The EU Cyber Resilience Act: more cybersecurity for products?

The EU Commission is planning to publish a proposal this year for a new Product Cybersecurity Regulation, the Cyber Resilience Act (CRA). In this article, we explain what the “Cyber Resilience Act” will mean for companies and provide tips on how to prepare for its implementation in advance.

I. Which companies will be affected by the CRA?

The CRA will define cybersecurity requirements for digital products and associated ancillary services over their entire life cycle. The scope of the CRA is quite broad and will include all products which are not covered by other EU legislation, such as the Delegated Act of the Radio Equipment Directive (RED) and the Medical Device Regulation (MDR). Aside from hardware products like sensors and cameras, smart cards and mobile devices, and network equipment like routers and switches, the CRA will also cover software products.

II. What is the purpose of the CRA?

The purpose of the CRA is to create a uniform security standard for digital products in the European market. It is designed to meet the growing need for cybersecurity and resilience in IT systems in an increasingly interconnected environment, as well as to advance consumer protection. At the same time, the EU Commission plans to simplify the existing cybersecurity requirements for products in the internal market while accounting for the growing importance of cybersecure products.

III. What should companies be prepared for?

In addition to fundamental cybersecurity requirements, the CRA will define obligations for companies and will include provisions relating to conformity assessment, notification of conformity assessment bodies and market surveillance. However, the drafting of the CRA is still at an early stage, so the specific provisions it will contain are as yet unclear. The Commission is presently considering various approaches, including:

  • voluntary measures, such as voluntary certification systems;
  • “ad hoc” regulatory measures, enabling the authorities to add to or modify existing rules whenever new risks emerge;
  • a composite approach consisting of binding and non-binding rules and general horizontal regulation.

IV. What happens now?

The EU Commission’s public consultation on the CRA will come to an end on 25 May. The Commission will then draft a proposal for corresponding legislation, taking into account the results of the consultation procedure. The publication of this proposal is scheduled for the third quarter of 2022. When and whether this proposal will take effect cannot be judged at the present time.

V. What should companies do now?

Regardless of which specific path European lawmakers decide on, it is clear that increased cybersecurity requirements are already on the agenda for companies with products in the relevant sector. There is a clear trend towards increased regulation by lawmakers and rising consumer expectations with regard to higher security standards for digital products, not least because threats are steadily mounting. In order to avoid falling behind due to tight implementation periods, companies should proactively examine which new rules will apply to them so that these can be included in their cybersecurity compliance management systems.

