The European Commission proposed a Cyber Resilience Act (CRA) on 15 September 2022 aimed at protecting consumers and businesses from products with insufficient security features. This act, promoted by the Commission as ‘the first of its kind in EU legislation’, introduces mandatory cybersecurity requirements applicable to products with digital elements over their entire life cycle. Manufacturers, importers and distributors of connected hardware and software products to be placed on the EU market will have to comply with these enhanced cybersecurity requirements and will be subject to a new liability regime. Furthermore, the CRA will introduce obligations to provide security assistance and software updates to address identified vulnerabilities. Moreover, the initiative aims to ensure that consumers have sufficient information about the cybersecurity of the products they buy and use. According to the Commission, the CRA is likely to become an international standard on cyber resilience, well beyond the EU.

The initiative builds on the 2020 EU Cybersecurity Strategy and is intended to complement the existing EU cybersecurity and other sector/product-specific EU rules.

Objectives of the CRA

Four specific objectives were set out:

  • ensure that manufacturers improve the security of products with digital elements in the design and development phase and throughout the whole life cycle;
  • ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • enhance the transparency of security properties of products with digital elements; and
  • enable businesses and consumers to use products with digital elements securely.

Scope and obligations – Connected hardware and software products

The proposed CRA lays down cybersecurity requirements that will apply to manufacturers, importers and distributors of ‘products with digital elements whose intended, or foreseeable use includes a data connection to a device or a network’. The definition of ‘products with digital elements’ is very broad, covering any software or hardware product and its remote data processing solution, as well as non-embedded software or hardware to be placed on the market separately. In a nutshell, the CRA applies to wired and wireless products that are connected to the internet and to software placed on the EU market. Software provided as part of a service will not be covered by the CRA but may fall under the Directive on measures for a high common level of cybersecurity across the Union (NIS 2) or other sectoral legislation on the security of services.

The CRA introduces horizontal and common rules for products with digital elements which are not specific to certain sectors or products, and which shall complement and be aligned with existing Union rules on product safety and sector-specific cybersecurity rules. Products with digital elements will have to meet essential security requirements and have a vulnerability handling process in place before being made available on the market. Manufacturers will have to perform a conformity assessment to determine whether the requirements are met and consider the outcome of this assessment to ensure cybersecurity ‘by design’, i.e. to minimise cybersecurity risks, prevent security incidents and minimise the impact of such incidents throughout the life cycle of the product. The CRA covers the entire supply chain, introducing due diligence obligations also for importers and distributors, depending on their roles in the supply chain, to ensure the essential cybersecurity requirements are met.

Critical products with digital elements

For digital products deemed to be ‘critical’, stricter conformity assessment rules apply which require the involvement of third-party auditors. The CRA divides these into two classes of ‘critical products with digital elements’ reflecting the related level of cybersecurity risk:

  • those regarded to be of ‘higher risk’, like firewalls, smartcards, tokens, IoT devices for use by critical infrastructure providers under NIS 2, robot sensors and controllers, and smart meters; and
  • those regarded as ‘lower risk’ such as identity management system software, browsers, password managers, mobile device management software, remote access/sharing software.

Interplay with the proposed AI Act

The system of classifying products into risk categories is also picked up in the proposed AI Act. To avoid conflicting provisions, the CRA introduces a special provision for products with digital elements which are simultaneously classified ‘high-risk AI systems’ under the Draft AI Act. Those products will generally have to comply with the conformity assessment procedure set out by the AI Act, except for ‘critical digital products’ for which the conformity assessment rules of the CRA shall apply in addition insofar as the ‘essential requirements of the CRA are concerned’.

Reporting obligations

The CRA introduces comprehensive and short-notice reporting obligations on manufacturers, who are required to notify ENISA within 24 hours of becoming aware of (i) any actively exploited vulnerability contained in a product with digital elements and (ii) any incident having an impact on the security of the product. The manufacturer must also inform the users of the product without undue delay about any incident affecting it and about possible corrective measures. Importers and distributors who identify vulnerabilities and security incidents are required to inform the manufacturer without undue delay.

Market surveillance, penalties, fines and civil enforcement

The CRA is strict on market surveillance, granting national market surveillance authorities the right, in case of non-compliance, to prohibit or restrict a product being made available on their national market, to withdraw it from that market or to recall it. The Member States will be free to designate either a new or an existing authority, such as the national cybersecurity agency, to act as a market surveillance authority under the CRA. The CRA sets out that these authorities will have to cooperate with ENISA, with the national Data Protection Authorities (to contribute to the enhancement of data protection through cybersecurity), and with the authorities competent for the upcoming AI Act. Member States will have to ensure that each market surveillance authority has the power to impose, or request the imposition of, administrative fines.

The CRA also establishes maximum levels for the administrative fines that must be provided for in national law for non-compliance with the CRA. Those fines can go up to EUR 15 million or 2.5% of a company’s worldwide annual turnover where essential cybersecurity obligations are infringed. In addition, civil litigation may well be facilitated by the CRA, e.g. where a product caused harm due to a lack of security updates after it was placed on the market.

Challenges in practice - overlap with existing regulation

Although the CRA is stated to be coherent with the current product-related EU regulatory framework and the recent proposals made in the context of the EU Digital Strategy, rules like those being introduced for high-risk AI products will become a challenge for companies due to their complex interplay with other Union policies, including obligations on the processing of personal data under the GDPR. Questions such as the scope of the CRA also seem to be unclear, e.g. in contrast to the proposed Data Act, which covers tangible digital products (i.e. IoT devices) and ancillary services (e.g. software). The burden of detecting and analysing which elements of a product suite would fall under which of the two Acts will certainly add another layer of compliance effort for companies.

Outlook/Timeline

The CRA will now go through the EU’s legislative process, which usually takes around 18 to 24 months. Given that we are more than halfway through the European Commission’s mandate, the aim will certainly be to agree the final text ahead of the European Parliament elections in May 2024.