On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on the EU market.
The CRA was first proposed in September 2022 by the EU Commission (“Commission”) to establish essential requirements for cybersecurity and vulnerability handling for products with digital elements placed on the EU market. After amendments were proposed by the European Council and the European Parliament on 19 July 2023, the text for the final version is now being debated.
Under the scope of the draft CRA are products with digital elements, including software or hardware and their remote data processing solutions. Certain products already subject to cybersecurity requirements in sectoral legislation, such as medical devices, aviation or connected vehicles, are outside the scope of the CRA. Open-source software developed outside the course of a commercial activity is also not covered by the draft CRA. In addition, under the current draft, services such as Software-as-a-Service (SaaS) are only intended to be subject to the CRA if the product involves remote data processing solutions and would be unable to perform properly without them.
Requirements for Manufacturers
In order to place a product with digital elements on the market, manufacturers would face several requirements, including:
- Carry out and document a cybersecurity risk assessment for the specific product;
- Implement the essential security mechanisms listed in Annex I of the draft CRA, including appropriate control mechanisms and measures to protect the confidentiality and integrity of data, and the availability of essential functions;
- Exercise due diligence when integrating components sourced from third parties, to ensure such components do not compromise the security of the product;
- Have effective vulnerability management processes in place, including policies for handling potential vulnerabilities reported from internal or external sources. Bug-bounty programs are encouraged;
- Prepare clear and understandable instructions for users;
- Conduct an internal conformity assessment to demonstrate compliance with the above requirements;
- Prepare an EU declaration of conformity and affix a CE marking to the product; and
- Prepare the technical documentation for the product, demonstrating compliance with the above requirements.
Manufacturers are required to continuously manage the cyber risks and vulnerabilities of the product, and to ensure the product remains in conformity with the CRA requirements.
Manufacturers will be required to report to the competent authority (see below), within 24 hours of becoming aware of it, any actively exploited vulnerability or any incident affecting the security of the product with digital elements. Manufacturers will also need to inform users about the incident without undue delay after becoming aware of it and, if applicable, about any corrective measures users can take. Where a vulnerability is identified in a third-party component, the manufacturer will have to notify the party responsible for that component.
Critical Products with Digital Elements
Certain products listed in Annex III of the draft CRA are considered critical products with digital elements (i.e., products for which the exploitation of cyber vulnerabilities can lead to severe negative impact). Products deemed “critical” in the Commission’s draft include microprocessors, operating systems, and a number of cybersecurity functionalities such as firewalls or intrusion detection and prevention systems. Annex III divides products into two classes, according to the level of cyber risk.
Critical products with digital elements would be subject to stricter conformity procedures. For products listed in class I of Annex III, manufacturers may demonstrate compliance by applying harmonized standards, common specifications, or EU cybersecurity certification schemes. In the absence of those, a conformity assessment carried out by a third party will be required. Products listed in class II of Annex III will always require third-party conformity assessments.
Under the current draft, violations of the CRA may be fined up to either EUR 15 million or 2.5% of the entity's total worldwide turnover for the preceding financial year, whichever is higher.
What’s New in the Council’s Version and Debated Topics
Topics that are currently being negotiated between the European institutions—with feedback from the industry—include:
- The applicability of the CRA to standalone software;
- The definition of the period within which manufacturers are expected to handle vulnerabilities;
- The applicability of the CRA to open-source software;
- The exact content of reporting obligations;
- The authority that should receive reports (ENISA or the Computer Security Incident Response Teams of the Member State where the manufacturer has its main establishment, designated in accordance with the provisions of the NIS2 Directive).
Once the final text is adopted, there will likely be a grace period before it takes effect. European institutions diverge on application dates, which should be set at between 12 and 24 months after entry into force for incident reporting requirements, and between 24 and 36 months after entry into force for other obligations. This means that, assuming adoption by mid-2024, the CRA would come into effect in 2025-2026 at the earliest.
What Businesses Should Be Doing Now
If adopted, the CRA will increase scrutiny over the security of software and hardware placed on the EU market. Investors, developers, and businesses relying on products likely to be subject to the CRA could benefit from starting conformity efforts at the early stages of development. Global companies might take a global, strategic approach to their compliance efforts. Preliminary compliance steps might include:
- Train relevant development teams and other stakeholders on the anticipated requirements of the draft CRA;
- Evaluate the scope of coverage of a business (e.g. how many products are likely to fall within the scope of the CRA);
- Critically assess product safety and vulnerability handling practices in view of the requirements in the draft CRA and other regulations in the world;
- Prepare the support documentation of the product in line with likely forthcoming obligations, especially around risk management and vulnerability management; and
- Assess processes in place for reporting of incidents and actively exploited vulnerabilities.
As noted in our Legal Update from 12 October 2023, regulators around the world—and especially in the United States and Europe—have been increasing regulation and scrutiny in software security. Similarly, increased regulation of the Internet of Things is a notable trend. For more information, please refer to our Legal Updates from 25 July 2023 and 22 December 2020.