Cyber Resilience: European Parliament formally adopts proposed Regulation


The Cyber Resilience Act (“CRA”), initially proposed by the Commission in September 2022, seeks to protect consumers and businesses from products with inadequate security features.  It will cover a wide range of products such as connected doorbells, smart speakers, wearables, Wi-Fi routers and antivirus software.

The European Parliament has now formally adopted the text agreed with the Council of the EU in November 2023 (previously reported by Wiggin). The key aspects of the adopted text, which includes some amendments to the Commission’s original proposal, are highlighted below.

The CRA applies to “products with digital elements” (“PDEs”), which means any software or hardware product and its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical connection to a device or network.  Remote data processing solutions are processing solutions at a distance which are necessary for the PDE to function (e.g. a service that allows the user to control and monitor his home heating system using a mobile application).

The CRA applies to all economic operators involved in (and throughout) the lifecycle chain of PDEs i.e. manufacturers (and their authorised representatives), importers and distributors with most of the obligations imposed on manufacturers. The CRA has extraterritorial application and applies to entities both inside and outside the EU – to the extent they import, distribute or place on the EU market products in scope of the CRA.

The numerous obligations under the CRA include an obligation to comply with a list of “essential” cybersecurity and vulnerability handling requirements (with a presumption of conformity where the PDE conforms to a published harmonised standard). These include a requirement for the manufacturer to design and develop PDEs to ensure an appropriate level of cybersecurity based on the risks and, on the basis of a risk assessment, to make PDEs available on the market without known exploitable vulnerabilities and with a secure-by-default configuration, and to ensure that vulnerabilities can be addressed through security updates. In respect of vulnerability handling, manufacturers must identify and document vulnerabilities in PDEs and, in relation to the risks posed to PDEs, address and remediate vulnerabilities, such as by providing security updates. The vulnerability handling essential requirements must be observed for the length of time during which the product is expected to be used, which shall not be less than five years (unless the PDE is expected to be in use for less than five years).

PDEs categorised in the Annexes to the CRA as “important” or “critical”, such as password managers and firewalls, are subject to further requirements under the CRA.

Manufacturers are also required to perform conformity assessments of PDEs and the processes put in place by the manufacturer to determine whether the CRA requirements are met. The CRA provides for various types of conformity assessment procedures, in line with the risk level of the PDE and its categorisation. Once compliance with CRA requirements has been demonstrated through the conformity assessment, manufacturers will need to draw up the EU declaration of conformity and affix the “CE” marking to the PDE in line with CRA requirements. They will also need to draw up technical documentation and user instructions in accordance with CRA requirements prior to placing a product on the EU market. PDEs will be subject to market surveillance by competent EU market surveillance authorities throughout the product lifecycle.

The CRA contains detailed reporting obligations, including an obligation on manufacturers to notify any actively exploited vulnerability contained in a PDE, or any severe incident having an impact on the PDE’s security, that it becomes aware of within 24 hours to the competent Cyber Security Incident Response Team (“CSIRT”) and the EU Agency for Cybersecurity (“ENISA”). ENISA will be setting up a single reporting platform for this purpose. The co-legislators have inserted an option to restrict the information sent to ENISA under certain conditions (e.g. where there is an imminent risk from further dissemination), in light of concerns raised that requiring manufacturers to report unpatched vulnerabilities for which they have not yet found a solution would further entice malicious actors to focus on these vulnerabilities and would result in ENISA becoming the primary target of cyber-attacks.

Non-compliance can result in fines up to a maximum of €15m or 2.5% of global turnover.

The text will have to be formally approved by the Council of the EU before it comes into force. The CRA provisions will come into effect three years from the date on which it comes into force, save that the vulnerability reporting requirements will apply 21 months from that date.
