 2024.
  9. Car, Polona; De Luca, Stefano (May 2023). EU cyber-resilience act — Briefing EU Legislation in Progress — PE 739.259. Strasbourg, France: European Parliamentary Research Service (EPRS), European Parliament. Retrieved 25 September 2023.
  10. 1 2 "EU pitches cyber law to fix patchy Internet of Things". POLITICO. 15 September 2022. Retrieved 17 May 2023.
  11. "Commission presents Cyber Resilience Act targeting Internet of Things products". www.euractiv.com. 15 September 2022. Retrieved 17 May 2023.
  12. 1 2 Lomas, Natasha (15 September 2022). "The EU unboxes its plan for smart device security". TechCrunch. Retrieved 17 May 2023.
  13. 1 2 3 4 Chee, Foo Yun (15 September 2022). "EU proposes rules targeting cybersecurity risks of smart devices". Reuters. Retrieved 17 May 2023.
  14. Gross, Anna (9 November 2022). "Why a clear cyber policy is critical for companies". Financial Times. Retrieved 17 May 2023.
  15. 1 2 3 Dobberstein, Laura. "EU puts manufacturers on hook for smart device security". www.theregister.com. Retrieved 17 May 2023.
  16. 1 2 3 Starks, Tim (3 January 2023). "Analysis | Europe's cybersecurity dance card is full". Washington Post. Retrieved 17 May 2023.
  17. "EU chief announces cybersecurity law for connected devices". www.euractiv.com. 16 September 2021. Retrieved 17 May 2023.
  18. 1 2 3 "Swedish Council presidency presents first full rewrite of Cyber Resilience Act". www.euractiv.com. 25 April 2023. Retrieved 17 May 2023.
  19. 1 2 3 Texts adopted - Cyber Resilience Act, European Parliament, 12 March 2024, retrieved 23 March 2024
  20. Security, Help Net (2 March 2023). "Cyber resilience in focus: EU act to set strict standards". Help Net Security. Retrieved 18 May 2023.
  21. Nuthi, Kir (26 September 2022), An Overview of the EU's Cyber Resilience Act, Center for Data Innovation, retrieved 23 March 2024
  22. "Cyber-resilience Act signals big change in commercial software development". The Irish Times. Retrieved 17 May 2023.
  23. "Cyber Resilience Act: Leading MEP proposes flexible lifetime, narrower reporting". www.euractiv.com. 31 March 2023. Retrieved 17 May 2023.
  24. "EU lawmakers kick off cybersecurity law negotiations for connected devices". www.euractiv.com. 17 May 2023. Retrieved 18 May 2023.
  25. "EU lawmakers set to close deal on cybersecurity law for connected devices". www.euractiv.com. 4 July 2023. Retrieved 6 July 2023.
  26. 1 2 3 "Cyber Resilience Act – Read the current state of play". Cyber Resilience Act. Retrieved 13 July 2023.
  27. "EU Council cuts down special product categories in cybersecurity law". www.euractiv.com. 10 July 2023. Retrieved 13 July 2023.
  28. "EU ambassadors set to endorse new cybersecurity law for connected devices". www.euractiv.com. 17 July 2023. Retrieved 20 July 2023.
  29. "Current State of Play – Cyber Resilience Act" . Retrieved 1 July 2024.
  30. 1 2 3 Vaughan-Nichols, Steven J. "EU attempts to secure software could hurt open source". www.theregister.com. Retrieved 17 May 2023.
  31. 1 2 Harris, Jacob (17 April 2023). "Open Letter to the European Commission on the Cyber Resilience Act". Eclipse News, Eclipse in the News, Eclipse Announcement. Retrieved 22 May 2023.
  32. van Gulik, Dirk-Willem (18 July 2023). "Save Open Source: The Impending Tragedy of the Cyber Resilience Act". Blog of the Apache Software Foundation. Retrieved 22 September 2023.
  33. Phipps, Simon (24 January 2023). "What is the Cyber Resilience Act and why it's dangerous for Open Source". Voices of Open Source. Open Source Initiative. Retrieved 18 May 2023.
  34. "Europe's cyber security strategy must be clear about open source | Computer Weekly". Computer Weekly . Retrieved 17 May 2023.
  35. Stampelos, Tasos (30 July 2023). "Mozilla weighs in on the EU Cyber Resilience Act". Open Policy & Advocacy. Retrieved 30 July 2023.
  36. "EU: Proposed liability rules will harm Free Software" . Retrieved 17 November 2024.
  37. 1 2 Milinkovich, Mike (19 December 2023), "Good News on the Cyber Resilience Act", Life at Eclipse, retrieved 21 February 2024
  38. The Eclipse Foundation Showcases Successful Open Source Industry Collaborations for 2023; Looks Ahead to Additional Growth in 2024, Eclipse Foundation Canada, 20 February 2024, retrieved 21 February 2024
  39. Apache Software Foundation (23 January 2024), "Update on EU Software Regulation: Lots of improvements & good news", The Apache Software Foundation Blog, retrieved 4 June 2024
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.