There are only a few days left until the feedback period closes on the European Commission’s proposal for a Cyber Resilience Act (“CRA”) – it isn’t too late to provide a response. Here we explain what this proposal is, why it is so important to the world of connected products and how you can share your thoughts with the Commission.
Background
On 15 September 2022, the Commission published its proposal for the CRA, laying down cybersecurity requirements for connected products, software and certain types of data processing.
The CRA is the first regulation of its kind. It seeks to impose horizontal cybersecurity requirements and to apply more traditional product safety style concepts, such as conformity assessment and CE marking, together with recall and reporting obligations, to cyber risks posed by “products with digital elements”. “Products with digital elements” is defined in the proposal as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”.
This is all to address the new risks and challenges that the Commission perceives are created by connected products and their software. We expect it to have a big impact on many businesses who will have to rethink the way they conceive, design, and manufacture connected products and software to ensure an adequate level of cybersecurity and a system to address possible vulnerabilities.
Feedback on the proposed CRA is open until 23 January 2023 – helpful links can be found at the end of this post.
Who and what will it apply to?
The CRA would establish obligations for manufacturers, importers, authorised representatives and distributors of products with digital elements, as well as persons that “substantially modify” products already placed on the market.
The CRA would apply to products with digital elements, which would include:
- Any device or group of inter-connected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data (e.g. smartphones, laptops, tablets, routers).
- Embedded software (e.g. firmware, basic operating systems, network systems, storage and security management).
- Non-embedded software (standalone software), i.e. software that is additional to the primary function of the device on which it is downloaded, e.g. mobile apps.
The CRA would not apply to software provided as a service, except for the remote data processing solutions related to a product with digital elements.
What is being proposed?
There are several new requirements being suggested. We think the most notable of these are:
- Application of the CE marking model to deal with cyber risks. The draft proposal contains essential requirements for the design, development and production of in scope products. Compliance with the essential requirements would need to be demonstrated as part of the applicable conformity assessment process and the CE mark applied.
- Mandatory third-party conformity assessment for “critical” class products. The default conformity assessment procedure is the self-assessment process. However, products with digital elements classified as “critical” may need to undergo a mandatory third-party conformity assessment.
Specific rules on the conformity assessment of highly critical products with digital elements and high-risk AI systems also apply. On the one hand, to demonstrate conformity, highly critical products with digital elements will need to obtain a cybersecurity certificate. On the other hand, the conformity of high-risk AI systems can be demonstrated either through a self-assessment process or a third-party conformity assessment, depending on whether harmonised standards and technical specifications established under the EU AI Act are available and applied by the manufacturer.
- New post-market obligations continuing during the lifetime of the product. Manufacturers would have to handle vulnerabilities in line with the requirements set out in the CRA. This would include, for example, an obligation to provide security updates during the product’s lifetime or 5 years after the placement on the market, whichever is shorter.
- Reporting of vulnerabilities and incidents to ENISA (the European Agency for Cybersecurity) within 24 hours of becoming aware of an actively exploited vulnerability or incident affecting the security of the product with digital elements. Manufacturers would also have to inform end-users about incidents and indicate the measures they can take to mitigate the effects of the incident. In line with other product legislation, manufacturers would also have to take corrective measures to bring non-compliant products into conformity, recall or withdraw them as appropriate.
- There are also strong proposals for enforcement. Market surveillance authorities would have the power to take corrective actions and order the recall or withdrawal of non-compliant products with digital elements. In exceptional circumstances, the Commission can also request ENISA to carry out an evaluation of the compliance and, on the basis of ENISA’s evaluation, take corrective or restrictive measures (including requiring a product recall). This is a rather significant and important development in the context of product safety law as, typically, corrective actions against non-compliant products are taken by Member States’ competent authorities and not by the Commission.
- There is a significant focus on penalties. Under the proposed CRA, Member States would be able to impose administrative fines up to EUR 15 million or 2.5% of the worldwide annual turnover in case of non-compliance with the essential cybersecurity requirements. Such administrative fines are similar to those set out in the GDPR and the NIS2 Directive, but are a new and significant development in the area of product safety legislation, which typically does not provide for such thresholds. We believe this signals the importance the Commission is attaching to cybersecurity matters and that there will be high expectations from Member States in terms of enforcement.
How will it interact with other legislation and initiatives?
As the proposed CRA would introduce new requirements on products that are also subject to other EU legislation or will be covered by upcoming legislation, this proposal should be considered alongside other legislation and proposals aimed at dealing with risks and challenges posed by connected products. This includes:
- The upcoming ecodesign measures for mobile phones and tablets (see our blog here);
- the Act adopted under the Radio Equipment Directive on cybersecurity requirements;
- the proposed EU AI Act;
- the proposed EU Data Act; and
- the upcoming General Product Safety Regulation (see our blog here).
In addition, the proposed CRA should also be considered in the context of:
- The proposal to revise the Product Liability Directive; and
- The proposal for a new AI Liability Directive
as non-compliance with the CRA requirements may lead to liability claims under these two initiatives.
You can find helpful insights on the proposed revision of the Product Liability Directive and the new AI Liability Directive here and here.
What is the anticipated timeline?
The CRA proposal will be passed to the European Parliament and the Member States in the Council for negotiation, a process which normally takes 1.5-2 years. Depending on how this goes, if the law passes, it could enter into force in 2024/2025. There is currently a 2-year transition period proposed for the majority of the rules, but there is a shorter transition period proposed of 12 months for the new reporting obligations to ENISA. These time periods are relatively short given the extensive obligations that this will create.
Next steps
Given the breadth of the cybersecurity requirements the CRA is seeking to introduce and the products that would be in scope (smartphones, laptops, smart wearables, software, etc.), we recommend that, if this proposal impacts your business, there are two steps that you should consider taking:
- The first, and most immediate, is to submit your views if you have not already done so. The proposal is now nearing the end of its feedback period (closing on 23 January 2023). The feedback will be published on the proposal’s webpage and will be summarised by the Commission before being presented to the European Parliament and the Council, who will analyse the proposal separately in their respective preparatory bodies, before issuing negotiating mandates.
- The second is that, as the proposal progresses, you should evaluate the impact on your business. If it passes, the transition periods (unless extended) are short, so businesses should pre-emptively consider how they might comply with the new rules.
If you would like assistance preparing feedback or assessing the impact on your business of these proposed rules, please contact a member of the Cooley team.