CRA-Update – Episode 10: Penalties under the CRA-E

With the proposed Cyber Resilience Act (CRA-E), the European Commission has set itself the goal of strengthening the security of products with digital elements with horizontal legal requirements in order to better protect the European internal market from growing cyber threats. Concerning this matter, the regulation contains a large number of obligations that apply to all economic operators in a product supply chain, namely manufacturers, importers and distributors.

In order to ensure compliance with these obligations in practice, the regulation also provides for the possibility of penalties that can be imposed on economic operators in the event of non-compliance with the legal requirements.

However, the CRA-E leaves the Member States a great deal of leeway in terms of the legal structure of the penalties. According to Art. 53 (1) CRA-E, they shall lay down the rules on penalties and take the measures necessary for enforcement. With the wording in Art. 53 (1) CRA-E that the penalties shall be effective, proportionate and dissuasive, and with the upper limits for fines specified in Art. 53 (3–5) CRA-E, the regulation provides a framework that must be filled in by national law. A corresponding requirement for fines is already familiar from Art. 83 (1) GDPR.

The competent market surveillance authority in whose Member State the affected product with digital elements was made available on the market is responsible for issuing penalties and imposing fines. However, this does not necessarily mean that a manufacturer, for example, has to fear high fines in all Member States. According to Art. 53 (6) lit. b) CRA-E, when assessing a fine, it must also be taken into account whether other market surveillance authorities have already imposed fines for a similar infringement. What is interesting here is that reference is made to "similar" infringements: it is therefore not necessary that the very same infringement has already been sanctioned once before.

The upper limits for the amount of fines are set out in Art. 53 (3–5) CRA-E. The highest fines can be imposed for non-compliance with the requirements in Annex I or for breaches of the manufacturer's obligations in Art. 10 and 11 CRA-E. Fines of up to €15,000,000 or up to 2.5% of the previous year's total global turnover are possible.

In the event of breaches of the other obligations of the CRA-E, fines of up to €10,000,000 or 2% of the previous year's global turnover are possible in accordance with Art. 53 (4) CRA-E. This will primarily affect importers and distributors, whose obligations are set out in Art. 13 and 14 CRA-E.

In addition, incorrect, incomplete or misleading information to notified bodies and market surveillance authorities may result in fines of up to €5,000,000 or up to 1% of the previous year's global turnover, Art. 53 (5) CRA-E.

The amount of the fine depends on the nature, gravity and duration of the infringement and its consequences in accordance with Art. 53 (6) CRA-E. These criteria are likely to be familiar to the addressees from other EU regulations, such as the GDPR or the Digital Services Act.

Possible changes in the final version of the CRA-E

Based on the Commission's proposal for a regulation, the European Parliament's Committee on Industry, Research and Energy (ITRE) and the Council of the European Union have also published drafts. The legislative process is currently undergoing final coordination.

In principle, the aforementioned provisions on fines in the CRA-E have not changed. In its draft, the ITRE has also included in Art. 53 CRA-E that the financial resources of SMEs are taken into account when calculating a fine. In addition, the Commission shall ensure that those rules and measures are applied uniformly throughout the EU, which is probably intended to prevent the penalties imposed from differing greatly from one another. Furthermore, Art. 53a CRA-E was introduced, according to which the revenue from the penalties shall be allocated to projects raising the level of cybersecurity within the Union.

The Council has not deviated from the Commission draft in Art. 53 CRA-E apart from a few linguistic changes.

Practical recommendations

As the European legislator grants the Member States regulatory competence regarding the penalties of the CRA, it remains to be seen whether the German legislator will maintain the framework of the CRA-E or deviate from it. Nevertheless, the provisions of the CRA-E should be taken into account as a general benchmark, as the majority of Member States are likely to implement the provisions in full. Consequently, the requirements of the CRA-E and the further legislative process should already be taken into account now in order to avoid the risk of fines in the future.

In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.

Lawyer, Associate
Alexander Weiss