Provisional agreement on the text of the proposed new European Union Cyber Resilience Act (CRA) was reached by the EU institutions on 30 November 2023. The first regulation of its kind, the CRA seeks to impose new cybersecurity requirements, as well as requirements for conformity assessment and CE marking to demonstrate compliance with the new requirements, together with recall and reporting obligations, on ‘products with digital elements’. This is a broad concept that covers connected products, software and certain types of data processing.
Key highlights
While we are waiting for the full text of the provisional agreement to become available, we have listed some key highlights below.
New essential requirements and conformity assessment
We understand that the main elements of the European Commission’s proposal have been retained, such as requirements that ‘products with digital elements’ comply with new essential cybersecurity requirements. Compliance will need to be demonstrated as part of the applicable conformity assessment process, a declaration of conformity will need to be drawn up, and the CE mark will need to be applied.
Post-market requirements
The new rules will also impose post-market obligations, such as obligations to handle vulnerabilities, and a market surveillance framework will be established.
Scope and lists of ‘critical’ products
Under the Commission’s draft legislative proposal, the scope would include ‘products with digital elements’ – defined as any ‘software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately’ – that are connected directly or indirectly to another device or network. The Commission also proposed a number of exceptions. We understand that amendments have been made to the scope, including adjustments to how the rules apply to certain open-source software. There have also been changes to the lists of ‘critical’ products, which can affect the type of conformity assessment process required for a particular product.
Software updates
There will be a requirement for manufacturers of ‘products with digital elements’ to continue to provide security updates. One of the issues we’ve been following in the negotiations is the period for which security updates would need to be provided. While we are keen to see the agreed text to get into the detail on this point, indications are that the agreed text will require security updates to be provided for at least five years, except for products that are expected to be in use for a shorter period of time, in which case that shorter period would apply. In addition, there would be requirements surrounding how security updates are supplied – around automatic installation and the unbundling of security and functionality updates.
Reporting obligations
This was another hot issue in the negotiations. Under the Commission’s proposal, reports of actively exploited vulnerabilities and incidents would need to be made to the European Union Agency for Cybersecurity (ENISA) within 24 hours of the manufacturer becoming aware of any such incident. Under the provisional agreement, it looks like reports would be made to the national computer security incident response teams (CSIRTs) of EU member states. ENISA will still have a role in the process, but with potential restrictions on the information it receives in certain cases.
Transition period
A 36-month transition period has been agreed. However, obligations to report certain incidents and vulnerabilities will apply sooner, 21 months after the CRA enters into force.
A lot of issues will need to be unpacked when the text of the provisional agreement becomes publicly available, which is expected in the coming weeks or early in 2024.
What’s next?
The provisional agreement still needs to be formally approved by the European Parliament and Council, and it’s possible there could be changes along the way (usually legal linguistic amendments, but theoretically other changes also could pass). The text of the legislation will then be signed, be published in the Official Journal of the European Union and enter into force 20 days later to complete the lawmaking process.
In terms of timing, we’d expect this lawmaking process to be completed between the first and second quarters of 2024, with the new requirements starting to apply beginning in Q1 or Q2 2027, and obligations to report incidents and vulnerabilities applying between Q4 2025 and Q1 2026.
Where can I find out more?
The European Commission, Parliament and Council issued press releases after the trilogue agreement was reached. We’ll publish more analysis on our blog when the text of the provisional agreement is available.