New Obligations for Manufacturers of Products with Digital Elements

Back on 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy for the Digital Decade, aimed at strengthening Europe's resilience against cyber threats and at providing its citizens and businesses with trustworthy products and services throughout the European market.

During the 2021 State of the Union Address, European Commission President Ms. Ursula von der Leyen insisted on the need for a European Cyber Defense Policy and for legislation on common standards under a new European Cyber Resilience Act.

Following this Address, the European Commissioner for the Internal Market, Mr. Thierry Breton, warned that the world, including Europe, was vulnerable to large-scale cyber-attacks and that it was necessary to increase our collective resilience through advanced technology, secure infrastructure, common requirements, increased operational cooperation and effective sanctions.

A year later, the President of the European Commission presented the Commission’s proposal for a new Cyber Resilience Act during the 2022 State of the Union Address, given on 15 September 2022.

To justify the importance and urgency of passing a new regulation to increase the overall level of cybersecurity of all products with digital elements placed on the internal market, the European Commission notably:

  • recalled that the estimated global annual cost of cybercrime was €5.5 trillion by 2021,
  • insisted on the fact that there is still a low level of cybersecurity on these products which remain vulnerable, and
  • pointed out that users also have an insufficient understanding of, and insufficient access to, information regarding the security of these products.

Large Scope

The draft Cyber Resilience Act appears to be quite ambitious as it intends to broadly apply to all “products with digital elements whose intended, or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.”

According to the proposed regulation, a product with digital elements “means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” On the basis of this definition, almost any product containing a digital element could technically be covered by the new regulation.

As explained by Ms. von der Leyen and by the Executive Vice-President for a Europe fit for the Digital Age, Ms. Margrethe Vestager, the new regulation “will put the responsibility where it belongs, with those that place the products on the market”, i.e., the economic operators.

The economic operators specifically targeted by the draft Cyber Resilience Act are the manufacturers, the importers, and the distributors of the digital products. Different obligations would apply to them.

Strict Obligations

Annex I of the draft Cyber Resilience Act contains most of the essential cybersecurity requirements that the digital products falling within the above-described scope would have to comply with. Indeed, Article 10 provides that, when placing a product with digital elements on the market, manufacturers would have to ensure that the product has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.

According to Section 1 of Annex I, products with digital elements would have to be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks, and would also have to be delivered without any known exploitable vulnerabilities.

Furthermore, under Article 10.12 of the draft regulation, manufacturers “who know or have reason to believe that [their products] are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.”

Manufacturers would therefore assume most of the responsibility for the products that they decide to place on the EU market. In doing so, manufacturers will also be required to comply with conformity assessment procedures, including the undertaking of an assessment of the cybersecurity risks associated with the products. They should then take these risks into account during the planning, design, development, production, delivery and maintenance phases.

Moreover, the proposed regulation would impose important reporting obligations on manufacturers. Pursuant to Article 11, any manufacturer would, without undue delay and in any event within 24 hours of becoming aware of it, have to notify the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerability contained in the product with digital elements. Manufacturers would also have to report any incident to the users of the products.

Risks of Recall & Withdrawal of Non-Defective Products

Based on these provisions, manufacturers, distributors and importers would have to closely monitor the risk of their digital products being recalled or withdrawn from the EU internal market.

Pursuant to the draft Cyber Resilience Act, the safety of digital products would now also be assessed based on their cyber risks, and not solely on the harm that these digital products could physically cause to the users. To the best of our knowledge, this would constitute a new development at the European level.

Under French law, digital products that do not comply with the draft Cyber Resilience Act could therefore very well be considered defective products, despite working perfectly from a technical standpoint.

In France, in addition to the new Cyber Resilience Act, potential plaintiffs would likely be entitled to invoke a number of alternative grounds, such as the hidden defect guarantee, the strict product liability regime, the legal guarantee of conformity and the general safety obligation regime.

Financial Risks for Economic Operators

Should the manufacturers, importers, and distributors of digital products be in breach of the requirements set out in Annex I and Articles 10 and 11 of the draft Cyber Resilience Act, Article 53 provides that they will face administrative fines of up to 15,000,000 Euros or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

In addition, the breach of any other obligation of the draft Cyber Resilience Act would result in administrative fines of up to 10,000,000 Euros or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Finally, the supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to 5,000,000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Therefore, the financial risks that economic operators would face appear to be substantial. These risks are, however, in line with the European Commission’s ambition to put the responsibility on those that are placing the products on the EU market.

Manufacturers, distributors and importers should therefore take the European Commission’s proposed Cyber Resilience Act very seriously as it could have a detrimental financial impact on their businesses.

A Dual Enforcement of the new Regulation

In order to enforce these proposals, the European Commission would rely on the national market surveillance authorities of the Member States, while also reserving to the European Union Agency for Cybersecurity the right to take corrective or restrictive measures at the EU level.

Overall, the European Commission would depend on national market surveillance authorities, which should be responsible for the control of products with digital elements in the EU market. In France, it is likely that the General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF) will play a central role in the enforcement of the new regulations.

Article 43 of the draft Cyber Resilience Act provides that if and where a market surveillance authority finds that a product does not comply with the requirements, “it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.” Should a manufacturer fail to take appropriate corrective actions, the relevant market surveillance authority would be given the power to take any appropriate provisional measures to prohibit or restrict that product, to withdraw it from the market or to recall it.

In parallel to the market surveillance authorities, the European Commission would also be entitled to take corrective or restrictive measures at the EU level based on ENISA's evaluation and after having duly consulted the Member States. The European Commission could notably order the withdrawal or recall of digital products, per Article 45.4 of the proposed regulation.

Furthermore, even if products with digital elements comply with the new Cyber Resilience Act, market surveillance authorities would still need to require that the relevant operators take all appropriate measures should the products nevertheless pose “a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection.”

Implementation Timeline

Article 57 of the draft Cyber Resilience Act provides that the new regulation shall apply 24 months after the date of its entry into force, except for Article 11, which shall apply 12 months after the date of the regulation’s entry into force.

This means that the obligation to report actively exploited vulnerabilities and incidents would apply only one year after the entry into force of the proposed regulation.

In any event, in view of the complexity of the obligations that will be put on the economic operators’ shoulders, even a transition period of two years would impose a heavy burden on these operators.

Mitigation of Risks

In order to mitigate the numerous risks described above, manufacturers, importers and distributors should anticipate the entry into force of the Cyber Resilience Act and already start conducting cybersecurity risk assessments of their digital products.

Although the new regulation may only become applicable 24 months after the date of its entry into force, it appears to be clear that cybersecurity of digital products now constitutes one of the top priorities of the European Commission, similar to the regulation of data privacy with the GDPR back in 2018.

Sylvie Gallage-Alwis Partner, Signature Litigation

Elias Boukachabine Associate, Signature Litigation

Environmental Cancer in Europe: How Should We React?

According to a report from the European Environment Agency published on 28 June, exposure to pollution would be the cause of 10% of cancers in Europe. This pollution includes air pollution, second-hand smoke, radon, UV radiation, asbestos, as well as many other substances that are reputed to be dangerous.

How significant is environmental cancer in Europe?

Each year, cancer accounts for 3 million new patients and 1.3 million deaths in the European Union. According to the EEA, out of these 1.3 million deaths, 250,000 would be caused by environmental cancer, including over 20,000 young people.

On a global scale, although Europe represents only 10% of the world's population, it accounts for almost 23% of new cancer cases and 20% of cancer-related deaths. According to the studies carried out to date, cancer would also be the main cause of occupational deaths in the European Union.

It ought to be noted that, according to the European Commission, these estimates would however be limited by knowledge gaps and uncertainties. It is therefore likely that these numbers are underestimated. The European Commission indeed considers that “unless we take decisive action now, cancer cases are set to increase by 24% by 2035, making it the leading cause of death in the EU”.

In Europe, cancer is the most common type of noncommunicable disease and the second most common cause of death after circulatory diseases. In concrete terms, this means that almost all Europeans are likely to be affected by cancer in one way or another, whether it is themselves, their relatives or acquaintances.

Furthermore, the fact that several cancers have latency periods means that today’s pollution will potentially be the cause of future cancers.

In addition to this health burden, there is also an economic burden: in 2018, for example, cancer would have cost 178 billion Euros.

Percentage of premature cancer deaths attributable to environmental risks in Europe in 2019

What precisely are these risks?

Environmental risks that contribute to the development of cancer can be divided into six categories:

  • Air pollution: both indoor and outdoor air pollution are thought to cause lung cancer and other types of cancer.
  • Radon: exposure to radon inside buildings would be a major cause of lung cancer.
  • UV radiation: excessive exposure to ultraviolet radiation would be a major cause of skin cancer, including malignant melanoma.
  • Chemicals: many chemicals are known to cause cancer in various organs, including contaminants in water, soil and air.
  • Passive smoking: exposure to passive smoking is identified as a cancer risk even for people who have never smoked themselves.
  • Asbestos: asbestos is recognised as a major cause of mesothelioma and lung cancer.

How can these risks be avoided?

According to the EEA, there are effective and inexpensive ways to reduce the risk of environmental and occupational cancers: simply reducing exposure to pollution, including through behavioural changes. The European Commission considers that 40% of cancers could be avoided through the implementation of strategies that would prevent the disease, save lives and reduce suffering.

Too many cancer cases would indeed have an underlying environmental cause from which it would be possible to protect oneself by limiting pollution and exposure to harmful substances, which would be beneficial for both humans and the environment. A reduction of these risks should therefore be directly correlated with a decrease in cancer rates.

Europe’s role

Many directives are constantly being implemented by the EU as part of the “zero pollution” action plan in relation to the reduction of environmental cancers. The main initiatives taken by Europe in this respect are listed below:

  • Europe’s Beating Cancer Plan: a political commitment to turn the tide against cancer and another stepping stone towards a strong European Health Union and a more secure, better prepared and more resilient EU. The plan is expected to receive 4 billion Euros in funding. The proposed measures include a reduction in environmental pollution by complying with the World Health Organisation guidelines on air quality, as well as a reduction in exposure to carcinogens and harmful radiation.
  • The EU’s Cancer Mission: a mission to save more than 3 million lives by 2030.
  • The European Code Against Cancer: a European Commission initiative listing 12 ways to reduce one’s risk of developing cancer, notably including second-hand smoke, radon and potential carcinogens at workplaces.
  • The roadmap on carcinogens: on 25 May 2016 a convention aiming at implementing strategies to raise awareness regarding the risks resulting from exposure to carcinogens at workplaces was signed by six European organisations. This convention was then renewed in November 2019 and signed by new European organisations.

During a conference of the German Presidency entitled “Preventing work-related cancer”, a new strategy 2020-2024 was then presented with four goals:

  • creating awareness in companies and employees regarding the risks of exposure to carcinogens and the need to carry out preventative actions in the whole of Europe.
  • providing help to prevent exposure to carcinogens in workplaces and to reduce their effects.
  • mobilising stakeholders and increasing the involvement of the parties concerned, in order to multiply the efforts throughout Europe.
  • targeting innovation to bridge the gap between research results and the needs of companies.

Although there are still many uncertainties and a growing need for access to data, the European Union is actively working on the implementation of various measures and prevention strategies. It will now be important for companies to follow these developments closely so as not to risk being sanctioned under this new framework.

Sylvie Gallage-Alwis

Nancy Forster