If your products are sold on the European market, they will soon be subject to a series of European cybersecurity regulations that are at various stages of adoption.
These regulations not only affect technical requirements but also introduce new operational and organizational processes to ensure the effective management of product security throughout the entire lifecycle of the products.
Compliance with these regulations is mandatory for companies selling their products in the EU, making it essential for manufacturers to stay informed and prepared.
This article explores the regulatory foundation for the cybersecurity requirements manufacturers must incorporate into their products. It covers the groundwork that has been laid in product safety and liability legislation, which provides the foundation and strongly ties the consequences of cybersecurity issues to product safety. The article then digs further into the more detailed requirements set forth in radio equipment, machinery and general product cyber resilience legislation, which are resulting in the development of harmonized technical standards.
General Product Safety Regulation
A single update is of key importance here. The updated general product safety regulation now states that when assessing whether a product is a safe product, relevant cybersecurity aspects will be taken into account.
“when required by the nature of the product, the appropriate cybersecurity features necessary to protect the product against external influences, including malicious third parties, where such an influence might have an impact on the safety of the product, including the possible loss of interconnection;”
Product Liability Directive
The Product Liability Directive adds a further liability perspective to the cybersecurity aspects of product safety.
A product will be considered defective, and a manufacturer held liable if the defect is caused by a cybersecurity vulnerability, including those discovered after the product’s release or deployment. Component suppliers can be held liable alongside the product manufacturer integrating the component.
And while this directive does not specifically mandate security updates or patches, it does state that manufacturers cannot claim exemption from liability due to the failure to provide such updates if they address known vulnerabilities.
Radio Equipment Directive
The Radio Equipment Directive (RED), which applies to any radio equipment supporting communication over the internet, has also been updated.
Three essential cybersecurity requirements are mandated, depending on the use case of the product in question.
These are:
- The device should not harm the network or its functioning and must not misuse network resources, leading to an unacceptable degradation of service.
- It should incorporate safeguards to protect users’ personal data and privacy.
- It should support features that ensure protection against fraud.
These high-level regulatory requirements have been translated into harmonized standards by the CEN-CENELEC standards organisation.
Without going into detail, the areas of security requirements for RED are:
- Access control and authentication
- Secure updates
- Secure storage of data
- Secure communication of data in transit
- Attack resilience
- Network monitoring
- Traffic control
- Cryptography and confidentiality of cryptographic material
- General equipment hardening
Depending on the use case of the product, additional requirements might be necessary:
- Logging
- Deletion of data
- User notifications
Cyber Resilience Act
The Cyber Resilience Act (CRA) is a new EU regulation aimed at ensuring the secure design, development, production, and maintenance of products with digital elements. This includes electronic devices, hardware, software, components, and remote data processing solutions. The CRA aims to promote secure product availability and ensure mechanisms are in place for their continuous security throughout their lifecycle.
To achieve this, the CRA introduces two main sets of requirements:
- Essential cybersecurity requirements to maintain adequate product security throughout its lifecycle.
- Vulnerability handling requirements, including notification and reporting of identified vulnerabilities.
The requirements are made more explicit in the regulation, and expand upon the areas we’ve already listed for the Radio Equipment Directive. The additional areas covered in the essential cybersecurity requirements are:
- Secure design and development lifecycle
- Vulnerability management
- Data minimization
Manufacturers are expected to introduce a complete and extensive vulnerability handling process, which covers at a minimum:
- Ability to identify vulnerabilities in the product's components through a software bill of materials
- Remediation of known vulnerabilities by providing security updates without delay, through secure mechanisms
- Security testing of the product
- Sharing and public disclosure of information about fixed vulnerabilities
- A coordinated vulnerability disclosure policy
- Facilitation of information sharing about potential vulnerabilities
Non-compliance with the CRA carries severe penalties. Depending on the nature of the infraction, those responsible can be liable for administrative fines up to 15 million euros, or 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
European standards organisations have now been tasked with developing harmonized technical standards based on these high-level requirements. Due to the overlap with the RED, we remain hopeful that the existing harmonized technical standard will be expanded instead of creating additional ones.
Machinery Regulation
While this regulation mostly covers mechanical engineering aspects, it has introduced a number of requirements affecting hardware and software solutions. This regulation is especially relevant to OT control systems and other machinery equipment, including partially completed equipment.
Specifically,
- Any communication between machinery must not lead to hazardous situations, meaning it must not be a potential cause of injury or damage to health.
- Hardware components transmitting signals or data, software and configuration data shall be protected against corruption.
- Any changes to hardware components transmitting signals or data, software and configuration data, legitimate or not, shall be logged and collected as evidence.
- It must be possible to easily identify the software installed on the machinery.
Control systems must furthermore:
- Not lead to hazardous situations in the event of faults in hardware or errors in control system logic.
- Keep a tracing log of interventions and software update changes for a duration of 5 years.
Control systems with any level of autonomy must additionally:
- Not cause machinery to perform actions beyond its defined task and movement space.
- Log safety-related decision making processes and keep those logs for 1 year.
Final Thoughts
Many security standards already exist and new ones continue to be developed, so it is key to ensure that the correct security engineering and security testing standards are adopted. Even so, considering the speed at which the methods and tactics of both attackers and defenders are evolving, a static standard might not cover every need for all organisations, so careful evaluation must continue when making product design decisions.
Furthermore, due to other cybersecurity regulations such as NIS2, we can expect a higher importance for cybersecurity as part of the supply chain, and an increased need for products in critical environments to demonstrate their security levels and conformity with these new standards.
This evolving regulatory landscape in the EU requires significant efforts by product manufacturers to meet the expected security objectives. Navigating the complex regulations and their technical implications can be challenging and time consuming.
Amanita Security specializes in guiding manufacturers through these complex requirements.
Contact us today to learn more about how to ensure your products are compliant and secure throughout their lifecycle.