The Cyber Resilience Act: A new era for cybersecurity

While the AI Act has garnered significant attention, the European Cyber Resilience Act (‘CRA’) passed the first legislative hurdle on the same date with much less fanfare. With the European Parliament indicating that the Regulation is “close to adoption”, companies dealing with hardware or software should already start considering its broad scope. Below, we briefly explain what constitutes a product with digital elements, what the requirements are for economic operators placing such products on the market, and what you can do today.

What is the Cyber Resilience Act?

The CRA is a proposed European Regulation aiming to establish a horizontal, technology-neutral framework setting minimum cybersecurity requirements for most software and hardware products. These products are termed “products with digital elements” under the CRA.

By establishing these minimum requirements, the European legislator aims to address the generally low level of cybersecurity in the Union for products with digital elements and the low user awareness of cybersecurity in general. Given the increasing number of connected devices and the fragmented legislative landscape for cybersecurity requirements, there is a high level of urgency for legislation such as the CRA.

The CRA imposes requirements for products with digital elements and obligations for economic operators, including manufacturers, distributors, and importers of such products.

What are Products with Digital Elements?

Products with digital elements include both hardware and software that have a direct or indirect, logical or physical data connection to a device or network. Without such a data connection, the product does not qualify as a product with digital elements. However, in today’s digital world, many products have this capability to transmit or receive data.

These products are divided into four categories, ranging from general products with digital elements to important (class I and II) and critical ones.

The CRA also applies to remote data processing solutions and components integrated into products with digital elements. Remote data processing solutions include solutions such as databases and as-a-service solutions providing one or more functionalities to these products. Components integrated into these products can qualify as products with digital elements themselves, requiring due diligence checks by manufacturers before inclusion.

It is clear that the CRA has a broad scope, and manufacturers will need to perform identification and qualification exercises to ensure compliance.

What are the obligations of economic operators?

The CRA places significant responsibilities on the manufacturer of products with digital elements. Manufacturers must ensure their products comply with the essential requirements outlined in Annex I of the CRA and implement policies, processes, and procedures to ensure compliance throughout the design, development, and maintenance stages, including vulnerability handling.

Products with digital elements must undergo conformity assessments, similar to those required under other Union harmonisation legislation such as the Machinery Regulation, Medical Device Regulation, and new Artificial Intelligence Regulation. Depending on the product category, these assessments can be performed by the manufacturer or a third party.

Manufacturers are also obligated to report actively exploited vulnerabilities and severe incidents, with the option to report other incidents, threats, and vulnerabilities voluntarily.

Other economic operators, including importers, distributors, and authorized representatives, have obligations flowing down from those of the manufacturer and are responsible for verifying product compliance and maintaining documentation for relevant authorities.

When Will the CRA’s Provisions Take Effect?

On March 12, 2024, the European Parliament passed an amended version of the CRA after its first reading. The CRA proposal is now with the Council for its first reading. Official sources indicate that the proposal is “close to adoption”.

Once adopted, the CRA will become fully applicable 36 months after its entry into force, meaning products with digital elements commercialised before that date will fall outside its scope unless substantially modified. Certificates and approvals under other European harmonisation legislation will remain valid for up to 42 months after the CRA’s entry into force.

However, please be aware that the reporting obligations under the CRA will become fully applicable from the date of entry into force.

What Can You Do Today?

Organisations should start preparing now, as compliance will take time. Relevant actions include:

  • Assessing and categorising products and services (including software) as products with digital elements within the CRA’s scope. The CRA’s extensive range means many offerings could fall under its scope.
  • Determining the CRA’s applicable requirements. Given the broad scope, compliance requirements will vary depending on the specific products with digital elements.
  • Modifying products with digital elements to meet the identified criteria. This may require significant adjustments, particularly for products in advanced development stages or with established market presence.
  • Compiling requisite documentation to meet CRA standards. This includes updates to technical files, legal documents, and establishing procedures for vulnerability management.
  • Performing conformity assessments, internally or through a mandatory external party, based on the categorisation of the products with digital elements. Organisations with regulated products under other legislation may find this process more manageable.
  • Implementing procedures to sustain compliance and respond to changes and incidents, with ongoing recognition of evolving cybersecurity requirements.

Author: Pedro Demolder
