How will the Cyber Resilience Act change cybersecurity requirements for products?

Siyanna Lilova

CEO of CuratedAI

December 11, 2023

4 min read

On 30 November 2023, Parliament and Council negotiators reached an informal agreement on the Cyber Resilience Act (CRA), which aims to ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties. The Act introduces comprehensive cybersecurity requirements for digital products, covering a wide range of connected devices and software. In short, it aims to ensure that products such as connected home cameras, fridges, TVs and toys are safe before they are placed on the European market. Legal professionals need to understand the CRA because of its implications for digital product compliance and cybersecurity standards within the EU.

Key Provisions and Objectives

  • The Cyber Resilience Act establishes EU-wide cybersecurity requirements for the design, development, production, and market availability of products with digital elements. This legislation aims to create a unified cybersecurity standard across the European Union.
  • The scope of the Act encompasses both hardware and software products, with a special focus on connected devices and software used in various sectors.

Enhanced Security Requirements

  • Manufacturers are required to design products to meet essential cybersecurity standards, which include conducting thorough risk assessments and protecting against known vulnerabilities.
  • The Act categorizes products into 'Important' and 'Critical' groups based on the level of cybersecurity risk they pose, tailoring the security requirements according to the risk level.

Transparency and Consumer Protection

  • Under the CRA, there is an obligation to clearly communicate the cybersecurity features of digital products to consumers, enhancing transparency and informed decision-making.
  • The Act mandates that certain products should receive security updates automatically, thus ensuring continuous protection for consumers against evolving cyber threats.

Compliance and Enforcement

  • A significant shift in the CRA is the transfer of compliance responsibility predominantly to manufacturers, which involves conducting cybersecurity risk assessments and issuing declarations of conformity.
  • A market surveillance framework is established to monitor and enforce compliance with the regulations set out in the CRA.

Vulnerability Reporting and Incident Notification

  • The CRA imposes a duty on stakeholders to report identified vulnerabilities and severe security incidents to national cybersecurity authorities and the EU Agency for Cybersecurity (ENISA) within specified time frames.
  • ENISA's role is notably enhanced: it takes a larger part in managing and assessing reported vulnerabilities and incidents.

Compliance Requirements for Manufacturers and Importers

  • Products are subject to conformity assessments to verify adherence to cybersecurity requirements under the CRA.
  • Manufacturers and importers must notify relevant authorities about any vulnerabilities identified in their products.
  • There is an obligation to inform both the authorities and the users of the affected products about severe security incidents.
  • The CRA requires manufacturers to conduct due diligence on imported products to ensure compliance with the established cybersecurity standards.

Transition Period and Future Outlook

Following the provisional agreement between the Council and Parliament on 30 November 2023, work continues at the technical level over the coming weeks to finalise the details of the new regulation. The CRA will be implemented in a phased manner, with full enforcement expected by early 2027. This gradual approach gives manufacturers and other stakeholders time to adapt to the new requirements. The Act is part of a broader EU initiative to strengthen cybersecurity regulation, indicating a continued focus on digital security in the coming years.

List of important resources:

  1. European Council press release on the Cyber Resilience Act, 30 November 2023
  2. European Parliament press release on the Cyber Resilience Act, 1 December 2023
  3. Cyber Resilience Act, Council’s negotiating mandate, 19 July 2023
  4. Regulation on harmonized cybersecurity requirements for products with digital elements (Cyber Resilience Act), Commission proposal, 15 September 2022