The Cyber Resi­li­ence Act EU Com­mis­si­on pro­po­sal published

New requi­re­ments for manu­fac­tu­r­ers of pro­ducts with digi­tal elements

With incre­asing digi­ti­sa­ti­on and the net­wor­king of pro­ducts, thre­ats from digi­tal space are also rising in equal mea­su­re: EU Com­mis­si­on Pre­si­dent von der Ley­en alre­a­dy noted last year during the Sta­te of the Uni­on Address that if ever­y­thing is net­work­ed, ever­y­thing can be hacked. In order to make the EU more resi­li­ent to cyber attacks, the EU Com­mis­si­on announ­ced a “Cyber Resi­li­ence Act” (CRA) last year and published a cor­re­spon­ding pro­po­sal today .

Tar­get group and obligations

In accordance with the EU Com­mis­si­on’s pre­sen­ta­ti­on, the new regu­la­ti­on is inten­ded to estab­lish duties for manu­fac­tu­r­ers of pro­ducts with digi­tal ele­ments and crea­te bin­ding cyber­se­cu­ri­ty requi­re­ments for them. In addi­ti­on to hard­ware pro­ducts, such as sen­sors and came­ras, smart cards, mobi­le devices or net­work devices such as rou­ters and swit­ches, soft­ware pro­ducts and asso­cia­ted ser­vices in par­ti­cu­lar are also to be cover­ed. Howe­ver, cer­tain pro­ducts, such as radio equip­ment or medi­cal devices, which are cover­ed by sector-specific legis­la­ti­on, are exempt from the requi­re­ments of the CRA.

Accor­ding to the pro­po­sal, manu­fac­tu­r­ers of pro­ducts that fall within the scope of the CRA must com­ply with the fol­lo­wing requi­re­ments, among others, in the future:

  1. Pro­ducts must meet basic cyber­se­cu­ri­ty requi­re­ments in terms of design, deve­lo­p­ment and manu­fac­tu­ring pro­ces­ses even befo­re they are laun­ched on the market.
  2. Manu­fac­tu­r­ers must moni­tor digi­tal pro­ducts throug­hout their life­cy­cle and address any vul­nerabi­li­ties through auto­ma­tic and free updates.
  3. In the event of an inci­dent that may affect the secu­ri­ty of the pro­duc­t’s hard­ware and/or soft­ware, manu­fac­tu­r­ers are requi­red to noti­fy the EU cyber­se­cu­ri­ty aut­ho­ri­ty ENISA.

Spe­cial requi­re­ments for “cri­ti­cal products”

Manu­fac­tu­r­ers of what the EU Com­mis­si­on con­siders “cri­ti­cal pro­ducts” must also under­go a spe­cial con­for­mi­ty pro­ce­du­re. To this end, the CRA pro­po­sal divi­des cer­tain pro­ducts into two classes:

  • Class 1 includes, but is not limi­t­ed to, iden­ti­ty manage­ment sys­tems, brow­sers, pass­word mana­gers, anti­vi­rus pro­grams, fire­walls, vir­tu­al pri­va­te net­works (VPNs), com­pre­hen­si­ve IT sys­tems, phy­si­cal net­work inter­faces, and rou­ters and chips used in essen­ti­al faci­li­ties as defi­ned in the Net­work and Infor­ma­ti­on Secu­ri­ty Direc­ti­ve 2 (“NIS‑2 Directive”).
  • The hig­her Class 2 includes, in par­ti­cu­lar, desk­top and mobi­le devices, vir­tua­li­sed ope­ra­ting sys­tems, digi­tal cer­ti­fi­ca­te issuers, general-purpose micro­pro­ces­sors, card rea­ders, robo­tic sen­sors, smart meters and all IoT devices, as well as rou­ters and fire­walls for indus­tri­al use, which is con­side­red a “sen­si­ti­ve environment”.

Accor­ding to the EU Com­mis­si­on’s pro­po­sal, a third-party assess­ment is also to be requi­red for Class 2 products.

Mar­ket sur­veil­lan­ce bodies and sanctions

In order to ensu­re veri­fi­ca­ti­on of com­pli­ance with the requi­re­ments of the CRA, the mem­ber sta­tes are requi­red to estab­lish mar­ket sur­veil­lan­ce bodies, which are to be able to car­ry out EU-wide coor­di­na­ted con­trol mea­su­res. In the event of a vio­la­ti­on, the pen­al­ties include the recall of the rele­vant pro­ducts and fines of up to EUR 15 mil­li­on or 2.5 per­cent of annu­al reve­nue, whi­che­ver is higher.

Expec­ted schedule

Fol­lo­wing the EU Com­mis­si­on’s pro­po­sal published today, the Euro­pean Coun­cil and the Euro­pean Par­lia­ment will now deal with the pro­po­sed legis­la­ti­on. The Com­mis­si­on’s pro­po­sal pro­vi­des for the new requi­re­ments to app­ly 24 months after the regu­la­ti­on enters into force, alt­hough some ele­ments, such as the duty to report secu­ri­ty inci­dents, are to app­ly after 12 months.

Prac­ti­cal implications

The CRA is inten­ded to app­ly to all digi­tal pro­ducts in the Euro­pean sin­gle mar­ket. To avo­id being caught off guard by the tight imple­men­ta­ti­on dead­lines, manu­fac­tu­r­ers should alre­a­dy check the pro­duct requi­re­ments for cyber­se­cu­ri­ty that they will have to com­ply with in the future. Espe­ci­al­ly for pro­ducts that are not yet capa­ble of remo­te secu­ri­ty updates (OTA updates), a cor­re­spon­ding tech­ni­cal chan­nel should be crea­ted. Updata­bi­li­ty is also beco­ming more important than ever in terms of poten­ti­al pro­duct alerts.

Fur­ther­mo­re, it is note­wor­t­hy that the EU Com­mis­si­on has aban­do­ned the con­cept of vol­un­t­a­ry self-commitment by manu­fac­tu­r­ers. Cer­ti­fi­ca­ti­on in accordance with the Cyber Secu­ri­ty Act is the­r­e­fo­re likely to beco­me less important, as is the BSI’s vol­un­t­a­ry IT secu­ri­ty label. Inde­pen­dent of the spe­ci­fic design of the CRA, the­re is also the ques­ti­on of enforce­ment. The GDPR demons­tra­tes that strict legal requi­re­ments wit­hout super­vi­so­ry con­trol are more of a paper tiger. While high fines are envi­sa­ged, data pro­tec­tion super­vi­so­ry aut­ho­ri­ties across Euro­pe com­plain that they are not suf­fi­ci­ent­ly equip­ped eit­her finan­ci­al­ly or in terms of per­son­nel to enforce the law.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.