The European Parliament's Paul Henri-Spaak building. Image: Guillaume Périgois via Unsplash

EU cyber law could be costly for British businesses, warns parliamentary report

Businesses in the United Kingdom are likely to face increased costs as a result of the European Union’s new Cyber Resilience Act (CRA), a parliamentary committee has warned, despite a similar law already in place for British businesses.

In a report published Tuesday, the committee scrutinizing the impact of European legislation on the U.K. said that as drafted, the CRA — which introduces minimum security standards for internet-connected products — was likely to impact British businesses exporting to the European Union.

The CRA requires companies to have mechanisms in place to fix any flaws discovered in their devices for up to five years after they have been sold to consumers, or at least for the expected lifetime of the product.

Devices that don’t meet these standards could be taken off the market and the manufacturers could face fines of €15 million or 2.5% of their global annual revenue for failing to comply with the rules.

The need for the law has been driven by the manufacturing and design practices for many Internet of Things (IoT) products that often introduce additional risks into home and business networks.

In one often-cited case described by Darktrace, hackers were allegedly able to steal data from a casino’s otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank.

Although a similar law covering security standards for these products has already been passed in the U.K. (the Product Security and Telecommunications Infrastructure Act 2022), the standards that British and European products will have to meet may differ.

"Even if the substantive cyber-security requirements for a particular device were the same in the UK and the EU, there would still be administrative hurdles," said the committee, as there is no agreement between Brussels and Westminster on mutually recognizing each other’s standards as sufficient.

Such an agreement may not come until 2025, as part of the review of the EU/UK Trade and Cooperation Agreement following Brexit.

A U.K. government spokesperson noted that the EU proposal is still under discussion and could change. The Product Security and Telecommunications Infrastructure Act 2022 is "world-leading legislation," they said.

“That piece of legislation would not have been possible as an EU member state, and the approach we have taken will ensure that we can support businesses while also nurturing technological innovation and ensuring we are able to rapidly respond to emerging threats," the spokesperson told The Record.

'Conformity assessments'

The committee noted that the current draft of the EU law would also require products to undergo “conformity assessments” before being sold, meaning products would have to be certified by a third party before becoming available — something that will increase production costs and delay product launches.

The CRA’s high compliance costs have been a significant concern to those debating the law, although the European Commission says that the costs for industry are expected to come to just 10% (€29 billion) of the annual losses (€290 billion) chalked up to cyber incidents inside the bloc.

Bart Groothuis, the cyber rapporteur for the European Parliament who is currently negotiating the law, has told The Record that he is concerned about the impact that the conformity assessments will have on products within the EU, saying: “I’m very worried we’re overdoing it.”

A border question

The CRA — alongside the EU’s proposed Artificial Intelligence Act — also risks unsettling some of the delicate arrangements between Westminster and Brussels over the status of Northern Ireland. While part of the U.K., it remains economically connected to the Republic of Ireland, an EU member, without a hard border.

Under the current arrangements, this means that some EU law applies in Northern Ireland, particularly statutes involving product trading standards, as there is no hard border for these products to enter the European market.

“The precise implications of the Cyber Resilience Act under the Protocol are somewhat ambiguous. This could, in the future, give rise to differences of interpretation between the UK and the EU about its legal effects in Northern Ireland,” said the committee.

The British government has argued that the new EU regulation would not apply in Northern Ireland; however, the committee stated that "the EU could theoretically still request" that the cybersecurity requirements for physical goods be applied there.

“We understand the EU has not, to date, made such a request, and that precedent suggests the EU would have normally communicated this when the proposal was first published in September 2022,” the report added.

Update (4/27/2023): This story has been updated to include comments from a U.K. government spokesperson.

Alexander Martin

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.