Newsletter

The Cyber Resilience Act enters into force in the EU: Key takeaways for manufacturers and retailers of connected products

by Trygve Karlstad and Luca Tosoni


On 10 December 2024, the Cyber Resilience Act ("CRA") entered into force in the European Union ("EU").

The CRA introduces specific cybersecurity requirements for connected products with a digital component (e.g. baby monitors, smart watches, smart door locks, etc.). Most of these requirements will start to apply from 11 December 2027, and will be applicable also in Norway, once the CRA is incorporated into the EEA Agreement and Norwegian law.

This article outlines the essential aspects of the CRA that companies which are manufacturing or selling Internet of Things ("IoT") devices and other connected products in Europe should keep in mind.

Scope of Application: The CRA applies to connected "products with digital elements", with a few exceptions (e.g., medical devices, cars and products developed for defence purposes fall outside the scope of application of the CRA). In essence, it applies to a very wide range of software and hardware products that are connected directly or indirectly to another device or network, such as smart home devices, wearable devices, internet-connected toys and industrial Internet of Things ("IoT") devices.

The CRA introduces cybersecurity requirements for manufacturers, importers and distributors of these products. In other words, the whole supply chain of these products will be affected by the CRA.

Main Obligations: The CRA introduces cybersecurity requirements governing the planning, design, development, and maintenance of connected "products with digital elements". The requirements differ depending on the risk category of the product. The extent of the obligations also varies depending on whether the relevant business operator is a manufacturer, importer or distributor. The most stringent requirements apply to manufacturers, especially those manufacturing higher risk products (e.g. tamper-resistant microprocessors). The main obligations set out in the CRA are the following:

  • Essential cybersecurity requirements: The CRA establishes a number of essential cybersecurity requirements that all connected products with digital elements must meet. These requirements require, among other things, that the products: have no known exploitable vulnerabilities; have a secure by default configuration; are subject to regular security updates; ensure protection from unauthorised access by appropriate control mechanisms; minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; are designed, developed and produced to limit attack surfaces; provide security related information by recording and monitoring relevant internal activity; and provide the possibility for users to securely and easily remove on a permanent basis all data and settings.

    In essence, connected products with digital elements should be secure by design and by default.
     
  • Conformity assessment: Products with digital elements must undergo specific conformity assessment procedures to demonstrate compliance with the cybersecurity requirements set out in the CRA. These procedures can be more or less stringent depending on the level of risk of the product. They range from a mere self-assessment to a third-party conformity assessment for higher risk products.

    Products with digital elements that are in conformity with EU harmonised standards are presumed to be in conformity with the essential cybersecurity requirements set out in the CRA.
     
  • Vulnerability handling and reporting obligations: Manufacturers must put in place vulnerability handling processes to ensure the cybersecurity of products with digital elements during the whole life cycle. This includes, among other things, regular tests and reviews of the security of their products, keeping a record of the vulnerabilities identified, and providing security updates and patches free of charge.

    Manufacturers must also notify any actively exploited vulnerabilities or severe incidents affecting the security of products with digital components that they become aware of to the competent Computer Security Incident Response Team ("CSIRT") and the European Union Agency for Cybersecurity ("ENISA"). Such notification must be submitted without undue delay, and in any event within 72 hours, through a reporting platform to be managed by ENISA. However, an early warning notification of a severe incident having an impact on the security of a product with digital elements must be submitted within 24 hours, including at least whether the incident is suspected of being caused by unlawful or malicious acts.

    In some circumstances, these notifications may need to be supplemented by other notifications required under different regulatory regimes, such as the General Data Protection Regulation ("GDPR").

  • CE marking requirements: Where compliance of a product with digital elements with the essential cybersecurity requirements set out in the CRA has been verified and demonstrated through a conformity assessment procedure, the manufacturer must affix the "CE marking" on the product.

    Importers and distributors of products with digital components must verify that the products they place on the market bear the CE marking.

Fines: Non-compliance with the cybersecurity requirements set out in the CRA may result in an administrative fine of up to 15 million EUR or 2.5 % of the total worldwide annual turnover of the company, whichever is higher.

Interplay with Other EU Cybersecurity Rules: The CRA complements the cybersecurity requirements set out in other EU rules, such as the GDPR, the Artificial Intelligence Act, the Digital Operational Resilience Act ("DORA"), the Cybersecurity Act and the NIS2 Directive. 

In some circumstances, compliance with the CRA facilitates compliance with other EU requirements. For instance, high-risk AI systems that meet the requirements of the CRA will be deemed to comply with the cybersecurity requirements set out in the AI Act. Furthermore, the CRA will facilitate compliance with supply chain security obligations of entities subject to DORA that use products with digital elements. 

Coming into effect in Norway: It is currently unclear when the CRA will come into effect in Norway. However, the CRA is likely to be deemed EEA-relevant, and should be incorporated into the EEA Agreement and Norwegian law in the coming years. 

Even though most of the obligations introduced by the CRA will not enter into effect immediately, manufacturers and retailers of connected devices and software solutions should begin assessing whether and how the requirements set out in the CRA will apply to them and across their supply chains. Early preparation is likely to be critical to ensure compliance.
