Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market. The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is available here.
The text adopted by the European Parliament is identical to the compromise version between the Parliament and the Council in December 2023, which we described here. To recap, primary obligations in the CRA apply to manufacturers of PDEs, who must:
- implement certain “essential” cybersecurity requirements for their PDEs;
- carry out conformity assessments on PDEs; and
- notify competent authorities and others about identified vulnerabilities and serious cybersecurity incidents.
As with most recent European technology regulation, non-compliance could result in significant fines: up to €15 million or 2.5% of global annual turnover, whichever is higher.
Next steps
The CRA will have to be formally adopted by the Council before it becomes law. That will likely be in April 2024. The final version of the CRA will then be published in the EU’s Official Journal and will enter into force shortly after publication. The majority of the provisions in the CRA will apply in full three years after that date, although the vulnerability and incident reporting obligations will apply after 21 months.
* * *
Covington’s Privacy and Cybersecurity Practice regularly advises on cybersecurity laws in Europe and elsewhere. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.