Cyber-resilience Act signals big change in commercial software development

Act would require digital systems with sensitive information or critical functions to carry a CE quality mark. Surprisingly, there has been little public comment by industry

In the wake of cyberattacks such as that on the Health Service Executive in May 2021, the European Commission ordered a report on cybersecurity requirements for ICT products. Photograph: iStock
In the wake of cyberattacks such as that on the Health Service Executive in May 2021, the European Commission ordered a report on cybersecurity requirements for ICT products. Photograph: iStock

It is 18 months since the devastating cyberattack on the digital infrastructure of our national health service. In the middle of the pandemic in May 2021, the State was held to ransom by a cybercrime group believed to be based, according to intelligence agencies, near St Petersburg in Russia. Within a week, however, the group unexpectedly provided the Irish authorities with a decryption key to re-establish their systems.

The Irish attack was not the only major cyber incident by a Russian-based group that late spring: a few weeks later, a Russian-based ransomware group disabled many computer systems worldwide, via vulnerabilities in widely used technology from Kaseya, an American firm.

Given today’s international relationships, I wonder whether Russian authorities would now assist in resolving any cyberattack originating within their country?

The EU authorities have not been idle. In 2020, the EU Commission awarded a study contract to a consortium of international management consultants on the need for cybersecurity resilience in information and communications technologies (ICT). While recognising that existing EU legislation broadly addresses consumer protection and security, the current regulations do not focus specifically on digital systems. A 375-page report on cybersecurity requirements for ICT products was duly published in December 2021.

READ MORE

In a follow-up last spring, the EU Commission opened a public consultation process inviting comments on the likely impact of EU-wide cyber resilience legislation. A total of 109 submissions were made. They included just one from Ireland – by ESB Networks – which advocated mandatory regulatory intervention.

Digital systems

In September, the commission published a legislative proposal for consideration by the European Parliament and council on “horizontal cybersecurity requirements for products with digital elements”, or the “Cyber-Resilience Act”. There is now a second phase of public consultation until January 16th.

The Act’s main proposal is that any digital system which protects sensitive information or performs critical functions would be required to carry a “CE” quality mark.

The new legislation would apply to two general categories of digital systems. The initial list of class 1 products includes internet browsers, network management tools and specialised controllers. Class 2 products would be deemed to have a higher cyber risk. The initial list includes operating systems, general purpose microprocessors, network modems and routers, encryption software and even smart meters.

Class 1 products could be self-certified by their manufacturers. A class 2 product would, however, require a cyber risk assessment by an independent auditor. Documentation would have to be maintained for at least 10 years after each product launch. Any actively exploited vulnerability would have to be notified within 24 hours to Enisa, the EU agency for cybersecurity based in Athens.

A digital product with a CE mark could be freely sold across the EU. National authorities might require non-conforming products to be withdrawn from the market. Importers and distributors would require their suppliers to have obtained CE marking on digital products.

Products designated under the Act would be required to have accurate current documentation on their cyber vulnerabilities, including a software bill of materials (including any third-party software, such as open-source components).

Seriousness of transgression

Penalties under the Act could range up to €15 million or 2.5 per cent of global turnover, depending on the seriousness of the transgression.

The proposed legislation is, in my view, extremely ambitious and would herald a complete change in commercial software development not just for EU technology companies, but for any company wishing to sell its products in the EU.

Because operating systems and internet technology are designated as high-risk, class-2 digital devices, non-European suppliers of mobile phone technologies, laptops, desktops, and computer server systems such as Apple, Google, Microsoft, Intel, Sony, Huawei, AMD, ARM and Cisco would have to submit many (if not all) of their products to the obligations of the Act. I thus find it remarkable that, so far, there has been little public comment by the industry at large on the deep implications.

It would not just be for the large tech giants. All technology companies would need to consider the impact on their engineering processes. Companies using only open-source technology would nevertheless fall under the Act if they commercially benefit.

Cloud-based software-as-a-service companies would need to consider the cyber risk of their underlying infrastructure and would also face a separate and imminent directive (EU Network and Information Security 2).

Even technology start-ups would be impacted, not least because in any exit to an acquirer or public listing, conformity with the Act would likely impact on the exit valuation.

Anyone involved in the software or hardware sector (from professional engineers to product managers to executive leadership) and anyone with a responsibility for technology administration (from policy advisers to industry groups to politicians) should read the proposed Act, reflect on its implications and consider making a submission before the middle of January.