How will the Cyber Resilience Act change cybersecurity requirements for products?
On 30 November 2023, Parliament and Council negotiators reached an informal agreement on the Cyber Resilience Act (CRA), which aims to ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties. The Act introduces comprehensive cybersecurity requirements for digital products, covering a wide range of connected devices and software. In short, it aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the European market. Legal professionals need to understand the CRA because of its implications for digital product compliance and cybersecurity standards within the EU.
Key Provisions and Objectives
The Cyber Resilience Act establishes EU-wide cybersecurity requirements for the design, development, production, and market availability of products with digital elements. This legislation aims to create a unified cybersecurity standard across the European Union.
The scope of the Act encompasses both hardware and software products, with a special focus on connected devices and software used in various sectors.
Enhanced Security Requirements
Manufacturers are required to design products to meet essential cybersecurity standards, which include conducting thorough risk assessments and protecting against known vulnerabilities.
The Act categorizes products into 'Important' and 'Critical' groups based on the level of cybersecurity risk they pose, tailoring the security requirements according to the risk level.
Transparency and Consumer Protection
Under the CRA, there is an obligation to clearly communicate the cybersecurity features of digital products to consumers, enhancing transparency and informed decision-making.
The Act mandates that certain products should receive security updates automatically, thus ensuring continuous protection for consumers against evolving cyber threats.
Compliance and Enforcement
A significant shift in the CRA is the transfer of compliance responsibility predominantly to manufacturers, which involves conducting cybersecurity risk assessments and issuing declarations of conformity.
A market surveillance framework is established to monitor and enforce compliance with the regulations set out in the CRA.
Vulnerability Reporting and Incident Notification
The CRA imposes a duty on stakeholders to report identified vulnerabilities and severe security incidents to national cybersecurity authorities and the EU Agency for Cybersecurity (ENISA) within specified time frames.
ENISA's role is notably enhanced, giving it a greater part in managing and assessing reported vulnerabilities and incidents.
Compliance Requirements for Manufacturers and Importers
Products are subject to conformity assessments to verify adherence to cybersecurity requirements under the CRA.
Manufacturers and importers must notify relevant authorities about any vulnerabilities identified in their products.
There is an obligation to inform both the authorities and the users of the affected products about severe security incidents.
The CRA requires manufacturers to conduct due diligence on imported products to ensure compliance with the established cybersecurity standards.
Transition Period and Future Outlook
Following the provisional agreement between the Council and Parliament on 30 November 2023, work continues at the technical level in the coming weeks to finalise the details of the new regulation. The CRA will be implemented in a phased manner, with full enforcement expected by early 2027. This gradual approach allows manufacturers and other stakeholders to adapt to the new requirements. The Act is part of a broader EU initiative to strengthen cybersecurity regulations, indicating a continued focus on digital security in the coming years.
Siyanna Lilova
Dec 4, 2023