Cyber Resilience Act

9 April 2024

On 12 March 2024, the European Parliament approved the proposed Cyber Resilience Act (Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements; "CRA"). The CRA now has to be formally adopted by the Council of the European Union (the "Council") in order to become law. This is expected in April 2024.

The CRA is aimed at improving the cybersecurity of products with digital elements, such as doorbells, smart home devices and Wi-Fi routers, sold on the EU market. It introduces common rules and requirements for manufacturers of such products, as well as obligations for their importers and distributors, to ensure that products with digital elements are secure to use, resilient against cyber threats and accompanied by sufficient information about their security properties.

Scope

The CRA will be applicable to all products with digital elements made available on the European market whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, with the exception of specified exclusions, such as medical devices and cars, which are already covered by sector-specific EU rules. The term 'product with digital elements' is broadly defined and includes connectable hardware and software products and their remote data processing solutions. This means that all hardware and software products that have, or are able to have, a data or network connection during use fall within the scope of the CRA. However, software provided purely as a service is not covered by the CRA, as this is covered by the NIS 2 Directive.

The obligations of the CRA apply to all economic operators in the supply chain of products with digital elements: manufacturers, importers and distributors, with most obligations imposed on manufacturers.

The obligations of the CRA are in line with already existing product safety rules. The CRA clarifies that certain obligations of the General Product Safety Regulation (Regulation (EU) 2023/988) apply to products with digital elements with respect to aspects and risks, or categories of risks, not covered by the CRA, if such products are not subject to specific safety requirements laid down in other EU law.

Obligations of manufacturers 

Manufacturers of products with digital elements must comply with the following obligations of the CRA:

  • Essential requirements: Manufacturers are required to ensure that products with digital elements that they make available on the market meet the essential requirements included in Annex I to the CRA. Such requirements include, among others, that products are made available without known exploitable vulnerabilities, are shipped with a secure-by-default configuration and appropriate access controls, protect the confidentiality, integrity and availability of data, limit data processing to what is necessary and minimise attack surfaces, mitigate the impact of exploitation, and record security-relevant activity for monitoring.

  • Risk assessment: Manufacturers must assess the cybersecurity risks of a product with digital elements and use the outcome of that assessment to reduce cybersecurity risks, prevent and mitigate security incidents, and protect users' health and safety throughout the product lifecycle. This risk assessment has to be documented and updated as appropriate.

  • Documentation: The products must be accompanied by technical documentation and user instructions. The documentation and instructions must be in a clear and intelligible form and in a language which can be easily understood by users, and must include the name and contact details of the manufacturer. Additionally, the product must bear a type, batch or serial number or another element allowing its identification.

  • Support: Manufacturers must determine the support period for their product, which must reflect the time during which the product is expected to be in use and must be at least five years (shorter only where the product is expected to be in use for less than five years). During this period, manufacturers must handle vulnerabilities effectively, including by monitoring the product and making security updates available. The end date of the support period must be clearly communicated to users of the product.

  • Conformity assessments: Before making the products available in the EU, manufacturers must carry out a conformity assessment and affix the CE marking to the product. Depending on the product's category (default, important or critical), different conformity assessment procedures apply, from self-assessment under internal control for default products to assessment involving a third party (notified body) for important products and, for critical products, potentially certification under a European cybersecurity certification scheme.

  • Reporting: Manufacturers must report any vulnerability in the product that is being actively exploited, and any severe incident having an impact on the security of the product, to the national Computer Security Incident Response Team designated as coordinator (the CSIRT) and the EU Agency for Cybersecurity ("ENISA"). An early warning notification must be made within 24 hours of becoming aware of the vulnerability or incident, followed by a fuller notification within 72 hours. Manufacturers must also inform the affected users of the product as soon as possible about the vulnerability or incident that affects the product's security and, where possible, suggest actions that users can take to reduce the impact.

Obligations of importers and distributors

The CRA also imposes obligations on importers and distributors of products with digital elements. Importers are, for example, required to verify that manufacturers have met their obligations, such as that all essential requirements are met and that the appropriate conformity assessment has been carried out. Distributors are obliged to verify that the product bears a CE marking and that the manufacturer has complied with certain obligations, such as that the product bears a type, batch or serial number or another element allowing its identification, that the name and contact details of the manufacturer are included in the product's documentation, and that the end of the support period is clearly communicated. Additionally, both importers and distributors must notify the manufacturer of any product vulnerability they become aware of as soon as possible.

When an importer or distributor places a product with digital elements on the market under its own name or trademark or carries out a substantial modification of the product, it shall be considered to be the manufacturer for the purpose of the CRA.

Supervision and sanctions

The CRA also establishes a market surveillance and enforcement system, with Member States designating authorities to monitor and verify compliance and to take corrective or restrictive measures in case of non-compliance.

Fines for non-compliance with the essential cybersecurity requirements and the other obligations applicable to manufacturers may reach up to EUR 15 million or 2.5 percent of the total worldwide annual turnover in the preceding financial year, whichever is higher. If importers and distributors fail to meet their obligations under the CRA, they could face a fine of up to EUR 10 million or 2 percent of their total worldwide annual turnover, whichever is higher.

Moreover, the CRA empowers the Commission to adopt delegated and implementing acts to update and specify certain aspects of the legislation, such as the list of critical products and the content of the declaration of conformity.

Transition period and entry into force

After adoption of the CRA by the Council, the CRA will enter into force on the 20th day following its publication in the Official Journal. Most of its provisions will apply 36 months after entry into force, giving manufacturers, importers and distributors of products with digital elements that period to adapt to the new requirements. However, the obligation for manufacturers to report actively exploited vulnerabilities and severe incidents will already apply 21 months after entry into force.

Written by:
Thomas de Weerd
