Cyber-resilience Act signals big change in commercial software development

Published date: 01 December 2022
Publication title: Irish Times (Dublin, Ireland)
The Irish attack was not the only major cyber incident by a Russian-based group that late spring: a few weeks later, a Russian-based ransomware group disabled many computer systems worldwide, via vulnerabilities in widely used technology from Kaseya, an American firm.

Given today's international relationships, I wonder whether Russian authorities would now assist in resolving any cyberattack originating within their country?

The EU authorities have not been idle. In 2020, the EU Commission awarded a study contract to a consortium of international management consultants on the need for cybersecurity resilience in information and communications technologies (ICT). The study recognised that existing EU legislation broadly addresses consumer protection and security, but found that the current regulations do not focus specifically on digital systems. A 375-page report on cybersecurity requirements for ICT products was duly published in December 2021.

In a follow-up last spring, the EU Commission opened a public consultation process inviting comments on the likely impact of EU-wide cyber resilience legislation. A total of 109 submissions were made. They included just one from Ireland - by ESB Networks - which advocated mandatory regulatory intervention.

Proposal

In September, the commission published a legislative proposal for consideration by the European Parliament and Council on "horizontal cybersecurity requirements for products with digital elements", or the "Cyber-Resilience Act".

There is now a second phase of public consultation until January 16th. The Act's main proposal is that any digital system which protects sensitive information or performs critical functions would be required to carry the "CE" conformity marking.

The new legislation would apply to two general categories of digital systems. The initial list of class 1 products includes internet browsers, network management tools and specialised controllers. Class 2 products would be deemed to have a higher cyber risk. The initial list includes operating systems, general purpose microprocessors, network modems and routers, encryption software and even smart meters.

Class 1 products could be self-certified by their manufacturers. A Class 2 product would, however, require a cyber risk assessment by an independent auditor. Documentation would have to be maintained for at least 10 years after each product launch. Any actively exploited vulnerability would have to be notified within 24 hours to Enisa, the EU agency for...