The new Cyber Resilience Act is the first EU regulation on the cyber security of products with digital elements. This includes not only software products, but also smart devices – from connected refrigerators to computer network devices.

Software security has been a constant challenge since the dawn of the Internet. Every month, new security vulnerabilities are discovered, which the affected organizations then try to fix as quickly as possible. When security updates fail or are unavailable, it is easy for hackers to compromise the affected systems. Since modern electronic devices – from toys to washing machines to cars – also contain many different software products, the challenge of insecure software affects not only the traditional software industry but also a large part of the manufacturing industry.

Cyber Resilience Act regulates all products with digital elements and online services

To address these challenges, the EU introduced the new Cyber Resilience Act, which was published in the Official Journal of the EU this week. This EU regulation applies to all products with digital elements. It covers not only traditional software products and computer hardware, but also smart devices such as connected washing machines.

Moreover, it covers any online service that is connected to the regulated product and without which the product cannot fulfill one of its functions. Therefore, the Cyber Resilience Act is not only an instrument of product safety regulation but also covers many types of online services. For example, if an online service is accompanied by an app that facilitates the use of the online service on a mobile device, the Cyber Resilience Act would likely apply to the entire online service.

The Cyber Resilience Act will take effect in stages, with the obligation to notify actively exploited vulnerabilities for in-scope products taking effect from 11 September 2026 and the remaining obligations from 11 December 2027. Organizations have, by the standards of recent EU legislation, a more reasonable timeframe for implementation; however, as the Cyber Resilience Act is likely to require many organizations to make significant changes to the way they launch and maintain in-scope products in the EU, there is no time to waste.

Obligation to assess risks

Manufacturers that consider developing a product with digital elements will first have to conduct an assessment of the cybersecurity risks associated with the product. The result of this assessment must be taken into account in the further planning, design, development and manufacturing of the product as well as in its delivery and maintenance. Based on the results of this risk assessment, the manufacturer is subject to a number of obligations to ensure an appropriate level of cybersecurity.

Duty to ensure security

Manufacturers are prohibited from making available on the market products with known exploitable vulnerabilities or products without a secure-by-default configuration.

If a security vulnerability is discovered, manufacturers are obliged to provide security updates without delay and free of charge. Additionally, manufacturers have to provide for automatic security updates that are installed within an appropriate timeframe and are enabled as a default setting.

According to the Cyber Resilience Act, the support period for products with digital elements – i.e. the period for which users can expect the provision of security updates – has to reflect the time the product is expected to be in use.

Obligation to provide information

According to the Cyber Resilience Act, manufacturers must transparently state the end date of this support period. This is intended to also help users compare products and make more informed purchasing decisions.

Furthermore, manufacturers will be subject to a number of additional information obligations. For example, manufacturers will have to provide a list of circumstances that could lead to significant cybersecurity risks, put in place coordinated vulnerability disclosure policies and establish a single point of contact where information about vulnerabilities discovered in the product can be reported.

Obligation to assess conformity

All manufacturers will have to subject their products with digital elements to a conformity assessment procedure and issue a declaration of conformity confirming that the product meets the essential requirements of the Cyber Resilience Act. This declaration of conformity and the technical documentation may also be requested for inspection by the national authorities. The manufacturer has to affix a “CE” marking, thereby declaring that the product complies with requirements under the Cyber Resilience Act.

Obligation to recall products

Under the Cyber Resilience Act, manufacturers will also be obliged to withdraw or recall products from the market if they are aware or have reason to believe that a regulated product does not comply with the technical security requirements of the Cyber Resilience Act. In the event of non-compliance, the competent national market surveillance authority may also order a recall. In cases of a significant cybersecurity risk, the EU Commission, too, may order a recall.

Obligation to disclose security vulnerabilities

Under the Cyber Resilience Act, manufacturers will have to report any actively exploited vulnerability in their products within 24 hours of becoming aware of it, via a central reporting platform to be set up by the European Union Agency for Cybersecurity (ENISA). In addition, manufacturers will have to share and publish information about the eliminated vulnerability after providing the corresponding security updates. This obligation includes a description of the vulnerability that allows users to assess its impact and severity, as well as instructions on how users can remediate the vulnerability.

Obligations for importers and distributors

In addition to manufacturers, the Cyber Resilience Act also imposes obligations on importers and distributors. They must ensure that they only import and sell products with digital elements on the European market that meet the basic requirements of the Cyber Resilience Act and for which the manufacturers have provided the necessary information. This also includes being able to prove to the authorities that the manufacturer has carried out the conformity procedure, prepared technical documentation and affixed a “CE” mark to the product.

If the importer or distributor has reason to believe that one of the products they import or distribute does not comply with cybersecurity requirements, they must establish conformity by means of corrective measures or withdraw the product from the market or recall it. If the importer or distributor becomes aware of a vulnerability, they must immediately inform not only the manufacturer, but also the market surveillance authorities of the Member States in which they have made the product available.

Fines for non-compliance with obligations

In the event of non-compliance with the Cyber Resilience Act, manufacturers face fines of up to EUR 15 million or 2.5% of their annual global turnover, whichever is higher. Other actors face fines of up to EUR 5 million or 1% of annual worldwide turnover.

Obligations in installments

Given that manufacturers will have to fundamentally revise their development processes, the Cyber Resilience Act does not enter into force immediately. The obligation of manufacturers to report security vulnerabilities will apply from 11 September 2026, other obligations from 11 December 2027.

Products with digital elements that are placed on the market before 11 December 2027 and are not substantially modified thereafter are exempt from the obligations of the Cyber Resilience Act, except for the obligation to report security vulnerabilities which will nevertheless apply.

Conclusion

With the Cyber Resilience Act, for the first time, cyber security of products with digital elements, including software and smart devices, will be subject to strict regulation across the EU. This poses major challenges for both the software industry and a large part of the manufacturing industry. Companies should begin now to tackle the implementation of the new requirements in order to be able to launch legally compliant products once the regulation comes into force.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team, bringing over 22 years of experience in this specialist area and advising clients from various data-rich sectors including retail, financial services/fintech, life sciences, healthcare, proptech and technology platforms.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Silvia Grohmann is an associate of Baker McKenzie's IPTech team in Vienna. Silvia advises multinational and domestic clients on telecommunications law, software licensing, data protection, IT outsourcing, patent law, trademark law, copyright, cyber security and e-commerce matters.

Author

José María Méndez is the partner responsible for the Intellectual Property and Information and Communications Technology practice at Baker & McKenzie Madrid. He was previously a partner in the Intellectual Property practice of an international firm, as well as deputy general secretary of Sogecable and head of the legal department for the film and television division. He frequently takes part in non-profit activities of organizations such as Caritas Diocesanas and Aldeas Infantiles. He also teaches in the Master's programme in Intellectual Property at Universidad Carlos III.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Eva-Maria Strobel is a partner in Baker McKenzie's Zurich office. She is a member of the Firm's global IPTech Practice Group, chairs the EMEA IPTech Practice Group and heads the Swiss IPTech team. She focuses on the development of intellectual property strategies to procure, protect and commercialize her domestic and multinational clients' intangible assets and to grow the return on investment.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.