Back on 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy for the Digital Decade, aimed at strengthening the resilience of Europe against cyber threats and in order to provide its citizens and businesses with trustworthy products and services throughout the European market.
During the 2021 State of the Union Address, European Commission’s President Ms. Ursula von der Leyen insisted on the need to have a European Cyber Defense Policy and to pass legislations on common standards under a new European Cyber Resilience Act.
Following this Address, the European Commissioner for the Internal Market Mr. Thierry Breton had warned that the world, including Europe, was vulnerable to large-scale cyber-attacks and that it was necessary to increase our collective resilience through advanced technology, secure infrastructure, common requirements, increased operational cooperation and effective sanctions.
A year later, the President of the European Commission presented the Commission’s proposal for a new Cyber Resilience Act during the 2022 State of the Union Address, given on 15 September 2022.
To justify the importance and urgency of passing a new regulation to increase the overall level of cybersecurity of all products with digital elements placed on the internal market, the European Commission notably:
- recalled that the estimated global annual cost of cybercrime was €5.5 trillion by 2021,
- insisted on the fact that there is still a low level of cybersecurity on these products which remain vulnerable, and
- pointed out that there is also an insufficient understanding and access to information regarding the security of these products by users.
The draft Cyber Resilience Act appears to be quite ambitious as it intends to broadly apply to all “products with digital elements whose intended, or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.”
According to the proposed regulation, a product with digital elements “means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” On the basis of this definition, almost any product containing a digital element could technically be covered by the new regulation.
As explained by Ms. von der Leyen and by the Executive Vice-President for a Europe fit for the Digital Age, Ms. Margrethe Vestager, the new regulation “will put the responsibility where it belongs, with those that place the products on the market”, i.e., the economic operators.
The economic operators specifically targeted by the draft Cyber Resilience Act are the manufacturers, the importers, and the distributors of the digital products. Different obligations would apply to them.
Annex I of the draft Cyber Resilience Act contains most of the essential cybersecurity requirements that the digital products falling within the above-described scope would have to comply with. Indeed, Article 10 provides that, when placing a product with digital elements on the market, manufacturers would have to ensure that the product has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
According to Section 1 of Annex I, products with digital elements would have to be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks, and would also have to be delivered without any known exploitable vulnerabilities.
Furthermore, under Article 10.12 of the draft regulation, manufacturers “who know or have reason to believe that [their products] are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.”
Manufacturers would therefore assume most of the responsibility for the products that they decide to place on the EU market. In doing so, manufacturers will also be required to comply with conformity assessment procedures, including the undertaking of an assessment of the cybersecurity risks associated with the products. They should then take these risks into account during the planning, design, development, production, delivery and maintenance phases.
Moreover, the proposed regulation would impose important reporting obligations on manufacturers. Pursuant to Article 11, any manufacturer would, without undue delay and in any event within 24 hours of becoming aware of it, have to notify to the European Union Agency for Cybersecurity (ENISA) any actively exploited vulnerability contained in the product with digital elements. Manufacturers would also have to report any incident to the users of the products.
Risks of Recall & Withdrawal of Non-Defective Products
Based on these provisions, the risk of having its digital products being recalled or withdrawn from the EU internal market would have to be closely monitored by manufacturers, distributors and importers.
Pursuant to the draft Cyber Resilience Act, the safety of digital products would now also be assessed based on their cyber risks, and not solely on the harm that these digital products could physically cause to the users. To the best of our knowledge, this would constitute a new development at the European level.
Under French law, digital products that do not comply with the draft Cyber Resilience Act could therefore perfectly be considered to be defective products, despite working perfectly on a technical standpoint.
In France, in addition to the new Cyber Resilience Act, potential plaintiffs would be likely be entitled to invoke a number of alternative grounds, such as the hidden defect guarantee, the strict product liability regime, the legal guarantee of conformity and the general safety obligation regime.
Financial Risks for Economic Operators
Should the manufacturers, importers, and distributors of digital products be in breach of the requirements set out in Annex I and Articles 10 and 11 the draft Cyber Resilience Act, Article 53 provides that they will face administrative fines of up to 15,000,000 Euros or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
In addition, the breach of any other obligation of the draft Cyber Resilience Act would result in administrative fines of up to 10,000,000 Euros or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Finally, the supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5,000,000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Therefore, the financial risks that economic operators would face appear to be substantial. These risks are, however, in line with the European Commission’s ambition to put the responsibility on those that are placing the products on the EU market.
Manufacturers, distributors and importers should therefore take the European Commission’s proposed Cyber Resilience Act very seriously as it could have a detrimental financial impact on their businesses.
A Dual Enforcement of the new Regulation
In order to enforce these proposals, the European Commission would rely on the national market surveillance authorities of the Member States while also reserving the European Union Agency for Cybersecurity the right to take corrective or restrictive measures at the EU level.
Overall, the European Commission would depend on national market surveillance authorities, which should be responsible for the control of products with digital elements in the EU market. In France, it is likely that the General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF) will play a central role in the enforcement of the new regulations.
Article 43 of the draft Cyber Resilience Act provides that if and where a market surveillance authority finds that a product does not comply with the requirements, “it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.” Should a manufacturer fail to take appropriate corrective actions, the relevant market surveillance authority would be given the power to take any appropriate provisional measures to prohibit or restrict that product, to withdraw it from the market or to recall it.
In parallel to the market surveillance authorities, the European Commission would also be entitled to take corrective or restrictive measures at the EU level based on the evaluation of the ENISA and after having duly consulted the Member States. The European Commission could notably order the withdrawal or the recalling of digital products, per Article 45.4 of the proposed regulation.
Furthermore, even if products with digital elements comply with the new Cyber Resilience Act, market surveillance authorities would still need to require that the relevant operators take all appropriate measures should the products nevertheless pose “a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection.”
Article 57 of the draft Cyber Resilience Act provides that the new regulation shall apply 24 months after the date of its entry into force, except for Article 11, which shall apply 12 months after the date of the regulation’s entry into force.
This means that the obligation to actively report exploited vulnerabilities and incidents would apply only one year after the entry into force of the proposed regulation.
In any event, in view of the complexity of the obligations that will be put on the economic operators’ shoulders, even a transition period of two years would impose a heavy burden on these operators.
Mitigation of Risks
In order to attempt to mitigate the numerous risks described above, manufacturers, importers and distributors should anticipate the entry into force of the Cyber Resilience Act and already start conducting cyber security risk assessment of their digital products.
Although the new regulation may only become applicable 24 months after the date of its entry into force, it appears to be clear that cybersecurity of digital products now constitutes one of the top priorities of the European Commission, similar to the regulation of data privacy with the GDPR back in 2018.