On September 15, 2022, the European Commission (EC) published a Proposal for a Cyber Resilience Act (CRA Proposal) that sets out new rules in the European Union (EU) for software and hardware products and their remote data processing solutions. The CRA Proposal introduces mandatory cybersecurity requirements and reporting obligations, including obligations to report product vulnerabilities, for manufacturers, importers, and distributors of such products. The potential sanctions include withdrawal of the product from the EU market and fines of up to EUR 15 million or 2.5 percent of total worldwide annual turnover for the preceding financial year.
The European Parliament and the Council of the EU will now examine the CRA Proposal.[1] The legislative process to formally adopt it is likely to last a few years.
The CRA Proposal is intended to fill gaps in the EU-wide cybersecurity legislation, which currently consists of rules on services provided by essential and important entities[2] and a voluntary European cybersecurity certification framework.[3] Compliance with the CRA Proposal may also facilitate compliance with the personal data security obligations under the EU General Data Protection Regulation and with certain obligations under the Artificial Intelligence Act,[4] which is still in the legislative pipeline.
The United Kingdom (UK) may soon enact similar legislation with the Product Security Bill, which will impose obligations on companies manufacturing, importing or distributing smart consumer products. In addition, on September 1, 2022, the UK Home Office launched a public call for information on addressing unauthorized access to online accounts and personal data, seeking input on where responsibility for ensuring better protection of personal data should lie. An announcement accompanying the call for information notes that this could be achieved through supplementing existing obligations under the Data Protection Act 2018 and UK General Data Protection Regulation.
The CRA Proposal applies to “products with digital elements” placed on the EU market. This term is defined as “any software or hardware products and their remote data processing solutions, including software or hardware components to be placed on the market separately, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.” Among the examples of products subject to the CRA Proposal are photo editing and word processing products, smart speakers, hard drives, and games.
Within the products subject to the CRA Proposal, the EC identifies a group of critical products, which are divided into two classes according to their level of cybersecurity risk:
- Class I products, for example standalone and embedded browsers, network interfaces, firewalls, and mobile device management software; and
- Class II products, which are exposed to a greater cybersecurity risk, for example operating systems for servers, desktops and mobile devices, and routers, modems intended for connection to the internet, and switches intended for industrial use.
Excluded from the scope of the CRA Proposal are:
- Products that were placed on the EU market before the date of application of the CRA Proposal, provided that those products are not subject to substantial modifications in their design or intended purpose. However, the reporting obligations (explained below) apply to all products irrespective of the date on which they were placed on the EU market.
- Software that is only made available on the EU market during a limited period for testing purposes.
- Medical devices,[5] products covered by EU vehicle safety requirements,[6] and products in the field of civil aviation that hold a relevant certification.[7]
The CRA Proposal applies to both EU and non-EU manufacturers, importers, and distributors of products with digital elements, as long as those products are placed on the EU market. The main obligations are as follows:
- Essential cybersecurity requirements. Manufacturers must comply with what the CRA Proposal defines as “essential cybersecurity requirements” (see Section 1 of Annex I of the CRA Proposal). Examples of such requirements include protection from unauthorized access, protecting the availability of essential functions, and designing, developing and producing the product in a way that limits attack surfaces.
- Cybersecurity risk assessment. Manufacturers must assess the cybersecurity risks associated with the product and take the outcome of that assessment into account during the entire life cycle of the product, from planning to maintenance.
- Conformity assessment. Before placing the product on the EU market, manufacturers must conduct a conformity assessment. Manufacturers can choose between different types of conformity assessments ranging from internal control for non-critical products to full quality assurance.
- Documentation. Manufacturers must put in place appropriate policies and procedures, including a coordinated vulnerability disclosure policy, and maintain documentation of the relevant cybersecurity aspects of the product, including vulnerabilities of which the manufacturer becomes aware.
- Reporting obligations. Manufacturers must notify the EU Agency for Cybersecurity (ENISA) of (i) any actively exploited vulnerability contained in the product, and (ii) any incident having an impact on the security of the product, within 24 hours of becoming aware of it. Manufacturers must also inform the product users without undue delay of any incident having an impact on the security of the product and, where possible, indicate corrective measures that users can deploy to mitigate its impact.
- Product vulnerability notification. Importers and distributors must inform the manufacturer without undue delay of any vulnerability they identify in a product. They must also immediately inform the market surveillance authorities of the Member States in which they made the product available of any non-conformity of the product that presents a significant cybersecurity risk, and of any corrective measures taken.
Sweeps and Sanctions
- Sweeps. Market surveillance authorities may decide to conduct simultaneous coordinated control actions (sweeps) on specific products to verify compliance with the CRA Proposal.
- Fines. Companies may face administrative fines for: (i) non-compliance with essential cybersecurity requirements of up to EUR 15 million or 2.5 percent of their total worldwide annual turnover (whichever is greater), (ii) non-compliance with other obligations under the CRA Proposal of up to EUR 10 million or 2 percent of their total worldwide annual turnover (whichever is greater), and (iii) notification of incorrect, incomplete or misleading information to relevant bodies of up to EUR 5 million or 1 percent of their total worldwide annual turnover (whichever is greater).
- Product recall or withdrawal. Where a manufacturer's non-compliance concerning the conformity marking or technical documentation persists, market surveillance authorities may order the manufacturer to recall the product or to withdraw it from the EU market.
Once adopted, the CRA will significantly alter the regulatory landscape for manufacturers, importers, and distributors of software and hardware products in the EU. Companies should consider reviewing the scope of the CRA Proposal to assess whether their products could fall within it. If so, they should begin analyzing the obligations in the CRA Proposal to assess their potential impact. We will publish further alerts covering the next steps in the adoption of the CRA Proposal as they occur.
[3] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[4] Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts.