First introduced in December 2020 by the European Commission, the European Cyber Resilience Act (“CRA”) regulation was published in the Official Journal on November 20th. It will enter into force on December 10, 2024, but will not be immediately applicable. Most obligations will apply only from December 2027, with some exceptions: for example, the obligation to notify serious incidents will apply from September 2026. The CRA will apply in all member states and to the companies operating in them.
The official regulation is available on EUR-Lex: Regulation – 2024/2847 – EN – EUR-Lex
The purpose of this regulation is to reinforce the cybersecurity of “products with digital elements”. This includes connected devices (watches, connected toys, voice assistants, etc.) and certain software (operating systems, firewalls, etc.), whether or not it is integrated into physical devices. Software made available as SaaS is excluded from the CRA in certain cases.
The CRA imposes new obligations not only on manufacturers, but also on all those involved in the design, development and sale of a product containing digital elements. For example, manufacturers must ensure that vulnerabilities in their products are handled for at least 5 years (unless the product’s lifespan is shorter), while importers and distributors of products with digital elements must check the conformity documentation provided by the actors upstream of them in the supply chain. Certain products (such as smart cards, connected toys or security software) are subject to specific reinforced measures because of their criticality.
DLA Piper’s team of intellectual property, data protection & cybersecurity and technology lawyers will publish articles to help you understand these new regulations. Don’t hesitate to follow us so you don’t miss them, or to contact us if you have any questions!