On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
- the planning, design, development, production, delivery and maintenance of PDEs;
- the prevention and handling of cyber vulnerabilities; and
- the provision of cybersecurity information to users of PDEs.
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.
The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.
Coverage
Under the CRA, a “product with digital elements” is defined broadly as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” The CRA excludes from its scope PDEs that have already been placed on the EU market, unless there have been “substantial modifications in their design or intended purpose.”
Specific rules apply to “critical” PDEs, which are listed in Annex III of the CRA (and can be amended by the Commission). These are divided into two groups based on the level of risk:
- Class 1, which includes ID-management systems, VPNs, browsers, various network systems, mobile device management software, and update/patch management; and
- Class 2, which includes operating systems for servers, desktops, and mobile devices; smartcards, smartcard readers and tokens; microprocessors; and IoT devices intended for use by essential entities under the draft NIS2 Directive (e.g., energy, transport, banking, health, digital infrastructure, public administration and space sectors).
Out of scope
The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the draft NIS2 Directive, or to products already regulated under EU laws that apply to medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or military purposes.
The CRA also does not apply to free and open-source software developed or supplied outside the course of a commercial activity.
Interplay with other EU laws
Given the CRA’s broad scope, it includes various provisions on the interplay with multiple other EU laws, such as the GDPR, the Product Liability Directive, the Radio Equipment Directive (RED), the draft General Product Safety Regulation, the draft Machinery Regulation, the draft AI Act, the draft Regulation on the European Health Data Space, and the draft NIS2 Directive.
The CRA also envisages that compliance may be possible by adopting standards created under the RED Delegated Act and the Cybersecurity Act. For instance, the RED Delegated Act defines the scope of radio equipment subject to essential requirements on cybersecurity, data protection and protection against fraud (e.g., not harming the network or its functioning nor misusing it). In August 2022, the Commission adopted an Implementing Decision with a mandate to CEN-CENELEC to draft harmonized standards to show compliance with essential requirements under the RED.
Obligations
The CRA applies primarily to manufacturers, which are defined broadly as “any natural or legal person who develops or manufactures [PDEs] or has [PDEs] designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” Manufacturers are required to conduct mandatory security assessment requirements in relation to the design, development and production of PDEs; ensure that vulnerability-handling requirements are put in place; and provide necessary information to users. In particular, manufacturers are required to:
- conduct a cybersecurity risk assessment of the PDEs and, based on that assessment, design, develop and produce the PDEs so that they ensure an appropriate level of cybersecurity and are delivered without any known exploitable vulnerability (in accordance with Annex I);
- systematically document relevant cybersecurity aspects of the PDE, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product;
- draw up technical documentation (including the content of Annex V), carry out a conformity assessment (in accordance with Annex VI), maintain an EU declaration of conformity (in accordance with Annex IV), and affix CE marking;
- maintain appropriate policies and procedures to process and remediate potential vulnerabilities in the product reported from internal or external sources;
- provide a set of information and instructions (listed in Annex II) to users of PDEs to allow users to take cybersecurity into account when selecting and using such products;
- report any actively exploited vulnerability—i.e., a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber-threat—contained in the PDE to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it; and
- report any incident having impact on the security of the PDE to ENISA within 24 hours of becoming aware of it.
Importers must only place on the market PDEs that comply with the essential requirements set out under the law, and must ensure that the manufacturer has carried out the appropriate conformity assessment procedures and drawn up the documentation, and that the PDEs bear the CE marking and are accompanied by the required information for users. Importers who identify a vulnerability in a PDE must inform the manufacturer without undue delay, and must immediately inform market surveillance authorities where a PDE presents a “significant cybersecurity risk.”
Enforcement
Under the CRA, market surveillance authorities (MSAs), to be designated or created in each EU Member State, have the primary responsibility for enforcement, including through coordinated sweeps of IoT products made available in the EU. The MSAs shall also cooperate with ENISA and the European Data Protection Board (EDPB).
Moreover, the European Commission can request that an MSA or ENISA evaluate a PDE’s compliance and order that the product be withdrawn or recalled from the market. This power reserved to the Commission is attracting some attention.
Penalties
Member States shall establish penalties applicable to infringements by economic operators, with limits set out in the CRA as follows:
- Non-compliance with the essential requirements set out in Annex I and the obligations for manufacturers shall be subject to administrative fines of up to €15 million or up to 2.5% of global revenue, whichever is higher.
- Non-compliance with other obligations under the CRA shall be subject to administrative fines of up to €10 million or up to 2% of global revenue, whichever is higher.
Where incorrect, incomplete or misleading information is supplied to notified bodies and market surveillance authorities in reply to a request, the offender shall be subject to administrative fines of up to €5 million or up to 1% of global revenue, whichever is higher.
The most onerous obligations imposed on manufacturers and developers of PDEs include mandatory risk and conformity assessment requirements. Moreover, the CRA establishes obligatory notification requirements to the relevant conformity assessment bodies and a framework for market surveillance. Organizations are likely to incur additional compliance costs in order to adhere to these new obligations. In particular, software developers and hardware manufacturers will need to comply with the security requirements and the prescriptive documentation and reporting obligations imposed by the CRA.
Implications
Certain companies may feel comfortable with elements of the CRA that mirror existing good practices. However, many are likely to need to consider carefully the requirements relating to conformity assessments (depending on the nature of their products and how they are classified), technical documentation, and the need to have appropriate policies and procedures for handling cybersecurity vulnerabilities and incidents. In particular, the obligation to report an actively exploited vulnerability in their product, or an incident that impacts the security of their product, adds to the growing burden on companies to notify different types of incident—including personal data breaches, cyber incidents, and sector-specific notification requirements—under EU and other law.
* * *
The Covington Team will continue to review and monitor the progress of the CRA and is happy to assist with any potential inquiry.
(Evangelos Sakiotis of Covington & Burling LLP contributed to the preparation of this blog post.)