On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:

  1. the planning, design, development, production, delivery and maintenance of PDEs;
  2. the prevention and handling of cyber vulnerabilities; and
  3. the provision of cybersecurity information to users of PDEs.

The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.

The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.

The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.

Coverage

Under the CRA, a “product with digital elements” is defined broadly as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” The CRA excludes from its scope PDEs that have already been placed on the EU market, unless there have been “substantial modifications in their design or intended purpose.”

Specific rules apply to “critical” PDEs, which are listed in Annex III of the CRA (and can be amended by the Commission). These are divided into two groups based on the level of risk:

  • Class 1, which includes ID-management systems, VPNs, browsers, various network systems, mobile device management software, and update/patch management; and
  • Class 2, which includes operating systems for servers, desktops, and mobile devices; smartcards, smartcard readers and tokens; microprocessors; and IoT devices intended for the use by essential entities under the draft NIS2 Directive (e.g., energy, transport, banking, health, digital infrastructure, public administration and space sectors).

Out of scope

The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the draft NIS2 Directive, or to products already regulated under EU laws that apply to medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or military purposes.

The CRA also does not apply to free and open-source software developed or supplied outside the course of a commercial activity.

Interplay with other EU laws

Given the CRA’s broad scope, it includes various provisions on the interplay with multiple other EU laws, such as the GDPR, the Product Liability Directive, the Radio Equipment Directive (RED), the draft General Product Safety Regulation, the draft Machinery Regulation, the draft AI Act, the draft Regulation on the European Health Data Space, and the draft NIS2 Directive.

The CRA also envisages that compliance may be possible by adopting standards created under the RED Delegated Act and the Cybersecurity Act. For instance, the RED Delegated Act defines the scope of radio equipment subject to essential requirements on cybersecurity, data protection and protection against fraud (e.g., not harming the network or its functioning nor misusing it). In August 2022, the Commission adopted an Implementing Decision with a mandate to CEN-CENELEC to draft harmonized standards to show compliance with essential requirements under the RED.

Obligations

The CRA applies primarily to manufacturers, which are defined broadly as “any natural or legal person who develops or manufactures [PDEs] or has [PDEs] designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” Manufacturers are required to conduct mandatory security assessment requirements in relation to the design, development and production of PDEs; ensure that vulnerability-handling requirements are put in place; and provide necessary information to users. In particular, manufacturers are required to:

  • conduct a cybersecurity risk assessment of the PDEs and, based on that assessment, design, develop and produce the PDEs so that they ensure an appropriate level of cybersecurity and are delivered without any known exploitable vulnerability (in accordance with Annex I);
  • systematically document relevant cybersecurity aspects of the PED, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product;
  • draw up technical documentation (including the content of Annex V), carry out a conformity assessment (in accordance with Annex VI), maintain an EU declaration of conformity (in accordance with Annex IV), and affix CE marking;
  • maintain appropriate policies and procedures to process and remediate potential vulnerabilities in the product reported from internal or external sources;
  • provide a set of information and instructions (listed in Annex II) to users of PDEs to allow users to take cybersecurity into account when selecting and using such products;
  • report any actively exploited vulnerability—i.e., a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber-threat—contained in the PDE to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it; and
  • report any incident having impact on the security of the PDE to ENISA within 24 hours of becoming aware of it.

Importers must only place on the market PEDs that comply with the essential requirements set out under the law, and ensure that the manufacturer has carried out the appropriate conformity assessment procedures, drawn up the documentation, and that PEDs bear the CE marking and is accompanied by required information for users. Importers who identify a vulnerability in a PDE must inform the manufacturer without undue delay, and must inform immediately market surveillance authorities where a PDE presents a “significant cybersecurity risk.”

Enforcement

Under the CRA, market surveillance authorities (MSAs), to be designated or created in each EU Member State, have the primary responsibility for enforcement, including through coordinated sweeps of IoT products made available in the EU. The MSAs shall also cooperate with ENISA and the European Data Protection Board (EDPB).

Moreover, the European Commission can request that an MSA or ENISA evaluate a PDE’s compliance and order that the product be withdrawn or recalled from the market. This power reserved to the Commission is attracting some attention.

Penalties

Member States shall establish penalties applicable to infringements by economic operators, with limits set out in the CRA as follows:

  • Non-compliance with essential requirements set out in Annex I and obligations for manufactures shall be subject to administrative fines of up to €15 million or up to 2.5% of its global revenue, whichever is higher.
  • Non-compliance with other obligations under the CRA shall be subject to administrative fines of up to €10 million or up to 2% of global revenue, whichever is higher.

In case incorrect, incomplete or misleading information is supplied to notified bodies and market surveillance authorities in reply to a request, the offender shall be subjected to administrative fines of up to €5 million or up to 1% of global revenue, whichever is higher.

The most onerous obligations imposed on manufacturers and developers of PDEs include mandatory risk and conformity assessment requirements. Moreover, the CRA establishes obligatory notification requirements to the relevant conformity assessment bodies and a framework for market surveillance. Organizations are likely to incur additional compliance costs in order to adhere to these new obligations. In particular, software developers and hardware manufacturers will need to comply with the security requirements and the prescriptive documentation and reporting obligations imposed by the CRA.

Implications

Certain companies may feel comfortable with elements of the CRA that mirror existing good practices. However, many are likely to need to consider carefully requirements relating to conformity assessments depending on the nature of their products and how they are classified; technical documentation; and the need to have appropriate policies and procedures for handling cybersecurity vulnerabilities and incidents. In particular, the obligation to report an actively-exploited vulnerability in their product or an incident that impacts the security of their product adds to the growing burden on companies to notify different types of incident—including personal data breaches, cyber incidents, and sector-specific notification requirements—under EU and other law.

*                      *                      *

The Covington Team will continue to review and monitoring the progress of the CRA and is happy to assist with any potential inquiry.

(Evangelos Sakiotis and Diane Valat of Covington & Burling LLP contributed to the preparation of this blog post.)

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Cándido García Molyneux Cándido García Molyneux

Cándido García Molyneux is a Spanish of counsel in the Brussels office of Covington & Burling.  His practice focuses on EU environmental law, renewable energies, and international trade law.  He advises clients on legal issues concerning environmental product regulation, emissions trading, renewable energies…

Cándido García Molyneux is a Spanish of counsel in the Brussels office of Covington & Burling.  His practice focuses on EU environmental law, renewable energies, and international trade law.  He advises clients on legal issues concerning environmental product regulation, emissions trading, renewable energies, energy efficiency, shale gas, chemical law, product safety, waste management, and international trade law and non-tariff trade barriers.  Mr. García Molyneux was very much involved in the legislative process that led to the revision and amendment of the ETS Directive and Renewable Energies Directive.  He is an external professor of environmental law and policy at the College of Europe.

Photo of Bart Szewczyk Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He…

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth..

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign AffairsForeign PolicyHarvard International Law JournalColumbia Journal of European LawAmerican Journal of International LawGeorge Washington Law ReviewSurvival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.