Successful cyberattacks against both hardware and software products are becoming disturbingly frequent. According to Cybersecurity Ventures, cybercrime cost the world an estimated 7 trillion USD in 2022. With such a high price tag it is no wonder that both companies and governments are taking notice. The U.S. led the way with the presidential executive order on Improving the Nation’s Cybersecurity issued on May 12, 2021. This was followed by the secure software development framework (SSDF) from NIST, which is slowly becoming an established best practice, required as a matter of course in any software product. The European Union isn’t standing idly by – the European Cyber Resilience Act is a proposed piece of legislation designed to strengthen the cybersecurity of critical infrastructures across the EU.
The feedback-gathering phase for the bill started back in December 2020 but the first draft of the bill was only published on September 14, 2022. Since any such large-scale legislation could potentially have wide-reaching implications we thought we’d take the dive and try to explain what this bill is all about and who’s going to be impacted by it. Let’s start with a brief overview of the proposed legislation.
Breaking Down the Bill: What You Need to Know
The ECRA aims to strengthen the cybersecurity of critical infrastructures across the European Union (EU). The act primarily affects operators of essential services and digital service providers. These are defined in the EU’s existing Directive on the security of network and information systems (NIS Directive) and include, among others, energy, transportation, banking, health, and digital infrastructure sectors.
The proposed act would also apply to digital service providers that are not covered by the NIS Directive, but which offer online services to consumers in the EU. These include online marketplaces, cloud computing services, and search engines.
Since it aims to cover any connected devices not already covered by other EU legislation, it is likely to impact IoT and other connected devices, particularly those that are already on the market.
The proposed act includes a number of measures, such as:
- The establishment of a cybersecurity certification scheme for operators of essential services and digital service providers.
- The creation of a cybersecurity information-sharing platform to help organizations share information about cyber threats and incidents. The proposed bill includes an obligation to report any cybersecurity event within 24 hours to the European Union Agency for Cybersecurity (ENISA).
- The adoption of a common methodology for assessing cybersecurity risks and the development of guidelines for risk management.
- The establishment of a European Cyber Resilience Centre to provide support to member states in the event of a cyber attack.
Importantly, the proposed legislation includes a certification scheme for ICT products, services, and processes. The certification process involves a conformity assessment by a designated conformity assessment body (CAB) to determine whether the product, service, or process meets the requirements specified in the Act. The Act establishes a European Cyber Resilience Certification Board, which is responsible for maintaining the certification scheme and ensuring its consistency across the EU. Regular testing and auditing are meant to continue even after the new board has issued a certificate of conformity to the provider of the product, service, or process in question. Continued monitoring would ensure that compliance with the bill’s requirements doesn’t slack off once a certificate is granted – maintaining compliance is meant to be continuous.
In addition, the ECRA proposes a number of measures to improve cooperation and information-sharing between EU member states and to strengthen the EU’s cybersecurity capabilities. These include the establishment of a European Cybersecurity Competence Center and a network of national cybersecurity coordination centers, as well as the development of a common framework for cybersecurity incident reporting and response. The bill also proposes the establishment of a European vulnerability database so as not to rely solely on the U.S.’s NVD.
The bill also covers market surveillance and enforcement to make sure the new standards are properly observed within all member states and for any covered devices and services offered within the EU market, no matter where they were manufactured.
How Does It Relate to Recent U.S. Best Practices?
As mentioned above, both the U.S. and the EU have set out to upgrade their respective markets’ cybersecurity protections. As such it makes sense to see if any of the new U.S. best practices have found their way into the ECRA.
To those familiar with the SSDF (NIST 800-218) some of the ECRA’s language might seem familiar. The bill requires that security be included in products from their inception and not be ‘added on’ later. The ECRA includes requirements for the identification and management of supply chain risks, and the proposed European Cybersecurity Certification Scheme, though still not properly defined, would likely require the use of Software Bill of Materials (SBOM) and secure software development practices.
The proposal also calls for the implementation of technical and organizational measures to secure information systems and data, including the use of strong authentication and encryption, monitoring and detection capabilities, incident response planning, and regular security testing and auditing – all elements clearly defined in the SSDF.
One of the new best practices promoted in the U.S. is the use of the SBOM to track dependencies, vulnerabilities, and software licensing. It is meant to increase product transparency and give manufacturers and users a clearer view of what exactly might be hidden inside the product. While the ECRA doesn’t mention the SBOM explicitly, it is worth noting that the issue of software transparency, which includes the concept of SBOMs, has long been a topic of discussion in the context of the European Union’s cybersecurity strategy. In June 2021, the European Commission released a proposal for a Regulation on Digital Operational Resilience for the financial sector, which includes a requirement for financial entities to use and maintain a “comprehensive and up-to-date inventory of their ICT systems and assets.” This inventory should include “an up-to-date map of the interconnections and interdependencies of the ICT systems and assets and, where relevant, of the respective software and hardware components.”
While this requirement is specific to the financial sector, it does suggest that the European Union is considering the importance of software transparency in ensuring cybersecurity resilience. It remains to be seen whether the European Cyber Resilience Act or other legislative initiatives will include more explicit requirements for SBOMs in the future.
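As an added illustration of what “tracking dependencies, vulnerabilities, and software licensing” with an SBOM looks like in practice (example code written for this article, not Scribe’s product code and not anything prescribed by the Act): a small check that reads a CycloneDX-style SBOM and reports components with known vulnerabilities, denied licenses, or no license at all. The SBOM, the vulnerability feed and the license policy are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3",
     "purl": "pkg:generic/libexample@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "cryptohelper", "version": "0.9.0",
     "purl": "pkg:generic/cryptohelper@0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "netparse", "version": "2.0.1",
     "purl": "pkg:generic/netparse@2.0.1",
     "licenses": []}
  ]
}"""

# Constructed vulnerability feed keyed by package URL (placeholder ids, not real CVEs).
VULN_FEED = {"pkg:generic/cryptohelper@0.9.0": ["PLACEHOLDER-VULN-0001"]}

# Licenses a hypothetical organization does not allow in shipped products.
DENIED_LICENSES = {"GPL-3.0-only"}


def load_components(sbom_text):
    """Parse the SBOM and return its component list, refusing non-CycloneDX input."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom.get("components", [])


def licenses_of(component):
    """Collect SPDX license ids declared on one component."""
    return [entry["license"]["id"] for entry in component.get("licenses", [])
            if "id" in entry.get("license", {})]


def assess(sbom_text, vuln_feed, denied_licenses):
    """Return (purl, category, detail) findings for every component in the SBOM."""
    findings = []
    for comp in load_components(sbom_text):
        purl = comp.get("purl", f"{comp['name']}@{comp['version']}")
        for vuln_id in vuln_feed.get(purl, []):
            findings.append((purl, "vulnerability", vuln_id))
        declared = licenses_of(comp)
        if not declared:  # an undeclared license is itself a transparency gap
            findings.append((purl, "license", "missing"))
        findings.extend((purl, "license", lic) for lic in declared if lic in denied_licenses)
    return findings
```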
How Is This Bill Going To Affect You?
As the ECRA is not yet final it’s hard to be definitive here. What we can do is draw parallels to another comprehensive EU legislation – the GDPR.
The General Data Protection Regulation (GDPR) is a comprehensive privacy and data protection regulation that the European Union (EU) adopted in April 2016; it went into effect on May 25, 2018. The regulation applies to all organizations that collect, process or store the personal data of individuals located in the EU, regardless of the organization’s location or the location of the stored data. It imposes obligations on organizations to ensure the security and privacy of personal data, including requirements for data breach notification, data protection impact assessments, and privacy by design and default. Organizations that fail to comply with the GDPR can face significant fines and other penalties.
In the years since we saw the GDPR bill go into effect, we noticed a ‘trickle-down’ effect of this regulation. Initially, only organizations that did business in the EU felt they needed to comply. U.S. businesses faced several steep fines for disregarding the bill’s requirements. Today, even businesses that have nothing to do with EU citizens follow the regulation. It only makes sense to comply so that if and when you want to sell to Europe there is no need to scramble for compliance.
Overall, the ECRA feels much the same way. With a lot of the world still scrambling to respond to the spike in cybersecurity incidents, any comprehensive and clear legislation designed to mitigate the security shortcomings of software producers has a good chance of being adopted. Again – it makes sense to comply in advance so that if and when you’re ready to sell to the EU you’re already covered.
That means that the answer to the question ‘Is this bill going to affect me?’ is a resounding yes if you have anything to do with software manufacturing. It may not affect you out of the gate but at some point, you will need to be compliant, even if it’s just recognized as a new common best practice.
Luckily, an Evidence-Based Security Hub Can Help
To overcome the evolving security challenges, we are currently witnessing the evolution of Application Security to Software Supply Chain Security. It includes a new generation of technologies and novel tools that try to address these challenges. Automated tools and solutions help organizations achieve a new level of security by providing an evidence-based continuous code security assurance platform that can attest to the trustworthiness of the software development life cycle and software components.
Scribe is a Software Supply Chain Security hub. It collects evidence and presents it for each build run through your CI/CD pipeline. Scribe’s solution was built to facilitate compliance with U.S. and EU regulations and best practices in terms of increasing the transparency of software and the trust between software providers and software users. The platform enables detailed SBOM creation and sharing as well as other security insights. What’s more, the platform can verify that the build you are looking at is compliant with SLSA level 3 and with NIST’s SSDF framework. Considering the obvious relationships and similarities between the ECRA and the SSDF, being able to attest that your software is SSDF compliant could go a long way toward establishing your ECRA compliance as well.
A Final Word: Don’t Get Caught Unprepared
The European Cyber Resilience Act is currently only a proposal and has not yet been adopted by the EU. The proposed act is currently in the legislative process, being reviewed by the European Parliament and the Council of the EU. The bill is expected to undergo several rounds of negotiations and revisions before it is adopted as law. There is a good chance that the act’s final version may change, including the provisions related to product security, certification, and the products and sectors that the bill covers.
It is worth noting that the details of how the act proposes to verify that products meet cybersecurity standards have not yet been fully covered in the published draft. The final version of the act may include more specific requirements for product certification and verification, among many other areas that require clarification. Since the legislation isn’t yet fully realized, industry stakeholders have suggested that it should include more precise definitions, taking into account variations in the creation, functionality, and use of digital products. They made it clear that overly strict cybersecurity requirements run the risk of keeping SMEs out of the market. To show exactly how uncertain things are, an update from December 2022 has already placed SaaS products clearly outside of the regulation’s scope.
To give both the EU states and the relevant product developers time to adjust, the proposed regulation will take effect 24 months after it enters into force, with the exception of the reporting requirement for manufacturers, which will take effect 12 months after the date of the bill becoming law. Two years may seem like a long time but if you run a small or medium business and suddenly have to follow a whole host of new cybersecurity regulations, that time frame may feel far too short.
Regardless of the exact details, the ECRA represents a significant step forward in the EU’s efforts to enhance cybersecurity and protect critical infrastructure and we can all look forward to a world where most businesses comply with the ECRA as naturally as they inform clients of their cookie collection policy.