The European Union adopts new Regulation on security requirements for digital products

On 10 October 2024, the Council of the European Union (the “Council”) adopted the Cyber Resilience Act (the “CRA”), which aims to ensure that products with digital elements, such as smart fridges and connected home cameras, are safe to use before they are placed on the EU's internal market. The CRA is one of several legislative initiatives in the field of cybersecurity adopted in the context of the EU's Digital Decade. In this article, we briefly review what the Regulation means, which products are covered and what happens next.

What is the CRA?

The CRA aims to raise the level of cybersecurity of hardware and software products with digital elements in order to ensure that these products are safe to use before they are placed on the EU internal market. Through the CRA, the legislator intends to increase the EU's resilience to cyberattacks against these types of products and to close gaps in existing legislation, while at the same time improving users' understanding of, and access to, information about these products.

Among other things, the Regulation imposes various requirements on manufacturers, including the obligation to:

  • conduct a cybersecurity risk assessment for the covered product and establish procedures to address vulnerabilities;
  • ensure that a covered product fulfils the cybersecurity requirements that the Regulation imposes on it (which requirements apply depends in turn on the classification of the product);
  • report identified vulnerabilities in a covered product; and
  • report serious security incidents.

Although most of the obligations in the CRA fall on the manufacturer of a covered product, the CRA is relevant for all actors in the supply chain, such as the importer and the distributor of a covered product.

Which products are covered?

The Regulation covers any product (hardware, software, or Internet of Things (IoT) devices) that is directly or indirectly connected to another device or network and placed on the EU internal market.

This means, inter alia, that products such as smart fridges, speakers with Bluetooth functionality, laptops, and connected home cameras must fulfil the requirements of the Regulation before being placed on the internal market.

The requirements that a covered product must fulfil depend on the level of risk of the product and whether the product is considered critical or not.

According to the Regulation, a product with digital elements is considered critical if the adverse consequences of exploiting potential vulnerabilities in the product could be severe because of, inter alia, (i) cybersecurity-related functions, or (ii) a function that poses a significant risk of adverse effects in terms of its intensity and its ability to disrupt, control or cause damage to a large number of other products, or to the health, safety or security of users through direct manipulation, such as a central system function.

Critical products are further categorised into Class I and Class II, with Class II products considered to pose an even more serious risk of negative consequences. Products with digital elements that fall into neither Class I nor Class II are considered non-critical products.

The main difference between the categories is how compliance with the common safety standards is demonstrated. While non-critical products can undergo self-assessment, Class I and Class II products must be assessed by an independent party.

What will the sanctions be?

The CRA contains rules on penalties for infringements. The amount of the penalty that can be imposed depends on, among other things, the nature of the breach of the Regulation, as well as factors such as its gravity and consequences. The maximum penalty is EUR 15 million or, if the infringement is committed by an undertaking, 2.5% of the undertaking's worldwide annual turnover in the preceding financial year.

What happens next?

The Council has now adopted the CRA and the Regulation will therefore be published in the Official Journal of the EU. This is expected to happen in the coming weeks. The CRA will enter into force 20 days after publication, with an implementation period of 36 months for most provisions. However, some rules may apply earlier.

Vinge continuously monitors developments in this area. Please contact us if you have any questions.