The Cyber Resilience Act (Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828, the "CRA") was published today, 20 November 2024, in the Official Journal of the European Union. It will raise the cybersecurity level of hardware and software products placed on the EU market.
You will find below the key points of this new Regulation.
1. Introduction
We are surrounded by connected products in our daily lives: they can be found in our pockets, on our wrists, in our garages and even inside our homes (connected doorbells and baby monitors, for example).
However, these hardware and software products are increasingly the target of cyberattacks, and many of them ship with known vulnerabilities or are never patched.
The CRA introduces a new regulatory system to ensure that products with digital elements placed on the EU market are designed, developed and maintained so that they contain fewer vulnerabilities and can withstand cyberattacks throughout their lifecycle, and that manufacturers remain responsible for their security during the support period. The Regulation follows the New Legislative Framework that governs EU product safety legislation (CE marking, conformity assessment, market surveillance).
2. Scope
The CRA applies to all products with digital elements that are made available on the market of the European Union and "the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network" (Article 2). This covers both hardware (connected devices, including their components) and standalone software.
The following are however excluded:
- Services that are not linked to a specific product. Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) offerings are therefore normally outside the CRA (they fall under NIS2). However, "remote data processing" that a product needs in order to perform one of its functions (for example, the cloud back end of a smart-home device) is treated as part of the product and falls within the scope of the CRA.
- Free and open-source software, but only where it is supplied outside the course of a commercial activity. Open-source software that is monetised or otherwise placed on the market commercially is in scope, and non-profit "open-source software stewards" that support such software are subject to a lighter regime (Article 24).
- Products already covered by sector-specific rules with equivalent cybersecurity requirements (medical devices, motor vehicles, civil aviation and marine equipment) and products developed exclusively for national security or defence purposes.
3. Essential requirements
Under Article 6 of the CRA, products with digital elements may be made available on the market only if they meet the essential cybersecurity requirements of Annex I, Part I, provided that they are properly installed, maintained, used for their intended purpose or under reasonably foreseeable conditions and, where applicable, the necessary security updates have been installed. In addition, the manufacturer's vulnerability handling processes must meet the requirements of Annex I, Part II.
You will find below a summary of the obligations that apply to the various economic operators along the supply chain.
3.1. Obligations of manufacturers
Manufacturers must ensure that products to be placed on the market are designed, developed and manufactured in accordance with the ‘essential requirements’.
In order to ensure that a product complies with the essential requirements, manufacturers have to:
- Carry out a cybersecurity risk assessment, which must be documented, kept up to date and included in the technical documentation of the product (Article 13);
- Subject the product to a conformity assessment procedure, draw up an EU declaration of conformity and affix the CE marking. Most products can be self-assessed by the manufacturer, but "important" and "critical" products listed in Annexes III and IV are subject to stricter routes, up to mandatory third-party assessment (Article 32).
According to the essential requirements (Annex I, Part I), products with digital elements must notably:
- be made available on the market without known exploitable vulnerabilities;
- be delivered with a secure-by-default configuration, including the possibility to reset the product to its original state;
- ensure protection against unauthorised access through appropriate control mechanisms such as authentication, identity or access management systems;
- protect the confidentiality and integrity of stored, transmitted and processed data, using state-of-the-art encryption where relevant;
- process only data that is adequate, relevant and limited to what is necessary (data minimisation);
- limit attack surfaces, including external interfaces;
- reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
- provide security-related information by recording and monitoring relevant internal activity, with an opt-out mechanism for the user;
- ensure that vulnerabilities can be addressed through security updates, with automatic updates enabled by default where applicable.
The manufacturer must also put in place vulnerability handling processes (Annex I, Part II): identify and document the components of the product in a software bill of materials, adopt a coordinated vulnerability disclosure policy, and provide security updates free of charge and without delay throughout the support period, which must be at least five years unless the product is expected to be in use for a shorter time.
If the manufacturer has reason to believe that the product does not comply with the essential requirements of the CRA, it must take corrective action and, if necessary, withdraw the product from the market or recall it.
If the manufacturer becomes aware of an actively exploited vulnerability in the product, or of a severe incident having an impact on its security, it must notify the CSIRT designated as coordinator and ENISA through the single reporting platform (Article 14): an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a fix being available (for vulnerabilities) or within one month (for incidents). Impacted users must also be informed without undue delay.
3.2. Obligations of importers
Importers may place on the EU market only products that comply with the essential requirements, and must verify beforehand that the manufacturer has carried out the conformity assessment, drawn up the technical documentation, affixed the CE marking and supplied the user information and instructions (Article 19). If an importer has reason to believe that a product is not in conformity, it must not place it on the market; where the product presents a significant cybersecurity risk, it must inform the manufacturer and the market surveillance authorities, and it must pass on to the manufacturer any vulnerability it becomes aware of. Importers may also be required to take corrective action, including withdrawing or recalling the product.
3.3. Obligations of distributors
Distributors must verify that the product bears the CE marking and that the manufacturer and importer have fulfilled their obligations to provide identification details, user information and instructions, and the declaration of conformity (Article 20). If a distributor becomes aware of non-compliance with the essential requirements, it must ensure that corrective measures are taken or that the product is withdrawn from the market or recalled, and it must inform the manufacturer without undue delay of any vulnerability it becomes aware of.
4. Sanctions
The CRA provides for a tiered system of administrative fines for non-compliance (Article 64):
- non-compliance with the essential requirements of Annex I or with the manufacturer obligations of Articles 13 and 14 (including the reporting obligations): fines of up to EUR 15 million or up to 2.5% of the company's total worldwide annual turnover in the preceding financial year, whichever is higher;
- non-compliance with any other obligation under the Regulation: fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher;
- supply of incorrect, incomplete or misleading information to notified bodies or market surveillance authorities in reply to a request: fines of up to EUR 5 million or up to 1% of that turnover, whichever is higher.
5. Entry into force
The CRA will enter into force on the twentieth day following its publication in the Official Journal, namely on 10 December 2024.
The CRA will apply in full from 11 December 2027, 36 months after entry into force, with two earlier milestones: Chapter IV on the notification of conformity assessment bodies applies from 11 June 2026, and Article 14 on the reporting obligations of manufacturers (actively exploited vulnerabilities and severe incidents) applies from 11 September 2026.
Consequently, and given the level of the fines for non-compliance, manufacturers, importers and distributors should use this transition period to carry out cybersecurity risk assessments of their products, build the vulnerability handling and reporting processes the Regulation requires, and map their product portfolio against Annexes III and IV in order to be ready for the Cyber Resilience Act.