Ready for the New Cyber Resilience Law?

The Cyber Resilience Law will come into force this year. In this report we review what its new requirements are and what actions companies will have to take to comply with them.

In September 2022, the European Commission presented its proposal for the Cyber Resilience Act, which sets new cybersecurity requirements for products with digital elements throughout their lifecycle.

The regulation is expected to enter into force during the current year. Most of its obligations apply only after a three-year transition period, although manufacturers' obligation to report actively exploited vulnerabilities and severe incidents applies earlier, 21 months after entry into force.

But it is not advisable to leave everything to the last minute: companies should do their homework early and take the measures needed to meet the new obligations.

In order to do so, the first step is to know what the new Cyber Resilience Law requires and which companies will be affected by its imminent entry into force.

What is the Cyber Resilience Law?

The EU Cyber Resilience Law is a new framework of cybersecurity standards for digital products, including both hardware and software.

“It introduces stricter requirements for cyber risk management, obliging companies to implement adequate and proportionate security measures to protect their systems and data,” explains Pedro Viana, head of Presales at Kaspersky Iberia.

Here are some of the highlights.

Cybersecurity requirements. “All products with digital elements must meet strict cybersecurity requirements from the design phase and throughout their lifecycle. This includes the obligation for manufacturers to report vulnerabilities and incidents and provide continuous security updates,” details Rafael Rosell, commercial director of S2 Grupo.

Viana particularly emphasises that the law establishes cybersecurity requirements throughout the entire lifecycle, including subsequent maintenance. “Manufacturers will be responsible for ensuring that their products comply with these requirements and will have to provide security updates for a certain period of time,” he says.

It also states that organisations should conduct regular assessments and implement incident response plans.

Conformity assessment. The S2 Grupo commercial director points out that “the law imposes the need for a conformity assessment to be carried out by the manufacturer itself, in collaboration with independent bodies for higher-risk products”.

Transparency and safety for consumers. Rosell points out that the new law pays special attention to this aspect. “The aim is to ensure that consumers receive sufficient information on the cybersecurity of the products they purchase, thus promoting greater transparency and trust.”

Notification and fines for non-compliance. “In case of serious cyber incidents, organisations will be obliged to notify the competent authorities,” warns the Kaspersky spokesperson.

In addition, the S2 Grupo spokesperson recalls that “companies that do not comply with the requirements can face significant fines, which can be up to EUR 15 million or 2.5% of their annual turnover”.

Who is affected by the law?

The law affects all manufacturers, importers and distributors of digital products on the European market. “This includes a wide range of devices and software with digital elements connected to networks or other devices. In particular, it focuses on Internet of Things (IoT) products, software and hardware that require data connections,” says Rosell.

Viana explains that “it will affect a wide range of organisations in the EU, from businesses of all sizes to critical infrastructure operators and third-party service providers”.

In addition, he notes that “specific clauses will apply to operators of critical infrastructure, such as the energy, transport and health sectors, as well as to third party service providers, who will have to ensure the security of their customers’ data”.

An important aspect of the new law is that it extends to manufacturers of IoT devices, which have become a dangerous gateway for cybercriminals, as we have reported before.

The Cyber Resilience Act therefore covers manufacturers of connected products such as smart TVs, toys and internet-connected appliances (motor vehicles are a notable exception: they fall under the EU's separate vehicle type-approval cybersecurity rules and are excluded from the Act's scope). “They will have to ensure that their products meet certain cybersecurity requirements before they can be sold on the EU market,” says Kaspersky’s head of Presales.

How to prepare?

Inevitably, adapting to the law will have consequences for companies. “Implementing all these measures may involve significant investments in cybersecurity and changes in companies’ operational processes and product development.”

Given this situation, it is questionable whether Spanish companies are prepared. “Some have already taken steps to improve their cyber security in response to the increase in the number and severity of cyber attacks, as well as to increasing regulation and awareness of the risks involved. However, many others are not yet ready to comply with the requirements of the Cyber Resilience Law due to a lack of resources, knowledge and awareness,” admits Viana.

As a result, many domestic companies will have to improve their cybersecurity practices to comply with the requirements of the new law. Among other things, they will have to do the following:

Security audits. Rosell indicates that companies affected by this regulation will have to assess the vulnerabilities of their products and systems. “Spanish companies will have to carry out a cyber-risk assessment to identify the assets most vulnerable to cyber-attacks,” says the head of Kaspersky.

Establish security measures. It is not enough just to assess the risks, but also to be prepared for them. “Organisations should implement appropriate security measures to mitigate these risks, such as firewalls, intrusion detection systems and anti-virus software,” says Viana.

Design a response plan. “Developing an incident response plan will be crucial to know how to respond in the event of a cyberattack, including steps to contain it and restore affected systems,” notes the Kaspersky representative.

Upgrade and improve products. “They will have to integrate security requirements from the design phase and maintain a continuous process of updating and vulnerability management,” notes the commercial director of S2 Grupo.

Training and capacity building. Prevention is the first line of defence against cyber risk. Rosell therefore points out that companies need to ensure that their teams are well trained in cybersecurity and in the new regulations.

Provide documentation and transparency. Rosell notes that organisations need clear and detailed documentation on risk management and on compliance with the law; every identified risk must be documented.

A controversial law

Although the Cyber Resilience Law is a step forward in terms of security, there is no unanimity when it comes to assessing the new text.

“It has generated mixed opinions among cybersecurity experts. Some praise its comprehensive approach and its potential to improve the EU’s cybersecurity posture, while others criticise it for its complexity and possible negative impact on innovation,” says Viana.

In any case, he believes “it is an important step towards improving cybersecurity in the region”, although he thinks it is too early to assess its success.

Among its positive points, he highlights that the law “addresses multiple aspects of cybersecurity, from the security of digital products to incident management and oversight by authorities”.

Rosell also welcomes the Cyber Resilience Act as it “takes a comprehensive and necessary approach to address today’s cybersecurity challenges”.

“The law responds to the need to protect both consumers and businesses by providing a clear and consistent framework that facilitates compliance and improves transparency in the digital marketplace,” he adds.

Similarly, the head of Kaspersky believes that “by establishing clear and demanding requirements, it provides a solid framework for companies and organisations to strengthen their cyber defences and respond effectively to current and future challenges in the digital sphere”.

In addition, the S2 Grupo representative emphasises that it “encourages manufacturers to consider security from the earliest stages of design and development, thus promoting a culture of ‘security by design’, which is essential in the modern digital environment”.

Moreover, Rosell believes it responds to the real needs of our society. “The increase in the number and severity of cyber-attacks, as well as the growing dependence on technology, underline the importance of strengthening cybersecurity. The Cyber Resilience Act addresses these needs by promoting security by design, collaboration between public and private actors, and risk awareness,” he stresses.