Last September, the European Commission presented a proposal for a new Regulation, the so-called Cyber Resilience Act (CRA). If approved, it will apply to all connected digital products - with just a few exceptions, mainly in the medical, military, and mobility sphere. Having already looked at the aim of this new Regulation and the different products it applies to, we will now take a closer look at the key requirements for these products and the compliance obligations and penalties for the economic operators that fail to comply.
As we pointed out in a previous blog post, the Cyber Resilience Act was first officially announced in last year’s State of the Union Address by Ursula von der Leyen. To quote the EU Commission President herself: “we cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security. It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy, including legislation on common standards under a new European Cyber Resilience Act.”
The Cyber Resilience Act aims to increase consumer trust and confidence in connected digital products by introducing cybersecurity requirements and mandating conformity assessments for those products. More precisely, the Regulation establishes that such products can only be placed on the EU market if they are compliant with essential cybersecurity requirements, such as:
- being designed, developed, and produced to ensure cybersecurity adequate to the risks (security-by-design and security-by-default are two principles introduced under Article 10(1), read together with Annex I of the Proposal);
- being delivered without known vulnerabilities, and meeting the further cybersecurity criteria that follow from a risk assessment, such as the protection of data and the protection from unauthorised access.
The manufacturers of these connected digital products will also have to follow certain mandatory procedures, such as proactively identifying and addressing risks as well as monitoring and remediating vulnerabilities throughout their products’ entire life cycle. To that end, they will have to provide automatic system updates without delay and free of charge. They will also have to perform regular tests and reviews of their products’ security.
Other procedural requirements for manufacturers are linked to a kind of duty of information. Manufacturers are, for instance, required to:
- facilitate the sharing of information about potential vulnerabilities,
- create and enforce a policy on vulnerability disclosure,
- publicly disclose information about fixed vulnerabilities, once security updates have been made available.
Other economic operators, such as importers and distributors, must also ensure that the connected digital products meet all the necessary requirements before selling them. When they identify a vulnerability in a product, they have to inform the manufacturer immediately. If the product presents a significant cybersecurity risk, the importer should also notify the market surveillance authorities.
The connected digital products that fall within the scope of the Cyber Resilience Act will also have to undergo conformity assessments by their manufacturer, except in certain specific cases. Specific conformity assessments for critical products (class I and II), which are subject to higher cybersecurity risks, must be done by third parties appointed by national authorities.
Penalties for non-compliance with the essential cybersecurity requirements for connected digital products, or with the manufacturer obligations listed above, could reach EUR 15 million, or 2.5% of the annual worldwide turnover, whichever is higher. Penalties for non-compliance with other requirements can reach EUR 10 million, or 2% of the annual worldwide turnover, whichever is higher. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities can cost up to EUR 5 million, or 1% of the annual worldwide turnover, whichever is higher.
The proposal is currently going through the ordinary legislative procedure, during which the European Parliament and the European Council will build their positions on the file before they negotiate to adopt it and before it can enter into force. The proposed Regulation would become applicable 24 months after its entry into force. However, reporting obligations for manufacturers would already apply from 12 months after the entry into force.
Check out our website for more news, articles, and other publications about the EU Institutions. If you have specific questions about this new EU legislation or want to discuss it in more detail, do not hesitate to contact me or my colleagues.