The CRA has introduced a novel, and potentially quite worrying, approach to cybersecurity legislation.
What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible? The United States may soon have an answer, as this very question continues to wind its way through the American court system. Europe may have one soon too, though as an unintended result of recent legislative decisions, rather than through deliberations in the courts.
In the United States, the Court of Appeals for the Ninth Circuit recently overturned an earlier decision in Doe v. Cisco Systems, which had prevented members of Falun Gong, a religious group from China, from bringing a claim against Cisco Systems. The claim rests on allegations that Cisco aided and abetted the Chinese government in carrying out torture by designing and providing the surveillance system the Chinese government used against the group. The legal basis for the claim is the Alien Tort Statute (ATS), which enables non-U.S. nationals to bring civil claims in U.S. federal courts for breaches of public international law.
The ATS does not give disgruntled foreign plaintiffs carte blanche to sue American companies. In Kiobel, the Supreme Court applied a presumption against extraterritorial application of the ATS, and it reinforced that presumption in the Nestlé case by holding that general corporate activity in the United States is not enough: the conduct relevant to the claim must itself have taken place within the United States. The recent decision in Doe turns on exactly this point, since the plaintiffs allege that Cisco's work designing and improving the systems used by the Chinese government took place within the United States.
The Doe decision highlights a clear branch of American jurisprudence dealing with claims by nonresidents who allege harm at the hands of others, carried out with the support of domestic American companies. The use of the ATS has attracted commentary from law firms, human rights organizations, and other interested parties. While the statute remains divisive, it is reasonably well understood.
There has been no equivalent commentary on European legislation. However, a recent piece of EU legislation, approved by the European Parliament but not yet enacted, gives the European Commission the power to restrict the sale of technology products (both hardware and standalone software) on the European market if the use of that technology enabled a breach of fundamental rights. The breach can involve any person anywhere in the world, regardless of citizenship. Hypothetically, under this mechanism, the European Commission could conclude, on the basis of the evidence presented by the plaintiffs in Doe, that all Cisco products should be removed from the EU internal market. Surprisingly, this new mechanism to prohibit the sale of technology is embedded in product cybersecurity legislation, the Cyber Resilience Act, rather than in a standalone fundamental rights act.
The Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is a forthcoming piece of EU legislation that introduces horizontal cybersecurity requirements for products with digital elements, including software products. Although the European Parliament has approved the final text of the CRA, the law has not yet been enacted. The CRA is the first EU law to set out detailed statutory requirements for product cybersecurity. Like other European legislation, the CRA has broad territorial effects: beginning in 2027, any manufacturer of an in-scope product that is made available on the European market will have to comply with its requirements and obligations, wherever that manufacturer is based.
At its core, the CRA attempts to apply a unified set of cybersecurity requirements to all "products with digital elements." This includes physical devices such as Internet of Things products, smart meters, laptops, mobile phones, CPUs, and routers, and software products such as operating systems, games, password managers, applications (such as word processing and photo editing), and anti-virus and other cybersecurity products. Software-as-a-Service (SaaS) is out of scope, unless the service is "remote data processing" that forms an integral part of a product's functions, in which case the CRA applies to it as well. Despite receiving scant media and academic coverage, especially compared to the more high-profile EU Artificial Intelligence (AI) Act, there are few technology products for sale within the European Union that the CRA will not affect.
The CRA applies to technology products on two levels. First, it mandates that the cybersecurity of the product itself conform to the CRA's requirements. Second, it addresses the risk that the product could pose to other fundamental values, such as the health and safety of individuals, which is a core concern of EU product safety law. Additionally, and it is here that the CRA becomes analogous to the Alien Tort Statute, it requires compliance with other legal obligations designed to safeguard fundamental rights, as set out in other EU and member state laws.
From a product perspective, the CRA requires that products be placed on the market without known exploitable vulnerabilities and be developed following "secure by design" principles. Additionally, manufacturers must conduct and maintain a cybersecurity risk assessment, provide a software bill of materials detailing the third-party components used, and ensure security updates are available throughout the product's expected support period, which in general must be at least five years from the time the product is placed on the market.
Using a "risk-based" approach, the CRA classifies relevant products into several categories:
- Default: Expected to be approximately 90 percent of all products with digital elements within the common market.
- Important Class I: Products related to cybersecurity functionality, or that perform functions carrying a significant risk of adversely affecting a wide range of other products or users' health and safety. Examples include browsers, password managers, physical network interfaces, and smart home virtual assistants.
- Important Class II: Products that, if affected by cyber incidents, might lead to greater negative effects due to the nature of their cybersecurity-related function or the performance of another function with significant risk. Examples include hypervisors, firewalls, and tamper-resistant microprocessors.
- Critical Products: Products that have cybersecurity-related functionality, perform functions that carry a significant risk of adverse effects, and are considered critical dependencies for essential entities under the EU NIS2 Directive.
Noncompliance with the CRA incurs penalties similar to those of the EU General Data Protection Regulation (GDPR). Violations of the essential requirements can result in fines of up to 15 million euros ($16 million) or 2.5 percent of global annual turnover, whichever is higher. Other breaches can result in fines of up to 10 million euros ($10.7 million) or 2 percent of global annual turnover, whichever is higher.
The approach taken by the CRA with regard to the protection of fundamental rights is rather novel. While the EU AI Act clearly integrates three regulatory approaches of EU law—risk based, product safety, and rights based—the CRA seemingly builds on only the first two.
On the one hand, the CRA recognizes that not all products with digital elements pose the same risks. Therefore, manufacturers of such products will be subject to different obligations, particularly regarding conformity assessment depending on the product’s risk categorization (i.e., default, important I & II, and critical). Unlike the AI Act, where a set of requirements applies only to high-risk AI systems, the CRA’s essential requirements (Annex I of the Regulation) apply to all products within the scope of the regulation.
On the other hand, the CRA pivots on EU product safety principles and institutions. In a nutshell, EU product safety legislation limits itself to imposing high-level health and safety "essential requirements," leaving the detailed implementation of those requirements to EU technical standards. These standards are developed by the European Standardisation Organisations (ETSI, CEN, and CENELEC) after a mandate from the European Commission. To make a product available on the EU market, manufacturers have to demonstrate the conformity of their products with those requirements through specific conformity assessment procedures (broadly, either self-assessment or third-party assessment).
Against this backdrop, the commission states, in the explanatory memorandum to the CRA proposal, that the Cyber Resilience Act will “enhance to a certain extent the protection of fundamental rights and freedoms such as privacy, protection of personal data, freedom to conduct business and protection of property or personal dignity and integrity.” One could wonder, therefore, to what extent the CRA effectively upholds fundamental rights.
Protecting Fundamental Rights in Product Cybersecurity Legislation
The CRA has introduced a novel, and potentially quite worrying, approach to cybersecurity legislation by combining elements of fundamental rights protection (albeit in a limited capacity) with product-specific cybersecurity requirements. The CRA mandates that products with digital elements, even where they comply with the product-specific requirements, must not pose risks to the health or safety of individuals, or conflict with obligations under Union or member state laws designed to protect fundamental rights. Both national market surveillance authorities and the European Commission are empowered to enforce these provisions: they can require companies to mitigate the risk, or to withdraw or recall products from the market, on the basis that the products conflict with obligations under EU or member state laws designed to protect fundamental rights.
In exceptional circumstances, where immediate intervention is believed by the European Commission to be necessary to maintain the proper functioning of the EU market, and if national authorities fail to act effectively (from the perspective of the European Commission), the European Commission can impose corrective or restrictive measures at the Union level under Article 57 of the CRA. This process involves evaluating the risks with support from ENISA, the EU Cybersecurity Agency, and notifying the relevant market surveillance authorities.
Interestingly, Recital 113 of the CRA, although nonbinding, helps clarify the meaning of the "exceptional circumstances" that legitimize the Commission's enforcement procedure in place of national authorities. These include emergency situations where a noncompliant product is made available in several member states, or is used in critical sectors by NIS2 entities, while containing known vulnerabilities that are being exploited by malicious actors and for which the manufacturer provides no patch. In such cases, it makes sense for either the market surveillance authority or the European Commission to be able to act to remove the product, and the risk, from the European market. This provision nevertheless marks a significant shift in the enforcement of EU product safety legislation, centralizing with the Commission an authority that was previously held exclusively by national authorities.
However, the CRA grants national market surveillance authorities and the European Commission powers that extend beyond product safety concerns. Article 57 of the CRA makes clear that the notion of risk applies not to fundamental rights directly but to compliance with the obligations designed to protect those rights. This distinction, though subtle, is crucial. It requires that, where there is a suspected risk to compliance with Union or member state obligations to protect fundamental rights, either the market surveillance authority or the Commission conduct a context-based impact assessment of the product to verify whether there is a risk of noncompliance with EU laws protecting fundamental rights, irrespective of whether the product itself conforms to the product obligations imposed by the CRA. Furthermore, these impact assessments can be carried out on a number of products at once.
However, since fundamental rights and freedoms cannot be easily quantified, these assessments involve ascribing values to those rights, which makes them, in effect, normative judgments. Furthermore, the evidence of fundamental rights violations used in these assessments is not confined to the European Union. Consequently, the use of a product by a nation-state, a terrorist group, or freedom fighters during armed conflict, or in self-defense against foreign or domestic threats, anywhere in the world could be sufficient "non-technical" grounds for removing that product from the European Union market, provided the European Commission or a national market surveillance authority can be persuaded to instigate a fundamental rights assessment.
Furthermore, as the CRA includes integrated components of products in its scope, manufacturers of specialized processors, sensors, or algorithms could find that all products utilizing these components might be removed from the European Union due to their use in other jurisdictions.
***
The CRA is a novel piece of legislation on two fronts. It introduces comprehensive cybersecurity requirements for most technology products available in the European Union, and it will also interlock with the forthcoming revision of the Product Liability Directive. The ability of the European Commission to intervene with regard to the availability of a product is also welcome, as it allows products that pose a risk to European citizens, companies, institutions, and critical infrastructure to be removed promptly or brought into compliance.
However, the conflation of cybersecurity and fundamental rights introduces a worrying mechanism, even if used infrequently, that would allow the adoption of corrective and restrictive measures up to the removal of products from the European Union, on the basis of the degree of their compliance with fundamental rights law.
If the European Commission intended to develop an analogue to the Alien Tort Statute, one that allows the removal of products from the European market (as opposed to enabling a claim to be brought against the technology company itself), this should be done in a separate and distinct piece of legislation and not delivered as part of a cybersecurity regulation.
– Iain Nash and Pier Giorgio Chiara. Published courtesy of Lawfare.