CRA-Update – Episode 11: Final draft of the CRA – Overview on the most relevant amendments
On October 10, 2024, the Council of the European Union adopted the final text of the Cyber Resilience Act (CRA). The regulation will soon be published in the Official Journal of the European Union and, under Art. 71 (1) CRA, will enter into force on the twentieth day following its publication.
We have taken a look at the current text of the regulation and compared it with the European Commission's original draft. We have listed the most important changes for you below:
1. Scope
Two further exceptions to the scope of application have been added to Art. 2 CRA. First, equipment that falls within the scope of the Marine Equipment Directive (Directive 2014/90/EU) is excluded from the CRA.
Second, according to Art. 2 (6) CRA, the regulation does not apply to spare parts made available on the market to replace identical components in products with digital elements. The rationale is that the component being replaced already has the required level of cybersecurity, so a further assessment of an identical spare part is unnecessary.
2. Open-source software
The Commission draft brought the commercial use of open-source software within the scope of the CRA. This triggered considerable criticism from the open-source community, which the legislator evidently took on board. The final text addresses open-source software more deliberately and limits the scope to free and open-source software that is made available on the market, i.e. supplied for distribution or use in the course of a commercial activity (Recital 18, sentence 3 CRA). Supplying such software without monetizing it is not considered a commercial activity, nor is the development of open-source software by non-profit organizations.
Another significant amendment is found in Art. 3 (14) CRA, which introduces the open-source software steward: a legal person that is not a manufacturer but whose purpose is to provide sustained support for the development of open-source software intended for commercial activities. Art. 24 CRA imposes obligations on open-source software stewards. These include putting in place and documenting a cybersecurity policy which, beyond fostering the development of a secure product, must also ensure that developers handle vulnerabilities effectively and share information within the open-source community.
The reason for creating this new role is to ensure that certain regulatory cybersecurity requirements are met in the development of open-source software used commercially, without treating every open-source project as a manufacturer.
3. New risk categories for products
The Commission draft already provided for different risk categories for products with digital elements, including critical products with digital elements, which were divided into class I (e.g. password managers and antivirus programs) and class II (e.g. smartcards). According to Art. 24 (2) and (3) CRA-E, a stricter conformity assessment procedure applied to critical products with digital elements. The Commission draft also provided for a category of highly critical products with digital elements, to be specified by delegated act. In addition, Art. 8 CRA-E covered the category of high-risk AI systems, whose conformity was governed by both the CRA draft and the AI Act.
In contrast, the final version of the CRA has the risk categories “important products”, “critical products” and “high-risk AI-systems”.
Important products with digital elements have the core functionality of a product category listed in Annex III and are subject to a stricter conformity assessment procedure according to Art. 32 (2) and (3) CRA. Examples include password managers, antivirus programs, operating systems and firewalls. These products are likewise subdivided into classes I and II and essentially correspond to the "critical products" of the Commission draft.
In the final CRA, the term critical products covers the products listed in Annex IV (e.g. hardware devices with security boxes, devices for advanced security purposes such as secure cryptoprocessing, and smartcards and similar devices including secure elements). The Commission is empowered to supplement Annex IV with further product categories by delegated act.
The regulations on high-risk AI systems have essentially remained the same.
4. Support period
The final text of the regulation defines in Art. 3 No. 20 CRA a so-called support period, during which the manufacturer must ensure that vulnerabilities in the product with digital elements are handled effectively. This provision is clearly a response to criticism of the unclear wording in the Commission draft, which set the period for addressing vulnerabilities at a flat five years or the expected product lifetime, whichever was shorter. Art. 13 (8) CRA now stipulates that the support period must be at least five years, unless the product is expected to be in use for a shorter period. The manufacturer must still determine the support period itself on the basis of defined criteria (e.g. the expected duration of use, user expectations, the type of product, the support periods of similar products, and guidance from the Administrative Cooperation Group (ADCO) and the Commission). The obligation to handle vulnerabilities throughout the entire product life cycle remains in place. In practice, this means that the support period must be fixed and documented before the product is placed on the market and that security updates must be provided for at least that period.
5. Further obligations for manufacturers
The catalog of manufacturer obligations has grown somewhat in the final version of the CRA. For example, the criteria for the manufacturer's cybersecurity risk assessment are now specified in Art. 13 (3) CRA (including an assessment of cybersecurity risks based on the intended purpose and the reasonably foreseeable use of the product). In addition, Art. 13 (15) CRA obliges the manufacturer to affix a type, batch or serial number to the product with digital elements or, where that is not possible, to state it on the packaging or in the accompanying documentation.
6. Single reporting platform
Art. 16 CRA contains another new element. In order to simplify the reporting obligations, ENISA is to set up a single reporting platform through which manufacturers submit their notifications of actively exploited vulnerabilities and severe incidents having an impact on the security of the product under Art. 14 CRA. Manufacturers should therefore plan their vulnerability handling and incident response processes so that the required notifications can be generated within the deadlines of Art. 14 CRA.
7. Privileges for SMEs
Like other European regulations, the CRA now contains relief for micro, small and medium-sized enterprises (SMEs). For example, Member States may organize specific awareness-raising and training activities on the application of the regulation (Art. 33 (1) (a) CRA) and may set up cyber resilience regulatory sandboxes to help SMEs comply with the CRA's obligations. Furthermore, SMEs may submit their technical documentation in a simplified format (Art. 33 (5) CRA); the details of that format are still to be determined by the Commission by means of an implementing act.
8. Possibility of representative actions
Pursuant to Art. 65 CRA, the Representative Actions Directive (Directive (EU) 2020/1828) applies to infringements of the CRA by economic operators. Consumer associations may therefore bring representative actions for violations of the CRA where the collective interests of consumers are affected. This makes it all the more important for economic operators to ensure sustained compliance with the CRA requirements.
9. Application of the regulation
The Commission's draft originally provided for the CRA to apply 24 months after entry into force. In the final version, this period was extended to 36 months (Art. 71 (2) CRA).
The provisions of Chapter IV on the notification of conformity assessment bodies apply after just 18 months. These include the designation of the notifying authorities and the establishment of the notified conformity assessment bodies.
The manufacturer's reporting obligations under Art. 14 CRA apply 21 months after entry into force, i.e. before the bulk of the regulation.
Practical recommendations
Now that the final text of the regulation has been adopted and will shortly appear in the Official Journal, the definitive scope of application and the obligations of the addressees are clear. Even though most of the provisions will not apply for another three years, we advise companies that fall within the scope of the CRA to familiarize themselves with the regulation now and to adapt their existing processes, in particular their secure development, vulnerability handling and reporting processes, which must be in place before the staggered application dates.
In our CRA-Update series, we regularly present information on the Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.
On November 21, 2024, we will be hosting our webinar "Cyber Resilience Act im Überblick: Was gilt für wen und wo?" ("The Cyber Resilience Act at a glance: what applies to whom and where?") in German. In this first webinar, you will learn everything you need to know about the scope of the CRA. We will explain what exactly the CRA is and how it differs from other regulations.