Cyber Resilience Act: An Important Step for More IT Security with Possible Consequences for Financial Institutions

The Cyber Resilience Act implements further EU regulation for protection against cyber-attacks. The focus here is on requirements that aim to make the use of “digital products” more secure. While the impacts of other initiatives, such as DORA on financial institutions are already being intensively discussed, the Cyber Resilience Act does not seem to have played a role in this regard so far. We believe that certain aspects should indeed be considered, at least from the perspective of financial institutions as users of “digital products”.

Hardware and software products are increasingly vulnerable to sophisticated cyber-attacks, which in 2021 led to enormous economic damages of around 20 billion euros. In addition to industrial products such as microcontrollers, end-user software, automation and control systems, and embedded software in hardware products, household appliances that can be connected to the networks via Wi-Fi or mobile networks (including printers, refrigerators, notebooks, and baby monitors) have also become highly susceptible to cyber-attacks. Even prominent companies are under increasing pressure to increase their security standards. For example, successful attacks were carried out in November 2021 on the servers of MediaMarktSaturn-Holding using an encryption Trojan. Although the stores remained open, the effects were nevertheless immense. In particular, the cash register and inventory management systems in the stores were affected. Sales were therefore only possible for cash. Also, orders, returns, and pickups were not possible. Another and perhaps less well-known example of successful attacks involved Aerzener Maschinenfabrik. Here, cyber criminals were able to gain access to the IT network and encrypt company data. Production had to be shut down, and the 1,100 employees were put on short-time work.

A major reason for the rise in successful cyberattacks is that companies often have generally low levels of cybersecurity with respect to their products. An enormous problem, however, is that there are currently no uniform cybersecurity regulations across the EU to guide companies:existing single market regulations in the EU only apply to certain products with digital elements. Most hardware and software products are currently not covered by EU legislation addressing cybersecurity. For example, there are no cybersecurity rules in the current EU regulatory framework for “non-embedded software” through which the storage or transfer of sensitive corporate data takes place. This includes, among other things, enterprise software and cloud infrastructure. Cybersecurity attacks are increasingly targeting such vulnerabilities, causing significant economic costs.

EU Draft Legislation

On September 15, 2022, EU Commission President Ursula von der Leyen introduced a European cybersecurity law – the Cyber Resilience Act – that serves as a complement to the Cybersecurity Act (CSA). It is based on the EU Cyber Security Strategy 2020 and the EU Security Union Strategy 2020.

With the Cyber Resilience Act, the EU Commission undertakes the necessary task of introducing uniform product standards for cybersecurity at the European level, especially for manufacturers of tangible and intangible products with digital elements (hardware and software) and raising the level of resilience in the EU. The regulation thus sets a framework for only putting products into circulation in the future that meet certain minimum standards. In addition to hardware products, such as sensors and cameras, smart cards, mobile devices, or network devices such as routers and switches, software products and related services should be covered. However, certain products, such as medical devices, which fall under sector-specific legislation, are exempt from the requirements of the CRA.

The draft legislation regulates the following essential objectives:

Digital (wireless and wired) products that are placed on the European market must meet basic cybersecurity requirements in terms of design, development, and manufacturing processes even before they are launched on the market.
Manufacturers remain responsible for cybersecurity throughout a product’s lifecycle. According to the new regulation, they are more obligated to provide security support and free software updates to address identified vulnerabilities.
Manufacturers must report incidents that negatively impact the security of the product’s hardware and/or software to the EU’s cybersecurity authority, ENISA.
Security of hardware and software products must be made more transparent to consumers, enabling them to obtain sufficient information regarding the cybersecurity of the products they purchase and use.

Special requirements for “critical products”

Manufacturers of “critical products” and “highly critical products” must undergo a special conformity assessment procedure. Products are classified into three categories:

Class 1 (critical products): including identity management systems, browsers, password managers, anti-virus programs, firewalls, virtual private networks (VPNs), comprehensive IT systems, physical network interfaces, as well as routers and chips used in essential facilities as defined in the Network and Information Security Directive 2 (“NIS-2 Directive”).
Class 2 (highly critical products): including desktop and mobile devices, virtualized operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robot sensors, smart meters, and all IoT devices, as well as routers and firewalls for industrial use.
Unclassified or standard products.

According to the EU Commission’s proposal, a third-party evaluation will also be required for class 2 products.

Market surveillance authorities and sanctions

Member States will be required to establish market surveillance authorities to verify compliance with the requirements of the CRA. They should also be able to carry out coordinated control measures throughout the EU. In the event of a breach, the penalties include the recall of the relevant products and fines of up to 15 million euros or 2.5 percent of annual sales, whichever is higher.

Expected timeline

The European Council and the European Parliament will now consider the proposed legislation. The Commission’s proposal provides for the new requirements to take effect 24 months after the regulation comes into force, although individual elements, such as the obligation to report security incidents, are to apply after just 12 months. One point of criticism in the current discussion relates to the “too short transition period”. The envisaged transition period of 24 months (or 12 months in the case of the obligation to report security incidents) for implementing such measures is considered to be significantly too short.

Consequences for financial institutions

The Cyber Resilience Act (CRA) has taken a significant step in the European Union’s internal market by introducing horizontal cybersecurity regulations to meet market needs and make digital products more secure.

Regarding financial institutions, the Cyber Resilience Act should be viewed primarily from a customer perspective. In our assessment, it represents a concretization and partial expansion of the MaRisk with practical implications for organization and processes. With a view to increasing IT security and future audits in this area, a number of recommendations for action can be derived here:

A detailed documentation of the categorization of products used in accordance with the CRA should be carried out to create a basis for downstream activities.
Purchasing processes may need to be supplemented by checking for CRA compliance.
Measures for planning and implementing the replacement of non-CRA-compliant products must be planned and implemented.
Monitoring of products and their CRA compliance during the product life cycle must be carried out. This should already be a matter of course, but in our estimation and experience it is still not being implemented comprehensively and consistently.
Additions to the IT asset risk management are required, from the definition and documentation of corresponding criteria in the risk analysis and evaluation to the definition of measures and the monitoring of accepted risks.
Internal audits should be expanded to include appropriate audit criteria.

A conclusive list of possible implications is of course not possible within the scope of this brief elaboration, but we strongly advise analyzing the consequences of the Cyber Resilience Act in one’s own organization, at least from the customer’s perspective, and planning and implementing necessary measures.

Über den Autor

Mesut Arslan ist für Be – Shaping The Future als Senior Consultant tätig. Er ist Experte für IT- und Cybersicherheit im Umfeld der Kredit- und Finanzdienstleistungen. Er stützt sich auf mehrjährige Erfahrung in der Prüfung und Beratung von international tätigen Unternehmen im Banken- und Versicherungssektor.