European Union Information Technology Cyber Resilience Act
To counter the growing number of cyberattacks on connected products, and to raise the level of cybersecurity built into those products, the European Commission has proposed the Cyber Resilience Act (CRA), a set of mandatory cybersecurity requirements that, if enacted, would apply to all products with digital elements whose intended use includes a direct or indirect connection to another device or network.
The CRA seeks to regulate digital products so that they are delivered without known exploitable vulnerabilities and are kept secure throughout their expected lifetime, mainly through the provision of security updates. The Act also seeks to increase transparency towards consumers, allowing them to take cybersecurity into account when selecting a product. The legislation would apply to the hardware and software of all products with digital elements – from smart home assistants to industrial equipment – placed on the EU market, regardless of where they are manufactured. By prohibiting the sale of products with known exploitable vulnerabilities, regulators hope to reduce successful attacks.
Under the CRA, compliant products would carry the CE mark. According to the European Commission, about 90% of products in the scope of the CRA fall into the “default category”, for which a manufacturer self-assessment is sufficient, while about 10% of products are considered “critical products” and will require third-party conformity assessment. Details of the assessment process are still being worked out, as legislators are still debating the final text of the Regulation. If approved, manufacturers of hardware and software will have to test their products regularly for vulnerabilities, while EU member states will enforce compliance through market surveillance authorities. Fines for non-compliance could run up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Products already covered by existing sector-specific regulations, such as medical devices, motor vehicles and defence products, will be exempt from the CRA.
Manufacturers of both hardware and software would be required to report any actively exploited vulnerability in their products to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it.
The trilogue negotiations between the European Commission, the Council and the European Parliament are expected to begin in the fall of 2023.
For more information, please contact the Commercial Service at the US Mission to the EU at Office.BrusselsEC@trade.gov
Additional Resources:
European Cyber Resilience Act (CRA) – European Commission
European Cyber Resilience Act – European Parliament briefing