The EU Cyber Resilience Act: 6 Things You Need To Know

The European Cyber Resilience Act (CRA) will lead to the development and implementation of common cybersecurity standards for products with a “digital element” in the European Union.

Whilst the newly adopted and updated Network Information Security Directive (NIS 2) targets a broad concept of critical infrastructure and the Digital Operations Resilience Act (DORA) focuses on the financial services sector, the CRA takes a horizontal approach. It imposes obligations across the connected hardware and software ecosystem, implementing a range of security-related obligations on manufacturers, importers and distributors of covered products.

This overview aims to help you assess if and how you are covered by the CRA by answering the following questions:

1. What products are impacted by the CRA?
2. Who is impacted by the CRA?
3. What obligations apply?
4. What measures will importers and distributors have to take?
5. What are the incident reporting requirements?
6. What are the consequences of noncompliance?

Operators should start assessing whether they fall under the scope of the CRA. If necessary, they should determine which additional security measures and processes to implement related to their products, keeping in mind that more guidance and technical standards will be forthcoming in the months and years ahead.

1. What products are impacted?

Products with digital elements. The CRA introduces the concept of “products with digital elements” (“PDE”). It defines them as software or hardware products and associated remote data processing solutions, including software or hardware components placed on the market separately. The concept of remote data processing solutions covers software that:

• Allows data processing at a distance.
• Is designed and developed by or on behalf of the manufacturer of the PDE.
• Is critical to ensure the PDE performs one of its functions. The Internet of Things (IoT) is clearly targeted.

Making available on the market. The CRA only applies if the PDE is made available on the market. That means it must be supplied for distribution or use on the EU market in the course of a commercial activity, whether in return for payment or free of charge.

Reasonably foreseeable use. For the CRA to apply, the use of the PDE shall include a direct or indirect logical or physical connection to a device or network. However, this use, including a connection to a device or network, shall not necessarily be the intended purpose as communicated by the manufacturer. It may be the purpose, which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions.

Exclusions. The CRA does not apply to the product categories listed below (these types of products are already covered by sector-specific legislation that addresses cybersecurity risks and requirements):

• Medical devices.
• Motor vehicles.
• Military hardware.
• Certified aviation products.
• Marine equipment.
• Spare parts made available on the market to replace identical components that are manufactured according to the same specifications as the components that they are intended to replace.
• Digital elements developed or modified exclusively for national security or defence purposes.

How is software impacted? Software falls within the definition of PDE and is covered by the CRA. Specific provisions apply to cloud solutions and open-source components, as explained below.

Cloud solutions may be covered by the CRA if they meet the definition of remote data processing solutions The CRA does not apply to cloud solutions that do not fall within this definition, including SaaS, PaaS and IaaS. These solutions may still be covered by Directive (EU) 2022/2555 (NIS 2 Directive).

For additional information concerning the NIS 2 Directive, please refer to our note available here.

Is open-source software affected? The CRA does not provide a general open-source exemption from its obligations. It defines free and open-source software (“FOSS”) and includes a category of open-source stewards. This category covers actors supporting the development of PDEs qualifying as FOSS and intended for commercial activities, and that ensures the viability of those products. These are subject to obligations such as establishing cybersecurity policies, encouraging responsible disclosure of vulnerabilities and working with authorities to address security risks.

For a sector-specific comparison relating to smart medical devices, please see Global Authorities Ramp Up Medical Device Cybersecurity Expectations: What Medical Device Companies Need to Know.

2. Who is impacted by the CRA?

The CRA applies to the entirety of a product’s supply chain, encompassing:

• Manufacturers (which includes operators carrying out substantial modifications of covered products).
• Importers.
• Distributors

The goal is to enhance consumer trust and customer safety. It applies regardless of the place of establishment of these actors to the extent the PDEs are made available on the EU market.

3. What obligations apply?

PDEs classification and resulting conformity assessment obligations. The CRA establishes a classification of PDEs. The cybersecurity measures set out in the CRA apply to all PDEs, but the classification of the product changes the process for certifying compliance with these measures.

• Default category of PDEs: PDEs that do not fall under either the important PDEs category or the critical PDEs category will be in the default category.
• Important PDEs: This category includes products that either:
  • Primarily perform functions critical to the cybersecurity of other products, networks or services or
  • Perform a function which carries a significant risk of adverse effects in its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users. That could happen through direct manipulation, such as a central system function, including network management, configuration control, virtualization or processing of personal data.
  • Annex III of the CRA provides for two sub-classes of Important PDEs. The recitals to the CRA clarify that an incident involving PDEs of class II (e.g., firewalls, tamper-resistant microprocessors) might lead to greater negative impacts than an incident involving important PDEs of class I (e.g., password managers, antivirus software, identity management systems, operating systems, routers, and smart home virtual assistants).
• Critical PDEs: Critical PDEs will be Important PDEs. However, the criteria promoting a product to a Critical PDE are:
  • There is a critical dependency of essential entities referred to in Article 3 of Directive (EU) 2022/2555 on this category of PDE (available here) or
  • Incidents and exploited vulnerabilities concerning the category of PDE can lead to serious disruptions to critical supply chains across the internal market. These critical PDEs are covered by Annex IV of the CRA (e.g., hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure crypto processing, smartcards or similar devices).

Manufacturers will have to ensure their PDEs comply with the CRA before commercialising them. Whereas manufacturers of the Default category of PDEs will be able to carry out a self-conformity assessment, manufacturers of Important and Critical PDEs will need to go through a third-party conformity assessment (Critical PDEs being subject to stricter conformity assessment procedures than class II Important PDEs and class II Important PDEs being subject to stricter procedures than class I Important PDEs).

To demonstrate a level of conformity, manufacturers will be required to link an EU declaration of conformity with the PDE. The CRA provides for a presumption of conformity with essential requirements if a given PDE complies with harmonised technical standards.

The EU Commission will issue a standardisation request to the EU standards bodies so that the required technical cybersecurity standards can be identified and developed, as necessary. The European Union Agency for Cybersecurity (ENISA) has already issued a report that maps existing cybersecurity standards against the CRA requirements and identifies possible gaps.

What measures will affected manufacturers need to take? The cybersecurity and other obligations applicable to all PDEs are set out in Articles 13, 14 and Annex I. These include a mix of product requirements, information obligations and adoption of internal processes. For example, manufacturers shall undertake the following:

• Cyber Risk Management: The CRA requires that a cyber risk assessment be conducted before a PDE is placed on the market. It also imposes due diligence requirements regarding third-party suppliers of components. Annex 1 outlines a number of ‘essential’ cybersecurity requirements that must be in place before a product goes to market.
• Vulnerability Management: During the PDE market life cycle, manufacturers will be required to effectively manage product vulnerabilities, including through regular testing, patch management, responsible disclosure programmes and clear documentation. Manufacturers will have to define a support period that reflects the time the product is expected to be in use, and to provide security updates during that period. Such support period cannot be shorter than five years, except for products that are expected to be in use for a shorter period of time (in which case the support period corresponds to the expected period of use).
• Appointed Representative: Under the CRA, an authorised representative may perform specific tasks on behalf of the organisation, including acting as the point of contact with the market surveillance authorities. However, certain internal risk assessment activities can only be performed by the organisation itself.
• Record Keeping: Manufacturers will be required to collate and update information associated with the product manufacture and component parts of the PDE. The CRA also requires manufacturers to retain records for 10 years after the PDE is placed on the market.

4. What measures will importers and distributors have to take?

Distributors and importers are also within the scope of the CRA. Under the current proposal, they will be required to confirm the completion of the relevant certificate of conformity has been carried out by the manufacturer, prior to the PDE being placed on the EU market.

In the event a significant vulnerability is identified or if they have reason to believe a PDE may present a significant cybersecurity risk, importers and distributors will be required to inform both manufacturers and market surveillance authorities.

5. What are the incident reporting requirements?

Manufacturers will be required to notify ENISA and the CERT teams of an actively exploited vulnerability (i.e., there is evidence that a malicious actor has exploited the vulnerability) or a severe incident having an impact on the security of the PDE (i.e., it negatively affects the protection of the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or it has led or is capable of leading to the introduction or execution of malicious code) within 24 hours of becoming aware of the issue. In the recitals to the CRA, the EU legislature encourages national single-entry points enabling multiple reporting required under other EU regulations, including notifications of personal data breach as required under the GDPR.

If the event impacts service delivery relating to critical infrastructure, requirements under NIS2 may also be triggered.

6. What are the consequences of noncompliance?

Market surveillance. Each Member State will designate one or several market surveillance authorities responsible for enforcing the CRA at the national level. The CRA specifies that for PDEs that would also be classified as “high-risk AI systems” under the AI Act, the national market surveillance authority under the CRA and the AI Act shall be the same. The CRA also establishes an administrative cooperation group at the EU level (ADCO) which will be composed of all national market surveillance authorities and representatives from the EU Commission and will be responsible for ensuring a uniform application of the CRA throughout the EU.

Sanctions. The CRA will introduce a sanctions regime for noncompliance. The potential maximum fines for noncompliance would range from €5–€15 million or 1%– 2.5% of global annual turnover, whichever is greater. The CRA categorises breaches as relating to:

• Breach of essential requirements giving rise to the higher fines,
• Breach of other requirements under the CRA or
• Failure to provide accurate information.

Where non-compliance with the CRA may also involve a personal data breach, it is unclear whether fines will be imposed under the GDPR as well as under the CRA.

Next Steps

The European Parliament approved the CRA on 12 March 2024. Once formally adopted by the Council, it will be published in the Official Journal of the European Union and will enter into force within 20 days of this publication. Most of the CRA will be applicable within 36 months from the date of its entry into force. The exceptions are:

• Manufacturers’ reporting obligations provided under Article 14, which apply 21 months from the entry into force, and
• Provisions concerning notification of conformity assessment bodies, which apply 18 months from the entry into force.

Guidance from the EU Commission is expected in relation to the scope of the CRA, in particular concerning the application of the CRA to software, the application of support periods in relation to particular categories of PDEs, the interaction of the CRA with other EU laws, and the concept of substantial modification. The EU Commission is also expected to issue standardisation requests to standardisation organizations.

Intersection with the EU AI Act

PDEs classified as “high-risk AI systems” under the AI Act should comply with the essential requirements set out in the CRA. The CRA specifies that where high-risk AI systems fulfil the essential requirements of the CRA, they should also be deemed to comply with the cybersecurity requirements set under the AI Act.

In terms of conformity assessment, the CRA provides that PDEs, which are high-risk AI systems, shall be subject to the AI Act conformity assessment procedure, except for important PDEs and critical PDEs.

***

Orrick advises global manufacturers and distributors on growing with cybersecurity in mind, day-to-day business functions and preparing for and responding to cybersecurity incidents around the globe. Contact one of the authors (Julia Apostle, Kelly Hagedorn, or Rami Kawkabani) or other members of the Orrick team if you have questions.