CRA-Update – Episode 7: What are vulnerability handling processes put in place by manufacturers and when are they compliant under the CRA?

According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E), the regulation is also to include provisions on the vulnerability handling processes put in place by manufacturers.

The purpose of these processes is to ensure the cybersecurity of products with digital elements during the whole life cycle.

The CRA-E does not define the term "vulnerability handling processes". Instead, Art. 5 (2) CRA-E obliges the manufacturer to put such processes in place before making a product available on the market and refers to Annex I Section 2 for the requirements they must meet.

This obligation is taken up again in Art. 10 (6) CRA-E. According to this provision, vulnerabilities must be handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I CRA-E for a maximum period of 5 years. The measures listed in Section 2 suggest that "vulnerability handling processes" covers methods such as the identification, documentation, remediation or mitigation of vulnerabilities, as well as the notification of authorities and product users.

Section 2 of Annex I CRA-E specifies the requirements for the handling of vulnerabilities. The provisions listed there are to be understood as minimum requirements. The wording is unambiguous: the term "shall" directly obliges manufacturers to implement the handling processes.

The first of these requirements is the identification and documentation of vulnerabilities and of the components contained in the product. For this purpose, the regulation proposes drawing up a software bill of materials (SBOM) in a machine-readable format. The German Federal Office for Information Security (BSI) has recently taken up this recommendation and, with reference to the CRA, has drafted a technical guideline for the preparation of an SBOM.

Furthermore, the CRA-E requires known vulnerabilities to be addressed without delay, e.g. by providing security updates. Such updates must be made available to users promptly and free of charge. In this context, information about the vulnerabilities that have been fixed, together with information about their impact and severity, must be published. In addition, manufacturers must provide mechanisms for the secure distribution of updates so that exploitable vulnerabilities can be fixed quickly.

Moreover, manufacturers are required to carry out testing and review of the product with digital elements. This could include, for example, penetration tests or fuzz testing to detect programming errors and security vulnerabilities.

Furthermore, the CRA demands that manufacturers have a policy for the coordinated disclosure of vulnerabilities. This is likely to mean, for example, a documented corporate process by which manufacturers can ensure that product users are informed.

As a further requirement, Section 1 of Annex I provides for information sharing measures (in particular with third parties whose components have been incorporated into the product in question), for example by providing a contact address to which discovered vulnerabilities can be reported.

The aforementioned requirements are likely to apply regardless of the type of product with digital elements and thus generally to manufacturers' vulnerability handling processes.

According to Art. 10 (7) CRA-E, the conformity of the vulnerability handling processes must also be demonstrated by means of a conformity assessment procedure.

If, for whatever reason, the manufacturer's processes cease to comply with the requirements of Annex I CRA-E after the product with digital elements has been placed on the market, corrective measures must be taken. This obligation applies for a maximum period of 5 years from the date the product is placed on the market.

Practical recommendations:

Even though the CRA-E is still in the legislative process and comprehensive changes to the regulation therefore cannot be ruled out, manufacturers of products with digital elements should already address the aforementioned requirements for vulnerability handling processes and, where possible, put initial processes in place. Furthermore, we suggest that the implementation be fully documented for verification purposes, since the implementation of these processes is one of the core obligations of the CRA-E and is indispensable for successfully completing the conformity assessment procedure.

The importer must also ensure that the requirements of Annex I Section 2 are met, and even a distributor may not make such a product available on the market if there are doubts about its conformity. We therefore also recommend that these economic operators familiarize themselves with the requirements of Annex I CRA-E so that they are able to review the products concerned appropriately.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Associate
Alexander Weiss