The EU Commission is planning to publish a proposal this year for a new product cybersecurity regulation, the Cyber Resilience Act (CRA). In this article, we explain what the Cyber Resilience Act will mean for companies and provide tips for preparing its implementation in advance.
I. Which companies will be affected by the CRA?
The CRA will define cybersecurity requirements for digital products and associated ancillary services over their entire life cycle. The scope of the CRA is quite broad and will include all products which are not already covered by other EU legislation, such as the Delegated Act under the Radio Equipment Directive (RED) and the Medical Device Regulation (MDR). Aside from hardware products like sensors and cameras, smart cards and mobile devices, and network equipment like routers and switches, the CRA will also cover software products.
II. What is the purpose of the CRA?
The purpose of the CRA is to create a uniform security standard for digital products in the European market. It is designed to meet the growing need for cybersecurity and resilience in IT systems in an increasingly interconnected environment, as well as advancing consumer protection. At the same time, the EU Commission plans to simplify the existing cybersecurity requirements for products in the internal market while accounting for the growing importance of cybersecure products.
III. What should companies be prepared for?
In addition to fundamental cybersecurity requirements, the CRA will define obligations for companies and will include provisions on conformity assessment, notification of conformity assessment bodies and market surveillance. However, the drafting of the CRA is still at an early stage, so the specific provisions it will contain are as yet unclear. The Commission is presently considering various approaches, including:
- voluntary measures, such as voluntary certification systems;
- “ad hoc” regulatory measures, enabling the authorities to add to or modify existing rules whenever new risks emerge;
- a composite approach consisting of binding and non-binding rules and general horizontal regulation.
IV. What happens now?
The EU Commission’s public consultation on the CRA will come to an end on 25 May. The Commission will then draft a proposal for corresponding legislation, taking into account the results of the consultation procedure. The publication of this proposal is scheduled for the third quarter of 2022. When and whether this proposal will take effect cannot be judged at the present time.
V. What should companies do now?
Regardless of which specific path European lawmakers decide on, it is clear that increased cybersecurity requirements are already on the agenda for companies with products in the relevant sector. There is a clear trend towards increased regulation by lawmakers and rising consumer expectations of higher security standards for digital products, not least because threats are steadily mounting. In order to avoid falling behind due to tight implementation periods, companies should proactively examine which new rules will apply to them, so that these can be incorporated into their cybersecurity compliance management systems.