The Cyber Resilience Act: Strengthening Cybersecurity in the Digital Age
As the world becomes increasingly interconnected through digitalization and the Internet of Things (IoT), the risks associated with cybersecurity incidents are escalating. These incidents can have profound implications for both the economy and society at large. In response to these challenges, the European Union (EU) has developed a comprehensive regulatory framework aimed at enhancing the cybersecurity of products with digital content. The Cyber Resilience Act (CRA), approved by the EU Parliament and the Council of the EU on October 10, 2024, is set to come into force shortly, marking a significant step in the EU’s cybersecurity strategy.
Background
The EU has been proactive in establishing a robust cybersecurity strategy, which includes various directives and regulations. Notably, the NIS2 Directive, which came into effect in 2023, mandates extensive cybersecurity requirements for companies in specific sectors. Additionally, the Digital Operational Resilience Act (DORA Regulation) has created a harmonized framework for managing cybersecurity and ICT risks within financial markets. Building on these sector-specific provisions, the CRA introduces comprehensive cybersecurity requirements applicable to all products with digital elements, aligning with the New Legislative Framework (NLF) that governs product safety law.
Scope of the Cyber Resilience Act
The CRA applies to all products with digital elements available on the EU market, encompassing both hardware and software that can process, store, or transmit digital data. This broad definition includes commercially marketed IoT products, ensuring that a wide range of digital devices are covered under the regulation. However, services not linked to specific products, such as Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS), are generally excluded unless they are integral to the product’s functionality and developed by the manufacturer.
The CRA also addresses the nuances of free and open-source software, stipulating that it is only subject to the regulation if marketed commercially. For open-source software not intended for commercial use, the obligations fall on "managers of open-source software," who face less stringent requirements.
Certain product categories, such as medical devices and aviation products, are exempt from the CRA because they are already covered by existing cybersecurity regulation. Additionally, small and micro-enterprises are afforded relief in meeting their obligations.
Essential Requirements for Cybersecurity
Under Article 6 of the CRA, products with digital elements must meet essential cybersecurity requirements before being made available on the market. These requirements include ensuring an appropriate level of cybersecurity, having no known exploitable vulnerabilities, and being properly installed and maintained. The CRA emphasizes a risk-based approach, requiring manufacturers to conduct comprehensive cybersecurity risk assessments and document their findings.
Obligations of Manufacturers
Manufacturers bear the most extensive obligations under the CRA. They must ensure that products are designed, developed, and manufactured in compliance with the essential requirements. This includes conducting thorough risk assessments, maintaining technical documentation, and undergoing conformity assessment procedures before market placement. Manufacturers are also responsible for implementing secure default configurations, protecting against unauthorized access, and ensuring automatic security updates.
In addition to these obligations, manufacturers must establish procedures for identifying and addressing vulnerabilities post-market. They are required to report actively exploited vulnerabilities to designated authorities and maintain a single point of contact for user communication.
Responsibilities of Importers and Distributors
Importers and distributors also play crucial roles in ensuring cybersecurity compliance. Importers must verify that manufacturers have fulfilled their obligations before placing products on the market. They are responsible for reporting vulnerabilities and taking corrective actions if products do not meet conformity requirements.
Distributors are tasked with verifying that manufacturers and importers have complied with their obligations, ensuring that products meet essential requirements before market placement. If they become aware of non-compliance, distributors must take immediate action to restore conformity or withdraw the product from the market.
Sanctions for Violations
The CRA establishes a graduated system of penalties for non-compliance. Manufacturers failing to meet essential requirements may face fines of up to EUR 15 million or 2.5% of their total worldwide annual turnover, whichever is higher. Other violations may incur fines of up to EUR 10 million or 2% of turnover. Importantly, small and micro-enterprises and open-source software managers are exempt from certain reporting obligations and associated penalties.
Outlook and Implementation Timeline
With the CRA set to come into force in the coming weeks, affected economic operators will have three years to implement the new requirements. However, obligations related to conformity assessment procedures will take effect within 18 months, and reporting obligations for manufacturers will commence after 21 months. Given the typical development timelines for new products, manufacturers, importers, and distributors must proactively prepare for compliance to avoid severe penalties.
Conclusion
The Cyber Resilience Act represents a significant advancement in the EU’s efforts to bolster cybersecurity across the digital landscape. By establishing clear obligations for manufacturers, importers, and distributors, the CRA aims to create a safer environment for consumers and businesses alike. As the digital world continues to evolve, the CRA will play a critical role in mitigating cybersecurity risks and ensuring the resilience of products with digital elements in the European market.