Newsletter

How will a new Cyber Resilience Act impact my business?

by Thomas Nygren and Oskar Engman


On the 15th of September 2022, the European Commission published a proposal for a regulation, known as the Cyber Resilience Act (CRA), providing horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. In the proposal, the Commission states that hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. It also states that in today's connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole cross-border supply chain within a matter of minutes.

In short, the CRA lays down rules for ensuring that manufacturers improve the security of products with digital elements (PDEs) from the design and development phase throughout the whole life cycle. It also contains provisions that aim to enhance transparency regarding the security properties of PDEs, as well as to enable businesses and consumers to use such products securely.


The CRA will apply to all PDEs whose 'intended and reasonably foreseeable use' includes a direct or indirect logical or physical data connection to a device or network. It does, however, exclude a range of products, such as Software-as-a-service (SaaS) products, medical devices and motor vehicles, since these products are already covered by other legislative acts.


Key provisions under the CRA?


When will the CRA apply?


To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the CRA is proposed to become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.


Final words


The proposed CRA is open for feedback until 22 November 2022. If you would like to share your views on the proposal with the European Commission, you can do so by visiting the following link and clicking the yellow "Give feedback" button:


https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
