On September 15, 2022, the European Commission published the final draft of the proposed Cybersecurity Resilience Act (“CRA”), which aims to set common cybersecurity standards for manufacturers, distributors, and importers involved in the distribution of “products with digital elements” within the European Union.
Background
As the global economy has become more dependent on digital technologies, the opportunities that digital connectivity brings also expose economies to the threat of cyberattacks. Such cyberattacks on hardware and software products led to an estimated global loss of €5.5 trillion by 2021. While existing EU legislation applies to certain products with digital elements, the cybersecurity features of most hardware and software products are currently not covered by any European legislation.
In addition, businesses and consumers are not provided with sufficient and accurate information regarding the security aspects of products and therefore fail to understand the cyber risks related to each such product.
The CRA aims both to strengthen the security of products marketed and sold within the EU and to provide consumers with sufficient information to choose well-secured products.
Scope of the CRA
The proposed CRA will apply to all products with digital elements whose intended or reasonably foreseeable use includes a data connection to a device or network.
The obligations within the scope of the CRA are established for ‘economic operators’, from manufacturers to distributors and importers, in accordance with their role and responsibilities in the supply chain.
The CRA broadly defines a ‘product’ as any software or hardware together with any independent digital component integrated into or connected to it. Thus, the CRA may apply to a wide range of products, such as computers, phones, operating systems, household appliances, navigation systems, baby monitors, smart watches, virtual assistant devices, toys with digital components, etc., at both the hardware and software levels. The CRA excludes products whose security aspects are already regulated under other regulations, e.g., medical devices, vehicles, and aviation-related products.
Cyber Security and Disclosure Requirements
All products within the scope of the CRA must comply with the essential cybersecurity requirements to ensure the confidentiality, integrity, and availability of the data processed by such products. Manufacturers must consider and implement security measures and controls guaranteeing, inter alia, the secure design of the product, vulnerability mitigation, unauthorized access prevention, data encryption, security hardening, limiting of attack surfaces, and backups. In addition, where applicable, products should enable automatic security updates and patch management.
Further, every product must be accompanied by information and instructions detailing the vulnerabilities and risks presented by the use of the product, the security features and measures implemented in it, and how the user can update those security features.
Conformity Assessment
The CRA requires manufacturers to conduct a conformity assessment to identify relevant cybersecurity risks and demonstrate whether the specified requirements relating to a product have been fulfilled. Depending on the criticality of the reviewed product, the assessment could be done via self-assessment or a third-party conformity assessment. Following the successful completion of the assessment, the manufacturer would draw up an EU declaration of conformity and be able to affix the CE marking so that the product can move freely within the internal market.
Enforcement and Penalties
The proposed penalties for non-compliance may reach up to the higher of €15M or 2.5% of worldwide annual turnover.
Effective Date and Application
The CRA is open for public consultation until November 15, 2022. Once adopted, economic operators and the Member States will have two years to adapt to the new requirements (except for the disclosure requirements, which will become effective after one year). Therefore, we can assume that the CRA will become effective by 2025.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
Please let us know if you have any further questions,
APM Technology and Regulation Team.