Logo
Media Centre

The European Commission Published the Cyber Resilience Act Official Draft

Ariel Yosefi On Dvori

20 September 2022

The European Commission (“EC“) has recently published the official proposal of the Cyber Resilience Act (“the CRA“), which would regulate cybersecurity requirements for products with digital elements.

According to the EC, having identified increasing risk of cybersecurity in the EU, the EC proposes to impose new requirements aiming to improve the level of cybersecurity of products with digital elements and to build up the awareness and understanding of the importance of cybersecurity aspects in the eyes of users of such products.

A “product with digital elements” is broadly defined under the CRA as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” This practically means that any software or tangible product with digital elements that is sold or distributed in the EU may be subject to the CRA. However, certain products, such as Software-as-a-Service, open-source software and test versions are exempted from the ambit of the CRA.

In addition, given its potential broad scope, the CRA entails provisions concerning its interplay with other EU laws such as the GDPR, the proposed AI Act, the NIS Directive, and more.

The CRA applies primarily to manufacturers, with some obligation applying also to importers and distributers of products with digital elements. If approved, the obligations under the CRA will apply to any product sold or marketed in the EU, regardless of its or the manufacturer’s jurisdiction of origin, for the lifetime of the product, or for a period of five years from its placement in the market, whichever is shorter.

The list below consists of the key requirement under the CRA:

  • Conducting cybersecurity risk assessments for each product, and design and develop such products to appropriately address the cybersecurity risks identified;
  • Documenting cybersecurity aspects of products with digital elements – including any vulnerability the manufacturer is aware of and the use of third party components within the product;
  • Carrying out a conformity test and maintaining a declaration of conformity with the requirements of the CRA;
  • Marking the products to identify conformity with the CRA;
  • Providing information and instruction to users on cybersecurity aspects of the product;
  • Reporting to ENISA in case of exploited vulnerabilities or incidents impacting the security of the products;
  • Reporting to users in case of an incidents impacting the security of the products.

 

The CRA applies stricter obligations for digital products that are deemed “critical” by the EC. Critical products are divided into two categories:

  • Class I products are considered to be of high risk and include browsers, network management systems, VPNs, SIEM systems etc.
  • Class II are classified as posing even higher risk and include operating systems, firewalls, routers and modems, smart cards and smartcard readers.

 

Manufacturers of critical products will be required, among other things, to undergo a conformity assessment by third party independent auditors.

Manufacturers, importers and distributers will be required to comply with the obligations set out under the CRA before making any product with digital elements available in the EU.

The CRA required Member States to establish designated market surveillance authorities who will be in charge with enforcing the CRA. The designated authorities shall have the power to initiate a recall or withdrawal of the product from the market in instances of non-compliance. In addition, Member States are required to establish penalties for infringement of the obligations under the CRA. Such penalties are limited at €15,000,000 or 2.5% of the infringing entity’s global turnover, whichever is higher.

The CRA is now subject to review and approval by the European Council and Parliament. Once adopted and entered into force, there will be a grace period of 24 months for compliance, with the exception of the reporting obligations for manufacturers, which shall apply 12 months after entry into force of the CRA.

Feel free to contact us if you have any questions regarding these developments and their potential effects on your company’s compliance efforts.

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search