EU digital legislation
CRA-Update – Episode 2: Who falls within the scope of the proposed CRA?
According to section II of the proposed CRA, the regulation will apply to so-called economic operators such as manufacturers, authorised representatives, importers and distributors of products with digital elements.
The reason for this is the EU Commission’s objective of setting obligations for economic operators in relation to the placing on the market of products with digital elements, as adequate for their role and responsibilities in the supply chain. The majority of the obligations are imposed on the manufacturer since he significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks.
The manufacturer is defined in Art. 3 point (18) of the proposed CRA as “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” Therefore, not only the commissioned product developer but also the client is covered by the definition.
Pursuant to Art. 12 (3) of the proposed CRA, the manufacturer may appoint an authorised representative (see Art. 3 point (19) of the proposed CRA) for the performance of tasks, such as the cooperation with the market surveillance authorities. In particular, the manufacturer will make use of this possibility if he is located outside the EU and also does not operate an establishment in the Union, so that the authorised representative can perform the communication with the market surveillance authorities on his behalf.
The regulation also sets up obligations for the importer who is defined in Art. 3 point (20) of the proposed CRA as “any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union.” The term “placing on the market” means “the first making available of a product with digital elements on the Union market” whereas “making available on the market” is defined as “any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.” In this respect, the role of the importer becomes relevant if the importer purchases a product with digital elements from a manufacturer located outside the EU and imports it into the Union.
The proposed CRA also imposes obligations on distributors that are defined in Art. 3 point (21) of the proposed CRA as “any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties.” This includes companies that sell products with digital elements to end customers. In this context, the regulation does not distinguish between B2B and B2C users of products with digital elements. This is mainly because such a distinction is not necessary in view of the regulation's purpose of increasing cybersecurity and enabling users to use such products in a secure manner. After all, both companies and consumers come into contact with the products covered by the regulation in equal measure (see recitals 1 and 2 of the proposed CRA).
Because the CRA defines the economic operators it addresses precisely, we recommend checking at an early stage whether companies fall within the scope of this regulation. It imposes different obligations on each operator, so the measures to be undertaken vary from addressee to addressee. In addition, the ongoing legislative process should be followed with regard to possible adjustments in the personal scope of application because changes to the draft regulation are still to be expected.
In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.
CRA-Update – Episode 10: Penalties under the CRA-E
With the proposed Cyber Resilience Act (CRA-E), the European Commission has set itself the goal of strengthening the security of products with digital elements with horizontal legal requirements in order to better protect the European internal market from growing cyber threats. To this end, the regulation contains a large number of obligations that apply to all economic operators in a product supply chain, namely manufacturers, importers and distributors.
CRA-Update – Episode 9: Surveillance authorities
The Commission's draft for the Cyber Resilience Act (CRA-E) mentions different authorities with different tasks for monitoring and compliance with the standards of the regulation.
CRA-Update – Episode 8: The conformity assessment procedure
In order to demonstrate the conformity of products with digital elements with the requirements of the proposed Cyber Resilience Act (CRA-E), manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 24 (1) CRA-E. For this purpose, the CRA-E basically provides for three different types of procedures, for each of which information can be found in Annex VI. The procedures mentioned there are based on Decision 768/2008/EC, which aims to establish a common framework for legislation harmonizing the conditions for the marketing of products and provides for conformity assessment procedures for this purpose.
CRA-Update – Episode 7: What are vulnerability handling processes put in place by manufacturers and when are they compliant under the CRA?
According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E), this regulation should also include provisions for vulnerability handling processes put in place by manufacturers. The purpose of these processes is to ensure the cybersecurity of products with digital elements during the whole life cycle.
CRA-Update – Episode 6: When is a product with digital elements in conformity with the requirements of the CRA-E?
The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.
CRA-Update – Episode 5: What are the obligations of the distributor under the CRA-E?
As the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.
According to the definition in Art. 3 (21) CRA-E, a (legal) person can only qualify as a distributor if it makes a product with digital elements available on the Union market without affecting its properties and without already qualifying as a manufacturer or importer.
CRA-Update – Episode 4: What are the obligations of the importer under the CRA-E?
The role of the importer becomes relevant within the proposed Cyber Resilience Act (CRA-E) when he makes available on the Union market, for the first time, a product with digital elements bearing the name or trademark of a (legal) person established outside the European Union.
CRA-Update – Episode 3: What are the obligations of the manufacturer under the CRA-E?
In comparison to the other economic operators, the manufacturer is subject to the most comprehensive obligations of the proposed CRA (CRA-E). This is probably because the manufacturer significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks. The specific obligations for manufacturers are set out in Art. 10 and 11 of the proposed CRA.
CRA-Update – Episode 1: Which products fall within the scope of the proposed CRA?
The European Commission's current proposal for a new European Cyber Resilience Act of 15 September 2022 (CRA) applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (see recital 7 and Art. 2 (1) of the proposed CRA).