EU digital legislation

In order to demonstrate the conformity of products with digital elements with the requirements of the proposed Cyber Resilience Act (CRA-E), manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 24 (1) CRA-E. For this purpose, the CRA-E basically provides for three different types of procedures, for each of which information can be found in Annex VI. The procedures mentioned there are based on Decision 768/2008/EC, which aims to establish a common framework for legislation harmonizing the conditions for the marketing of products and provides for conformity assessment procedures for this purpose.

According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E) this regulation should also include provisions for vulnerability handling processes put in place by manufacturers. The purpose of these processes is to ensure the cybersecurity of products with digital elements during the whole life cycle.

The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.

Being the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.

According to the definition in Art. 3 (21) CRA-E, a (legal) person can only fall under the term of the distributor if it makes a product with digital elements available on the Union market without affecting its properties and without being already qualified as a manufacturer or importer.

The role of the importer becomes relevant within the proposed Cyber Resilience Act (CRA-E) when he makes available a product with digital elements bearing the name or trademark of a (legal) person and being established outside the European Union on the Union market for the first time.

In comparison to the other economic operators, the manufacturer is subject to the most comprehensive obligations of the proposed CRA (CRA-E). This is probably because the manufacturer significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks. The specific obligations for manufacturers are set out in Art. 10 and 11 of the proposed CRA.

According to section II of the proposed CRA the regulation will apply to so-called economic operators such as manufacturers, authorised representatives, importers and distributors of products with digital elements.

The current proposal for a new European Cyber Resilience Act by the European Commission from 15th September 2022 (CRA) applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (see recital 7 and Art. 2 (1) of the proposed CRA).