
The European Commission Published the Cyber Resilience Act Official Draft

20 September 2022

The European Commission (“EC”) has recently published the official proposal of the Cyber Resilience Act (“the CRA”), which would regulate cybersecurity requirements for products with digital elements.

Having identified increasing cybersecurity risk in the EU, the EC proposes new requirements aimed at improving the level of cybersecurity of products with digital elements and at raising users’ awareness and understanding of the importance of the cybersecurity aspects of such products.

A “product with digital elements” is broadly defined under the CRA as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” In practice, this means that any software or tangible product with digital elements that is sold or distributed in the EU may be subject to the CRA. However, certain products, such as Software-as-a-Service, open-source software and test versions, are exempted from the ambit of the CRA.

In addition, given its potentially broad scope, the CRA contains provisions concerning its interplay with other EU laws, such as the GDPR, the proposed AI Act and the NIS Directive, among others.

The CRA applies primarily to manufacturers, with some obligations also applying to importers and distributors of products with digital elements. If approved, the obligations under the CRA will apply to any product sold or marketed in the EU, regardless of its or the manufacturer’s jurisdiction of origin, for the lifetime of the product or for a period of five years from its placement on the market, whichever is shorter.

The list below sets out the key requirements under the CRA:

  • Conducting cybersecurity risk assessments for each product, and designing and developing such products to appropriately address the cybersecurity risks identified;
  • Documenting cybersecurity aspects of products with digital elements – including any vulnerability the manufacturer is aware of and the use of third-party components within the product;
  • Carrying out a conformity test and maintaining a declaration of conformity with the requirements of the CRA;
  • Marking the products to identify conformity with the CRA;
  • Providing information and instructions to users on cybersecurity aspects of the product;
  • Reporting to ENISA in case of exploited vulnerabilities or incidents impacting the security of the products;
  • Reporting to users in case of incidents impacting the security of the products.


The CRA imposes stricter obligations for digital products that are deemed “critical” by the EC. Critical products are divided into two categories:

  • Class I products are considered to be of high risk and include browsers, network management systems, VPNs, SIEM systems, etc.
  • Class II products are classified as posing an even higher risk and include operating systems, firewalls, routers and modems, smart cards and smart card readers.


Manufacturers of critical products will be required, among other things, to undergo a conformity assessment by independent third-party auditors.

Manufacturers, importers and distributors will be required to comply with the obligations set out under the CRA before making any product with digital elements available in the EU.

The CRA requires Member States to establish designated market surveillance authorities, which will be in charge of enforcing the CRA. The designated authorities shall have the power to initiate a recall or withdrawal of the product from the market in instances of non-compliance. In addition, Member States are required to establish penalties for infringement of the obligations under the CRA. Such penalties are capped at €15,000,000 or 2.5% of the infringing entity’s global turnover, whichever is higher.

The CRA is now subject to review and approval by the European Council and Parliament. Once adopted and in force, there will be a grace period of 24 months for compliance, with the exception of the reporting obligations for manufacturers, which shall apply 12 months after the entry into force of the CRA.

Feel free to contact us if you have any questions regarding these developments and their potential effects on your company’s compliance efforts.
