On the 15th of September 2022, the European Commission published a proposal for a regulation, known as the Cyber Resilience Act (CRA), providing horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. In the proposal, the Commission states that hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. It also states that in today's connected environment, a cybersecurity incident in one product can affect an entire organization or a whole cross-border supply chain within a matter of minutes.
In short, the CRA lays down rules to ensure that manufacturers improve the security of products with digital elements (PDEs) from the design and development phase and throughout the whole life cycle. It also contains provisions aimed at enhancing transparency regarding the security properties of PDEs and at enabling businesses and consumers to use such products securely.
The CRA will apply to all PDEs whose 'intended and reasonably foreseeable use' includes a direct or indirect logical or physical data connection to a device or network. Certain products and services fall outside its scope: Software-as-a-Service (SaaS) is not covered, as it is a service rather than a product placed on the market, and products such as medical devices, motor vehicles and civil aviation products are excluded because they are already covered by sector-specific legislative acts with their own cybersecurity requirements.
What are the key provisions under the CRA?
- Conformity assessments
Before placing a PDE on the market, manufacturers will be required to perform a 'conformity assessment' of the PDE and of the vulnerability handling processes the manufacturer has put in place, to demonstrate conformity with a list of 'essential requirements' set out in an annex to the regulation. The conformity assessment procedure that may be used depends on how critical the product is. Most PDEs fall into a default category for which the manufacturer may assess conformity itself (internal control). The CRA additionally lists 'critical' PDEs in two classes, Class I and Class II, where Class II constitutes the higher cybersecurity risk. Examples of Class I PDEs are network management systems, password managers, and standalone and embedded browsers. Examples of Class II PDEs are general purpose microprocessors, as well as routers, modems intended for connection to the internet, and switches, where these are intended for industrial use. Manufacturers of Class I products may still perform the conformity assessment themselves, but only if they apply the relevant harmonised standards, common specifications or a European cybersecurity certification scheme in full; otherwise, and in all cases for Class II products, a third party (a 'notified body') must carry out the conformity assessment.
- EU declaration of conformity and CE-marking
Where compliance has been demonstrated by the conformity assessment procedure, manufacturers are required to draw up an EU declaration of conformity and affix the European Conformity (CE) mark in accordance with the provisions in the CRA.
- Technical documentation
Manufacturers will need to draw up technical documentation before placing a PDE on the market. This documentation must contain all relevant data on, or details of, the means used by the manufacturer to ensure that the PDE and the processes put in place by the manufacturer comply with the applicable essential requirements. The technical documentation must be kept up to date, where appropriate, throughout the expected product lifetime or for five years after the product is placed on the market, whichever is shorter. Furthermore, manufacturers shall keep the technical documentation and, where relevant, the EU declaration of conformity at the disposal of the market surveillance authorities for ten years after the PDE has been placed on the market.
- Information and instructions for use
Before placing a PDE on the market, the manufacturer will need to draw up and provide certain information and instructions for use in a language that users can easily understand. This includes, for example, a single point of contact where information about cybersecurity vulnerabilities of the PDE can be reported and received, and the intended use of the PDE, including the security environment provided by the manufacturer, its essential functionalities, and information about its security properties. Manufacturers must also state what technical security support they offer and until when it will be provided, at least indicating until when users can expect to receive security updates.
- Notification periods
Manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of any actively exploited vulnerability contained in a PDE, and likewise within 24 hours of becoming aware of any incident having an impact on the security of the PDE. The notification shall include details concerning the vulnerability or incident and, where applicable, any corrective or mitigating measures taken. Manufacturers must also inform the users of the PDE, without undue delay, about the incident and, where necessary, about corrective measures the users can deploy to mitigate its impact.
- Market surveillance and enforcement
National market surveillance authorities are given powers to carry out surveillance in their respective Member States and to impose administrative fines to enforce compliance with the CRA. According to the proposal, Member States shall lay down the rules on penalties for non-compliance with its provisions. However, the CRA does establish maximum levels for these fines, graded by the type of infringement. Non-compliance with the essential requirements or with the manufacturers' core obligations (including the reporting obligations) can be fined up to EUR 15 000 000 or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. Non-compliance with other obligations under the CRA can be fined up to EUR 10 000 000 or 2 % of turnover, and supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities up to EUR 5 000 000 or 1 % of turnover, in each case whichever is higher.
- Obligations for importers and distributors
Importers and distributors are required to verify, before placing a PDE on the market or making it available, that the CE marking has been affixed and that the manufacturer has fulfilled its obligations, in particular that the appropriate conformity assessment procedure has been carried out and that the technical documentation and the information and instructions for use are in place. Furthermore, where they have reason to believe that a PDE presents a significant cybersecurity risk, they must inform the manufacturer and the relevant market surveillance authorities.
When will the CRA apply?
To allow manufacturers, notified bodies, and Member States time to adapt to the new requirements, the CRA is proposed to become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
The proposed CRA is open for feedback until 22 November 2022. If you would like to share your views on the proposal with the European Commission, you can do so by visiting the following link and clicking the yellow "Give feedback" button:
This article is intended to be a general summary of the law and does not constitute legal advice. Consult with counsel to determine applicable legal requirements in a specific situation.