
The European Union’s Cyber Resilience Act: A New Standard for Cybersecurity of Digital Products
The European Union recently adopted the Cyber Resilience Act (CRA), a piece of legislation that establishes mandatory cybersecurity requirements for products with digital elements. The Act aims to improve the cyber resilience of products placed on the European market, providing greater protection for consumers and businesses.

Scope of the Cyber Resilience Act
The CRA applies to a wide range of products with digital elements, including:
- Internet of Things (IoT) connected devices: such as smart home appliances, wearable devices and home automation systems.
- Standalone software: applications and programmes that operate independently on various devices.
However, there are some exemptions for products already regulated by specific EU regulations, such as:
- Medical devices: regulated by Regulation (EU) 2017/745.
- Motor vehicles: subject to Regulation (EU) 2018/858.
Obligations for Manufacturers
Manufacturers are responsible for ensuring that their products meet essential IT security requirements throughout their entire life cycle. This implies:
- Security by design: implementing security measures at an early stage of product development.
- Risk assessments: conducting in-depth analyses to identify and mitigate potential vulnerabilities.
- Security updates: providing timely patches and updates to address new and emerging threats.
Obligations for Importers and Distributors
Importers and distributors must ensure that the products they place on the market comply with the CRA. Their responsibilities include:
- Verification of compliance: ensuring that manufacturers have carried out the necessary assessments.
- Appropriate documentation: ensuring that products are accompanied by all required information.
Compliance and CE Marking
To demonstrate compliance with the CRA, products must bear the CE marking. To obtain it, manufacturers must produce:
- A Declaration of Conformity: a document demonstrating compliance with the requirements.
- Technical documentation: detailed records of the assessments carried out and the measures taken.
In some cases, a conformity assessment by a notified body may be required.
Sanctions and Enforcement
The CRA provides penalties for non-compliance, which may include:
- Significant fines: financial penalties proportionate to the gravity of the infringement.
- Withdrawal of products from the market: obligation to remove non-compliant products from circulation.
The national authorities of the EU Member States are responsible for enforcement and market surveillance.
Implications for Companies
Companies must carefully assess the requirements of the CRA and take steps to ensure compliance. This may involve:
- Changes to design and development processes: integrating security at an early stage.
- Implementation of new security controls: taking proactive measures to prevent threats.
- Vulnerability management procedures: establishing processes to quickly identify and resolve security holes.
In summary, the Cyber Resilience Act represents a significant step towards strengthening the cyber security of products with digital elements in the EU by imposing clear obligations on manufacturers, importers and distributors to ensure a high level of protection for end users.