EU Commission Proposal for a Cyber Resilience Act

On 9/15/2022, the EU Commission published its proposed regulation for a Cyber Resilience Act ("CRA") (2022/0272 (COD)). The CRA contains cybersecurity requirements for products with digital elements. Implementation of these requirements is to be ensured through market surveillance and significant threats of sanctions.

The CRA is part of the EU Commission's Cybersecurity Strategy. Another component of the Cybersecurity Strategy is, for example, the revision of the existing Network and Information Security Directive (NIS Directive) known as the NIS2 Directive. For more information on the NIS2 Directive, please visit our website.

The requirements of the CRA apply to "products with digital elements". The term covers all software and hardware products as well as "remote" data processing solutions without which an intended function of the respective product with digital elements could not be performed. Only some specifically regulated products are excluded from the scope of the CRA. This scope of application is thus conceivably broad. Some essential specifications of the CRA are summarized below.

1. Requirements for products with digital elements

The CRA contains general market access regulations for products with digital elements. These may only be placed on the market if (1) the product itself meets basic cybersecurity requirements and (2) requirements for processes for dealing with cybersecurity vulnerabilities are met.

For product and vulnerability handling process requirements, the CRA distinguishes between (1) "normal," (2) "critical," and (3) "highly critical products" with digital elements in three risk classes. Depending on the classification of a product, different requirements apply. However, manufacturers must always perform a conformity assessment for the specific product and processes. Compliant products must bear a proper CE marking and may only be placed on the market with such a marking.

2. Requirements for market participants

In addition to conformity assessment and CE marking, product manufacturers have other obligations. These include dealing with vulnerabilities, including providing security updates free of charge. This obligation applies for the entire lifetime of the product, but for no longer than 5 years from the first time it is placed on the market in the EU. In addition, manufacturers are required to report certain vulnerabilities and incidents affecting product security to ENISA and to inform users of security incidents.

Importersmust ensure before placing products with digital elements on the market that the manufacturer has conducted a proper conformity assessment and prepared the required technical documentation, and that the product has the CE marking and the required information and instructions for use. Upon knowledge of or suspicion of non-conformity, the importer is required to take corrective action or, if appropriate, cease distribution or recall the product. Significant cybersecurity risks must also be reported by the importer to market surveillance.

Before distributinga product with digital elements, distributors are obliged to satisfy themselves that the CE marking is in order and that the obligations of manufacturers and importers have been fulfilled. In case of knowledge of or suspicion of non-conformity, a distributor is subject to the same obligations as an importer.

3. Sanctioning

The CRA provides for substantial administrative fines for violations. According to the proposed regulation, these amount to up to EUR 15 million or 2.5% of the worldwide turnover in the previous business year for manufacturers, and up to EUR 10 million or 2% of this annual turnover for other violations. If a manufacturer, importer or distributor provides inaccurate, incomplete or misleading information to a conformity assessment body or market surveillance, the possible fines are up to EUR 5 million or 1% of annual turnover, whichever is greater.

4. Implementation periods

The provisions of the CRA are to become applicable 24 months after its entry into force, but the information obligations of manufacturers on exploited vulnerabilities and security incidents are to become applicable after 12 months. The EU Commission's proposal marks the initial start of the EU's process for enacting the Cyber Resilience Act.