How will a new Cyber Resilience Act impact my business?

By Thomas Nygren and Oskar Engman

In short, the CRA lays down rules for ensuring that manufacturers improve the security of products with digital elements (PDE) from the design and development phase throughout the whole life cycle. It also contains provisions that aim to enhance transparency regarding the security properties of PDE's, as well as to enable businesses and consumers to use such products securely.

The CRA will apply to all PDE's whose 'intended and reasonably foreseeable use' includes a direct or indirect logical or physical data connection to a device or network. It does, however, exclude a range of products, such as Software-as-a-service (SaaS) products, medical devices and motor vehicles, since these products are already covered by other legislative acts.

1. Conformity assessments

Before placing a PDE on the market, manufacturers will be required to perform 'conformity assessments' of the PDE and the vulnerability handling processes it has put in place, to demonstrate conformity with a list of 'essential requirements'. The method and contents of the conformity assessment will depend on the PDE's respective cybersecurity requirements. For this purpose, the CRA distinguishes between Class I and Class II-type products, where PDE's in the latter category constitute a higher cyber security risk. Examples of Class I PDE's are network management systems, password managers and standalone and embedded software. Examples of Class II PDE's are general purpose microprocessors, as well as routers and modems intended for connection to the internet, and switches, intended for industrial use. Manufacturers of Class I products are allowed to perform the conformity assessments themselves, whereas manufacturers of Class II products must employ a third party (a 'notified body') to carry out the conformity assessment on their behalf.

2. EU declaration of conformity and CE-marking

Where compliance has been demonstrated by the conformity assessment procedure, manufacturers are required to draw up an EU declaration of conformity and affix the European Conformity (CE) mark in accordance with the provisions in the CRA.

3. Technical documentation

Manufacturers will need to draw up technical documentation before placing a PDE on the market. This documentation must contain all relevant data or details of the means used by the manufacturer to ensure that the PDE and the processes put in place by the manufacturer comply with applicable essential requirements. In addition, the technical documentation must be updated continuously, where appropriate, during the expected product lifetime or five years after placing the product on the market (whichever is shorter). Furthermore, manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for ten years after the PDE has been placed on the market.

4. Information and instructions for use

Before placing a PDE on the market, the manufacturer will need to draw up and provide certain information and instructions for use in a language which can be easily understood by the users. For example, the point of contact where information about cybersecurity vulnerabilities of the PDE can be reported and received. Moreover, the intended use, including the security environment provided by the manufacturer, as well as the PDE's essential functionalities and information about the security properties.

5. Notification periods

Manufacturers must notify the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of any actively exploited vulnerability contained in a PDE. The notification shall include details concerning the vulnerability and, where applicable, any corrective or mitigating measures taken.

6. Market surveillance and enforcement

National market surveillance authorities are given powers to carry out surveillance in their respective member states and to impose administrative fines to enforce compliance with the CRA. According to the proposal, member states shall lay down the rules for administrative fines for non-compliance with the provisions. However, the CRA does establish maximum levels for these fines. In some cases, non-compliance can reach up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

7. Obligations for importers and distributors

Importers and distributors are required to ensure the existence of relevant documentation and CE-marking before placing or making a PDE available on the market. Furthermore, they are required to inform the manufacturer and the relevant market surveillance authorities where a product with digital elements presents a significant cybersecurity risk.

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the CRA is proposed to become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.

The proposed CRA is open for feedback until 22November 2022. If you would like to share your views on the proposal with the European Commission, you can do so by visiting the following link and clicking the yellow "Give feedback" button:

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en