Stricter cybersecurity rules to apply to products

While much political attention focused on the intense negotiations on the AI Act at the end of last year, another important piece of legislation was also moving towards the finish line. On 27 November 2023, European parliamentarians and the Council struck a provisional deal on the Cyber Resilience Act (CRA), which will introduce new cyber security and cyber resilience obligations to protect digital products in the EU from cyber threats.

On a high level, the Cyber Resilience Act:

  • introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, including office applications, smart speakers, hard drives, games, operating systems, network interfaces, firewalls and computers and smartphones;
  • rebalances responsibility for compliance towards manufacturers, who must meet obligations such as providing cybersecurity risk assessments with regard to these products, issuing declarations of conformity, and cooperating with the competent authorities, all for a set period or the expected lifetime of the product;
  • provides for transparency obligations regarding the security aspects of hardware and software products to allow consumers to take cybersecurity into account when selecting and using products that contain digital elements; and
  • obligates manufacturers to ensure continued security of their products and put in place vulnerability handling processes to ensure the cybersecurity of digital products, including obligations for importers or distributors in relation to those processes.

This proposal should be seen in context of the wider EU cybersecurity framework, including NIS2 and the Digital Operational Resilience Act (DORA). The CRA aims to fill the gaps and make existing cybersecurity legislation more coherent by imposing security obligations on hardware and software throughout the supply chain and throughout the product lifecycle.

What are the main elements of the political agreement?

  • On the product lifetime it was agreed that the manufacturer’s support period for a connected product should correspond to its expected lifetime and that a support period of at least five years is indicated, except for products which are expected to be in use for a shorter period of time;
  • The European Parliament and the Council reached an agreement on two different lists for important and critical products based on their criticality and the level of cybersecurity risk. For instance, for connected products with a cybersecurity-related functionality and a function which carries a significant risk of adverse effects, third party conformity assessments will be required before the placing on the market. For products with slightly lower risk profiles, such as identity management systems, biometric readers, standalone and embedded browsers, VPN products and network management systems, manufacturers should perform conformity assessments via their internal control procedures;
  • Products should also have security updates installed automatically and separately from functionality ones;
  • The Commission will need to adopt further rules to specify the definitions of the product categories;
  • The new rules will apply three years after the law enters into force. Manufacturers, importers and distributors of hardware and software products will have to adapt to the new requirements within this time period;
    • In relation to the reporting obligation of manufacturers for incidents and vulnerabilities, there is a more limited 21-month grace period;
  • Additional support measures for small and micro enterprises were included, such as specific awareness-raising and training activities, as well as support for testing and conformity assessment procedures.

Two European standardisation organisations, CEN and CENELEC, are now developing standards and common specifications that should be ready within the three-year period.

Next steps

The agreed text is now being finalised in technical meetings. The final text will then need to be formally adopted by both the European Parliament and the Council before it is published in the EU Official Journal and becomes law.

For more information, please contact Feyo Sickinghe, Natallia Karniyevich and Berend van der Eijk.
