Cyber Resilience Act - Overview of new cybersecurity requirements for products with digital elements

In September 2022, the European Commission published its proposal for the Cyber Resilience Act ("CRA", Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020). This is an EU regulation that will be directly applicable in all Member States once it enters into force and does not require any further transposition acts. The proposal aims to further advance the European data strategy and eliminate the legislative patchwork in the field of cybersecurity in the European single market.

Aim of the Regulation

With the CRA, the European legislator aims to introduce horizontal security requirements for "products with digital elements" in order to strengthen cybersecurity across the full range of tangible products with digital elements and their associated services throughout the supply chain. The term "product with digital elements" means any software or hardware product and its data processing solutions. It bears a close resemblance to the concept of digital products in Section 327 (1) sentence 1 of the German Civil Code (BGB), which has already found its way into German law as part of the transposition of the Digital Content Directive ((EU) 2019/770). In practical terms, the proposed CRA covers any everyday object that has a digital function. Services, such as software-as-a-service (SaaS), on the other hand, are generally not covered by the scope of the regulation. The same applies to medical devices, to products related to aviation safety and to the requirements for motor vehicles, as the European legislator has already issued comprehensive provisions on cybersecurity in more specific regulations for these areas. With manufacturers, importers and distributors as the addressees of the regulation, the personal scope of application includes all actors in a supply chain. The ultimate aim is to minimize the cybersecurity risks of products with digital elements and to ensure safe use for businesses and consumers throughout the European single market.

Relevant provisions

To achieve these goals, a variety of new obligations are imposed on manufacturers, distributors and importers of products with digital elements. These are laid down in Art. 10 et seq. of the proposed CRA and vary depending on the actor and the criticality of the product.

For example, manufacturers are to be required to take cybersecurity requirements into account when designing, developing and manufacturing products with digital elements, and to conduct a cybersecurity risk assessment for this purpose. Annex I of the proposed CRA contains a list of specific requirements that are reminiscent of the data protection principles set out in Article 5(1) of the GDPR and the provisions on privacy by design and privacy by default set out in Article 25 of the GDPR. In order to demonstrate the compliance of the products with these cybersecurity requirements, a conformity assessment procedure is to be carried out, which is based on the risk level of the product. The proposed CRA distinguishes between normal, critical and highly critical products, and provides stricter procedures for high-risk products. Furthermore, manufacturers are required to continuously review their products with regard to vulnerabilities and risks and to develop appropriate procedures and strategies for this purpose. In addition, in the event of an incident that affects the security of the product, the authorities and users must be notified immediately and appropriate corrective or mitigating measures must be taken. Manufacturers are also required to prepare technical documentation regarding the fulfilment of the relevant cybersecurity requirements and the means used for this purpose before placing a product on the market. They must also monitor and address vulnerabilities in their products for a period of up to five years after market launch, including, for example, the supply of security updates. In view of the longevity of many technical products, the shortness of this period has already triggered a great deal of criticism in the legal literature. It therefore remains to be seen whether this period will be adjusted in the further course of the legislative process.

Importers and distributors are also subject to comprehensive inspection obligations: for example, importers must always ensure that a complete check of the cybersecurity requirements is carried out before placing a product on the European market, must inform manufacturers in the event of vulnerabilities and, if necessary, notify market surveillance authorities in the event of significant cybersecurity risks. Distributors, on the other hand, are only required to verify that the product bears the CE marking and that it is accompanied by the necessary technical information, the declaration of conformity and the importer's contact information. Other persons who substantially modify a product are considered manufacturers and are therefore subject to the obligations mentioned above.

Monitoring by the authorities

To monitor compliance with these obligations, member states will be required to designate market surveillance authorities. These authorities will monitor compliance with the cybersecurity requirements and cooperate with the EU Commission and ENISA for this purpose. In addition, they will also exchange information with data protection authorities. The powers of the market surveillance authorities include the initiation of investigations and the imposition of measures to bring products back into conformity, up to and including product recalls. Furthermore, they may carry out coordinated control actions (so-called "sweeps"), which apparently means simulated cyber-attacks. The requirements for such measures, which have not yet been adequately defined, have also been met with widespread criticism.

Penalties

The Cyber Resilience Act features a penalty scheme that is similar to that of the GDPR. Penalties are to be "effective, proportionate and dissuasive" according to Art. 53 (1) (2) CRA. Fines for non-compliance with the essential cybersecurity requirements for manufacturers can be as high as €15 million or 2.5% of the preceding year's annual worldwide turnover, whichever is higher. For all other violations by any of the addressees, fines of up to €10 million or 2% of total annual turnover are proposed. If incorrect, incomplete or misleading information is provided in the course of official investigations, fines of €5 million or 1% of total annual turnover may be imposed.

Current status, outlook and recommendations

The Cyber Resilience Act is still at the beginning of the legislative process. Currently, only a first draft is available. Feedback submissions on the existing draft closed on January 9, 2023. In addition, amendments are expected to be proposed by the European Parliament and the European Council.

After the final version of the Act comes into force, there will initially be a transitional period of 24 months. This does not apply to the obligation for manufacturers to report security incidents, which already applies after 12 months. Nevertheless, we advise keeping an eye on the further course of the legislative process, responding to the extensive requirements of the CRA at an early stage and factoring the additional economic and bureaucratic effort into the development processes of new products from the outset.

Lawyer, Partner
Dr. Carlo Piltz