Cybersecurity
New rules on IT security for digital products and ICT infrastructures
IT security as a central pillar of EU digital legislation
Rapid technological progress and the increased threat level posed by hybrid conflicts and criminal actors in cyberspace have prompted the EU to adopt legislative measures to enhance cybersecurity. In this context, cybersecurity is primarily understood as information security (security), as opposed to physical integrity (safety). Key points in the latest package of legislative measures are the second EU Directive on Network and Information Security (NIS 2), complemented by the Critical Entities Resilience (CER) Directive. In the sphere of digital products and services, the Cyber Resilience Act (CRA) addresses cybersecurity in close alignment with the EU AI Act and Machinery Directive.
Cybersecurity for critical infrastructures
NIS 2 is intended to improve the protection of critical ICT infrastructures (KRITIS operators) in the EU. Compared to the 2016 predecessor directive, NIS 2 significantly expands the range of sectors affected, the number of companies affected (through lowered thresholds), and the obligations under the IT security regime. NIS 2 now also requires management bodies (board, management, etc.) to oversee the implementation of risk management measures and provides for personal liability in case of non-compliance. The German legislator has transposed NIS 2 into national law with some country-specific provisions.
- Expansion of the target group by broadening the sectors covered and lowering the thresholds at which a company falls within NIS 2; in Germany the scope grows significantly, to approximately 40,000 companies.
- Expansion and specification of the catalogue of technical and organisational measures that constitute the minimum cybersecurity requirements for establishing robust risk management. Stricter measures relate, for example, to backups, cryptography, supply chains, multi-factor authentication and emergency communications.
- Introduction of a new three-stage reporting system for security incidents and an obligation to document cybersecurity measures. Reporting serious security incidents within the short deadlines requires rapid response capability and well-established communication channels.
- Introduction of a fines framework of up to €10 million or 2% of worldwide annual turnover. Management and executive boards can now be held responsible more broadly in cases of inaction.
- Implementation into national law is required. Further information on the implementation in the various EU Member States can be found here.
The CER Directive further regulates the resilience of critical infrastructures. Its personal scope (the entities it covers) is somewhat narrower than that of NIS 2. It obliges so-called critical entities to take measures ensuring resilience outside cyberspace. This includes requirements to strengthen “physical” security (access and entry controls) and to implement crisis and risk management as well as business continuity management measures.
New requirements for products with digital elements: Cyber Resilience Act and more
By contrast, the CRA aims to ensure reliable cross-sector cybersecurity for products with digital elements that are marketed within, and imported into, the EU. The CRA takes into account the various stages of the value chain: cybersecurity vulnerabilities in a product frequently used as a component can have dramatic effects on all end products incorporating that component – and, depending on the particular case, on systems and infrastructures. The principle is: the greater the potential damage from exploiting a product’s vulnerability, the higher the requirements as per the CRA for demonstrating compliance with security requirements. To this end, common standards, guidelines, and best practices are to be established.
- Scope covers manufacturers, importers and distributors of products with digital elements
- Cybersecurity by design and by default principles
- Tiered regulation based on product risk level; around 10% of products are to be subject to particularly strict regulation as important or critical products
- Conformity assessment as a prerequisite for CE marking
- Cybersecurity throughout the product life cycle
- Mandatory risk assessments
- Technical implementation obligations
- Reporting of security-related incidents within 24 hours
- Fines for violations: up to €15 million, or 2.5% of worldwide annual turnover
- Free security updates, generally for five years or other specified support period
- Implementation by 2026/2027
When implementing CRA requirements, close alignment with the AI Act and the Machinery Directive must be considered. For products that are subject to the Machinery Directive, whose aim is to ensure physical integrity (safety), the compliance processes for digital elements must be supplemented by the CRA security requirements. There are also interactions between the CRA and the AI Act: insofar as the security provisions of the CRA are fulfilled, the safety provisions of Article 15 of the AI Act are deemed met, while risks specific to AI must be taken into account in CRA assessments. By the same token, conformity assessments conducted under the AI Act are also recognised under the CRA. Implementing CRA requirements is also closely linked to the technical implementation of data access under the Data Act.
Our services
We offer you comprehensive and integrated advice on cyber compliance and related legal issues:
Analysis
- We conduct impact analyses to determine whether and how the regulation applies to your company and products.
- Based on these impact analyses, we compile the specific regulatory requirements as they apply to your company and products across all relevant jurisdictions.
- As part of a gap analysis, we assess the specific adjustments needed within your organisation.
Implementation
- We advise on all legal questions of implementation: from product design processes and distribution requirements to secure IT operations and the efficient integration of the cyber compliance management system with other management systems. This also includes drafting documentation and policies.
- We provide training, including legally required training for senior management of affected companies as per NIS 2.
Ongoing operations
- We advise you on dealings with service providers and suppliers, on product lifecycle management, and on responding to security incidents.
- We provide comprehensive advice on ongoing ICT operations, including handling current security incidents with our 24/7 cyber incident response service.