The EU Cyber Resilience Act: more cybersecurity for products?

The EU Commission is planning to publish a proposal this year for a new Product Cybersecurity Regulation, the Cyber Resilience Act (CRA). In this article, we explain what the Cyber Resilience Act will mean for companies and provide tips for preparing for its implementation in advance.

I. Which companies will be affected by the CRA?

The CRA will define cybersecurity requirements for digital products and associated ancillary services over their entire life cycle. The scope of the CRA is quite broad and will include all products not already covered by other EU legislation, such as the Delegated Act of the Radio Equipment Directive (RED) and the Medical Device Regulation (MDR). Aside from hardware products like sensors and cameras, smart cards and mobile devices, and network equipment like routers and switches, the CRA will also cover software products.

II. What is the purpose of the CRA?

The purpose of the CRA is to create a uniform security standard for digital products in the European market. It is designed to meet the growing need for cybersecurity and resilience in IT systems in an increasingly interconnected environment, as well as to advance consumer protection. At the same time, the EU Commission plans to simplify the existing cybersecurity requirements for products in the internal market while accounting for the growing importance of cybersecure products.

III. What should companies be prepared for?

In addition to fundamental cybersecurity requirements, the CRA will define obligations for companies and will include provisions relating to conformity assessment, notification of conformity assessment bodies and market surveillance. However, the drafting of the CRA is still in its early stages, so the specific provisions it will contain are as yet unclear. The Commission is presently considering various approaches, including:

  • voluntary measures, such as voluntary certification systems;
  • “ad hoc” regulatory measures, enabling the authorities to add to or modify existing rules whenever new risks emerge;
  • a composite approach consisting of binding and non-binding rules and general horizontal regulation.

IV. What happens now?

The EU Commission’s public consultation on the CRA will come to an end on 25 May. The Commission will then draft a proposal for corresponding legislation, taking into account the results of the consultation procedure. The publication of this proposal is scheduled for the third quarter of 2022. When and whether this proposal will take effect cannot be judged at the present time.

V. What should companies do now?

Regardless of which specific path European lawmakers decide on, it is clear that increased cybersecurity requirements are already on the agenda for companies with products in the relevant sector. There is a clear trend towards increased regulation by lawmakers and rising consumer expectations of higher security standards for digital products, not least because threats are steadily mounting. To avoid falling behind due to tight implementation periods, companies should proactively examine which new rules will apply to them so that these rules can be incorporated into their cybersecurity compliance management systems.
