Cybersecurity

CRA – European Cyber Resilience Act

Latest Developments

12 March 2024 – the text of the Cyber Resilience Act was approved by the Parliament. 

15 September 2022 – the Commission published a Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act).

Summary

With the aim of creating the first EU-wide legislation of its kind and of protecting consumers and businesses from products with inadequate security features, the European Commission presented on 15 September 2022 a proposal for a new European Cyber Resilience Act. The Act introduces horizontal, mandatory cybersecurity requirements for products with digital elements that are not specific to any sector and that apply throughout the products' whole lifecycle. The proposal complements the requirements under the proposal for a NIS2 Directive, which aims at ensuring a high level of cybersecurity of services provided by essential and important entities.

How could it be relevant for you?

The Cyber Resilience Act will apply to manufacturers, importers and distributors, the so-called economic operators. Within the scope of this new draft regulation are all products that are connected either directly or indirectly to another device or network, such as smart Internet of Things devices, computers, mobile devices, operating systems and apps, as well as safety-critical components that are installed in networks or industrial facilities. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as those for medical devices, aviation or cars.

The proposed measures lay down:

  1. Rules for the placing on the market of products with digital elements to ensure their cybersecurity;
  2. Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
  3. Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle as well as obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents; and
  4. Rules on market surveillance and enforcement.

The core elements of the Cyber Resilience Act are the essential requirements that all products with digital elements must fulfil. These include security-by-design features, such as ensuring protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems. Cybersecurity is to be considered part of the design process and throughout the development and manufacturing process, across the whole product life cycle. Under the Commission's plans, no product may be delivered with known vulnerabilities.

In case of non-compliance with the essential cybersecurity requirements, the draft foresees administrative fines of up to EUR 15 million or, if the offender is an undertaking, up to 2.5 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Next steps

The text still needs to be formally adopted by the Council before it can enter into force. 

*Information is accurate up to 22 April 2024
