The proposed Cyber Resilience Act seeks to establish fundamental requirements for all products with digital elements and thereby ensure greater cybersecurity
On 15 September 2022, the European Commission presented its proposal for the Cyber Resilience Act (Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, the “Draft CRA”).
In this article we summarise the essential contents of the Draft CRA.
In September 2021, the European Commission announced the proposed legislation. The rationale behind the proposal was that increasingly frequent cyber-attacks are causing immense financial damage as well as compromising the security of both companies and citizens based in the European Union.
The Draft CRA sets out conditions that will apply to products with digital elements and will require such products to meet cybersecurity requirements throughout their lifecycle. In addition, increased transparency requirements are intended to ensure that users take cybersecurity characteristics into account when selecting and using products, and are therefore better protected against cyberattacks.
Scope of the Draft CRA
The material scope of the Draft CRA is broad: it covers all products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Under the proposed definition, a “product with digital elements” is any software or hardware product and its remote data processing solutions, including software or hardware components that are placed on the market separately.
Products in scope are further divided according to their predicted level of cybersecurity risk. Most products fall into the default category; products deemed “critical” are listed in Annex III and split into Class I and Class II, with stricter requirements applying as criticality increases.
The Draft CRA does not explicitly stipulate a territorial scope of application, and the recitals provide no guidance in this regard either. This creates a fair degree of uncertainty as to whether companies outside the European Union would be required to comply with its provisions and, if so, which ones. Nevertheless, the obligations attach to the placing of a product on the Union market, and importers may only place compliant products on that market, so the Draft CRA appears to intend that manufacturers established outside the EU are caught as well.
In addition, products that are already the subject of other European legislation, such as medical devices, are explicitly excluded from the scope of the Draft CRA. With regard to those products, the European Commission assumes that the requirements of the Draft CRA are already sufficiently included in the specific legislation applicable to them.
Obligations of economic operators
The Draft CRA lays out different obligations for entities depending on their classification as either a manufacturer, importer or distributor.
However, the fundamental objective remains the same for all three types of entity: namely that the relevant products comply with the “essential cybersecurity requirements and obligations”, which are primarily set out in Annex I of the Draft CRA. These cover, in particular, the design, development and production of the products concerned in accordance with certain legal and technical parameters, as well as effective vulnerability handling processes. For the most part, the obligations are not one-off: vulnerabilities must be handled effectively for the expected product lifetime or for five years from the placing on the market of the product, whichever is shorter.
For the implementation of these requirements, the Draft CRA provides for a transition period of 24 months after the finalised Cyber Resilience Act enters into force; the manufacturer’s obligation to notify ENISA of actively exploited vulnerabilities and of incidents affecting the security of a product (within 24 hours of becoming aware of them) would apply after just 12 months. This is likely to present significant challenges for many companies, given that product development and manufacturing cycles are planned over a significantly longer period. Changing product development plans is likely to be costly and may also disrupt the release dates of new products.
Conformity of the products with digital elements
Products subject to the Draft CRA are required to meet certain cybersecurity characteristics. In line with the harmonisation approach of European product legislation, manufacturers may rely on harmonised European standards for this purpose: products that conform to such standards are presumed to also meet the corresponding requirements of the Draft CRA, although this presumption is rebuttable. Where no harmonised standards exist, the European Commission may adopt common specifications by way of implementing acts, which carry the same presumption of conformity.
To demonstrate compliance with their obligations, manufacturers are required to conduct a conformity assessment. The procedure depends on the risk classification of the product: for the default category, a manufacturer’s self-assessment (internal control) suffices; for critical products of Class I, self-assessment is only possible where harmonised standards, common specifications or a European cybersecurity certification scheme have been applied in full, and otherwise a notified body must be involved; for critical products of Class II, involvement of a notified body is mandatory (EU-type examination followed by conformity to type, or full quality assurance). For each of these procedures, Annex VI of the Draft CRA sets out the steps that must all be completed in order to pass.
Competent bodies and regulatory powers
The Draft CRA also provides for extensive involvement of public authorities. The European Commission, ENISA (the European Union Agency for Cybersecurity) and national market surveillance authorities are granted comprehensive market monitoring, investigative and regulatory powers. For cross-border matters, the Draft CRA also sets out procedures and principles for cooperation between these authorities where they disagree on the interpretation and application of the law.
Authorities are also given the power to carry out so-called “sweeps”, which stand out as a particularly far-reaching instrument. Sweeps are unannounced, simultaneous and coordinated control actions by market surveillance authorities, directed at particular products or product categories and intended to establish whether the requirements of the Draft CRA are being complied with. Notably, sweeps may be carried out simultaneously by several authorities in close coordination, enabling the investigation of cross-border matters. It remains unclear how the rights and freedoms of citizens who own and actively use products that are the subject of a sweep will be protected in the process.
Risks of administrative fines
The Draft CRA provides for a tiered system of administrative fines for non-compliance, which follows the model of recent European legislation and is intended primarily as a deterrent. Non-compliance with the essential cybersecurity requirements of Annex I or with the manufacturer’s core obligations can attract fines of up to EUR 15 million or 2.5 % of total worldwide annual turnover for the preceding financial year, whichever is higher; non-compliance with other obligations under the Regulation up to EUR 10 million or 2 %; and the supply of incorrect, incomplete or misleading information to notified bodies or market surveillance authorities up to EUR 5 million or 1 %.
In this context, significant legal uncertainties are likely to arise, mainly because Member States are to lay down the rules on penalties and the procedure for imposing them. Although the Draft CRA specifies certain parameters, in particular criteria for calculating the amount of a fine, the proposed regulation raises considerable concerns as to the uniform interpretation and application of the rules on administrative fines throughout the EU.
The Draft CRA is part of a series of enacted and proposed European legislation that follows on from the European Commission’s digitalisation strategy.
Given the recognised and steadily growing importance of cybersecurity and the increasing public attention paid to the topic, the regulatory approach set out in the Draft CRA is certainly to be welcomed. Nevertheless, the Draft CRA in its current version presents considerable challenges to numerous market stakeholders and has the potential to cause uncertainty should it become law in its current form. Many of the provisions are vague and open to a wide range of interpretations, and many also risk significant interference with the freedom of market stakeholders to conduct a business.
Given the potentially profound implications for product design and development, organisations will need to keep a close eye on the progress of the Draft CRA and may also want to consider advocacy to the European Commission in relation to any specific concerns through relevant trade bodies and associations.