Cybersecurity threats affect all industries and all types of products with digital elements worldwide. Global annual losses from cybercrime were estimated at 5.5 trillion euro in 2021 alone.

The spread of malicious software and elusive mechanisms for cyberattacks pose risks for supply chains, and for the integrity, availability, and privacy of data. The prominent Kaseya VSA supply-chain attack and the WannaCry attack are mainly attributable to poor product security.

The low cybersecurity level of products with digital elements makes them especially vulnerable to cyber threats. Supply-chain attacks, in particular, are spreading rapidly: attack strategies targeting vulnerabilities in company supply chains reached 17 % in 2021, compared to roughly 1 % of all cases in 2020. Even minor security gaps and inconsistent security updates greatly increase the cybersecurity risk. Against this background, legislation plays a vital role in helping the markets to resist cybersecurity threats. European cybersecurity legislation consists of various legislative acts and strives to make the EU more resilient to cyber-attacks and security incidents.

The two main pillars of the EU’s Cybersecurity Framework are the recently adopted Network and Information Security Directive [NIS 2, (EU) 2022/2555] and the Cyber Resilience Act (CRA), a Regulation proposed last year by the European Commission [COM(2022) 454 final]. While the NIS 2 Directive lays down requirements enhancing the level of cybersecurity of the services provided by entities that are deemed critical for the functioning of a society, the CRA proposal introduces provisions strengthening the cybersecurity level of hardware and software products with digital elements. In reality, the two legislative acts cannot be regarded separately, as they are closely linked in several respects. The following analysis reveals some major points of (non-)interaction between the CRA and the NIS 2 Directive.

More information on the regulation proposed by the European Commission, analysed by cep-experts here.

Synergy of the pillars of the EU’s Cybersecurity Framework

The NIS 2 Directive imposes new due diligence obligations on essential and important entities with the aim of increasing cybersecurity. Thus, operators of essential services and providers of digital services have to take all necessary measures to manage the risks posed to the security of the network and information systems that they use. The CRA complements those risk management requirements, in particular by introducing minimum cybersecurity requirements for hardware and software products used by essential and important entities.

Under the CRA proposal, products with digital elements must be designed, developed, and manufactured to ensure an appropriate level of cybersecurity before being placed on the European markets. Furthermore, they must be deployed in a secure default configuration and manufacturers must ensure that their products are placed on the market without any exploitable vulnerabilities. The CRA also obliges every manufacturer of products with digital elements to carry out conformity assessment procedures, or have them carried out by third parties, to prove that its products meet the necessary cybersecurity requirements. These provisions complement the NIS 2 Directive insofar as essential and important entities can, as a consequence, rely to a greater extent than before on a certain level of quality and resilience in the hardware and software products they use. However, they still have to audit their suppliers and service providers appropriately. In general, this interconnection between the two legislative acts makes it easier for essential and important entities to comply with the risk management requirements of the NIS 2 Directive.

The new transparency requirements of the CRA further assist essential and important entities in the identification of suitable, reliable, and secure products. They can also better compare the level of security of similar hardware and software products. Specifically, manufacturers must disclose, in technical documentation, the means used to meet the essential cybersecurity requirements as well as the circumstances under which cybersecurity risks could occur when using the product, and for how long users can expect security updates. Against this background, the interplay between the CRA and the NIS 2 ensures a higher level of cybersecurity for products with digital elements being used along the entire length of the supply chains of essential and important entities.

Non-interaction between the pillars of the EU’s Cybersecurity Framework

Nevertheless, there are some points of non-interaction between the CRA and the NIS 2 Directive that should be addressed by the European Parliament and the Council during the currently ongoing legislative process. This applies primarily to the different notification requirements of the two legal acts, which will create additional red tape for market participants. Those obligations include different addressees for incident and vulnerability notifications, unharmonized reporting deadlines, as well as deviations regarding the scope of the notification obligations. First, whereas the CRA requires a single notification of incidents or known actively exploited vulnerabilities within 24 hours, the NIS 2 follows a multi-stage notification approach. The latter requires two notifications, one within 24 hours and the second within 72 hours, as well as two reports with relevant status updates, one within 72 hours and another within a month. Second, whereas notifications under the CRA must be sent to the European Union Agency for Cybersecurity (ENISA), notifications and reports under the NIS 2 must be submitted to the national computer security incident response teams (CSIRTs) or competent national authority. Third, in contrast to the NIS 2, which requires notification of significant incidents, the CRA obliges notification of all incidents and exploited vulnerabilities. These non-interactions force market actors falling under the scope of both legislative acts to set up different procedures for incident and vulnerability reporting. To make the notification system more effective, it is advisable to harmonize the notification requirements and opt for a single reporting addressee. Against this backdrop, the proposals of EP rapporteur Nicola Danti, in his draft report on the CRA, are welcome, since they aim at alignment with NIS 2 as regards the timetable for reporting and the information to be included in the notifications. In the choice of addressee, however, the provisions of the CRA and the NIS 2 remain disparate.

This contribution is based on the article “The EU’s cybersecurity framework: the interplay between the Cyber Resilience Act and the NIS 2 Directive” written by Philipp Eckhardt & Anastasia Kotovskaia and published in the International Cybersecurity Law Review on 29 March 2023.

Anastasia Kotovskaia is Head of Department in the Financial Markets Department of the Centre for European Policy in Berlin. Before that, she was a Research Assistant at the Leibniz Institute for Financial Research SAFE, Frankfurt am Main and an intern at the Central Bank of the Russian Federation, Moscow. She holds a Bachelor’s and Master’s degree from the Lomonosov Moscow State University and a PhD in Law from the Goethe University Frankfurt am Main.


