EU Publishes Draft Cyber Resilience Act – Lexology

On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.
The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.
Under the CRA, a “product with digital elements” is defined broadly as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” The CRA excludes from its scope PDEs that have already been placed on the EU market, unless there have been “substantial modifications in their design or intended purpose.”
Specific rules apply to “critical” PDEs, which are listed in Annex III of the CRA (and can be amended by the Commission). These are divided into two groups based on the level of risk:
Out of scope
The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the draft NIS2 Directive, or to products already regulated under EU laws that apply to medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or military purposes.
The CRA also does not apply to free and open-source software developed or supplied outside the course of a commercial activity.
Interplay with other EU laws
Given the CRA’s broad scope, it includes various provisions on the interplay with multiple other EU laws, such as the GDPR, the Product Liability Directive, the Radio Equipment Directive (RED), the draft General Product Safety Regulation, the draft Machinery Regulation, the draft AI Act, the draft Regulation on the European Health Data Space, and the draft NIS2 Directive.
The CRA also envisages that compliance may be possible by adopting standards created under the RED Delegated Act and the Cybersecurity Act. For instance, the RED Delegated Act defines the scope of radio equipment subject to essential requirements on cybersecurity, data protection and protection against fraud (e.g., not harming the network or its functioning nor misusing it). In August 2022, the Commission adopted an Implementing Decision with a mandate to CEN-CENELEC to draft harmonized standards to show compliance with essential requirements under the RED.
The CRA applies primarily to manufacturers, which are defined broadly as “any natural or legal person who develops or manufactures [PDEs] or has [PDEs] designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” Manufacturers are required to conduct mandatory security assessments in relation to the design, development and production of PDEs; ensure that vulnerability-handling requirements are put in place; and provide necessary information to users. In particular, manufacturers are required to:
Importers must only place on the market PDEs that comply with the essential requirements set out under the law, and must ensure that the manufacturer has carried out the appropriate conformity assessment procedures and drawn up the technical documentation, and that the PDEs bear the CE marking and are accompanied by the required information for users. Importers who identify a vulnerability in a PDE must inform the manufacturer without undue delay, and must immediately inform market surveillance authorities where a PDE presents a “significant cybersecurity risk.”
Under the CRA, market surveillance authorities (MSAs), to be designated or created in each EU Member State, have the primary responsibility for enforcement, including through coordinated sweeps of IoT products made available in the EU. The MSAs shall also cooperate with ENISA and the European Data Protection Board (EDPB).
Moreover, the European Commission can request that an MSA or ENISA evaluate a PDE’s compliance and order that the product be withdrawn or recalled from the market. This power reserved to the Commission is attracting some attention.
Member States shall establish penalties applicable to infringements by economic operators, with limits set out in the CRA as follows:
Where incorrect, incomplete or misleading information is supplied to notified bodies or market surveillance authorities in reply to a request, the offender shall be subject to administrative fines of up to €5 million or up to 1% of global revenue, whichever is higher.
The most onerous obligations imposed on manufacturers and developers of PDEs include mandatory risk and conformity assessment requirements. Moreover, the CRA establishes obligatory notification requirements to the relevant conformity assessment bodies and a framework for market surveillance. Organizations are likely to incur additional compliance costs in order to adhere to these new obligations. In particular, software developers and hardware manufacturers will need to comply with the security requirements and the prescriptive documentation and reporting obligations imposed by the CRA.
Certain companies may feel comfortable with elements of the CRA that mirror existing good practices. However, many are likely to need to consider carefully requirements relating to conformity assessments depending on the nature of their products and how they are classified; technical documentation; and the need to have appropriate policies and procedures for handling cybersecurity vulnerabilities and incidents. In particular, the obligation to report an actively-exploited vulnerability in their product or an incident that impacts the security of their product adds to the growing burden on companies to notify different types of incident—including personal data breaches, cyber incidents, and sector-specific notification requirements—under EU and other law.
(Anna Oberschelp de Meneses, Evangelos Sakiotis and Diane Valat of Covington & Burling LLP contributed to the preparation of this blog post.)
© Copyright 2006 – 2022 Law Business Research