Introduction

The European Union Council has enacted the Cyber Resilience Act (CRA) [2] [9], a significant legislative measure designed to establish cybersecurity standards for digital products, including Internet of Things (IoT) devices [2]. This initiative addresses the escalating threat of cyberattacks and aims to create a unified cybersecurity framework across the EU.

Description

The European Union Council has adopted the Cyber Resilience Act (CRA) [2] [9], a comprehensive initiative aimed at establishing cybersecurity requirements for products with digital elements [8], including connected devices such as smart doorbells [9], home cameras [8], fridges [8], TVs [8], smart coffee machines [1], speakers [2] [9], smartwatches [1], intelligent baby monitors [1], and toys [8]. This regulation responds to the rising threat of cyberattacks [6], which cost an estimated €5.5 trillion globally in 2021 [6]. The CRA seeks to create a coherent cybersecurity legislative framework that addresses existing gaps and clarifies connections between current laws, particularly for Internet of Things (IoT) devices [8] [9], while streamlining overlapping requirements from various EU member states [8].

The CRA establishes EU-wide cybersecurity and safety requirements for digital products, mandating that they maintain security throughout their lifecycle and across the supply chain [9], encompassing the design [9], development [2] [3] [4] [8] [9], production [1] [2] [3] [4] [5] [6] [7] [8] [9], and market availability of both hardware and software products [2] [3] [9]. Under the CRA, products are categorized based on their cybersecurity risk and functionality [5]. Critical products must undergo a rigorous conformity assessment and obtain a European cybersecurity certificate if a certification scheme exists [5]. Important Class II products require third-party assessments [5], while Important Class I products must comply with harmonized standards or undergo similar evaluations if such standards are not fully available [5]. Default products [1] [3] [4] [5] [8] [9], which do not fall into the Critical or Important categories [5], are still required to meet essential cybersecurity requirements through internal assessments [5].

Manufacturers face stringent obligations [5], including designing and producing products in line with essential cybersecurity requirements [5], conducting risk assessments to identify cyber risks [7], ensuring default data protection [7], providing timely information about vulnerabilities and patches [7], and preparing technical documentation and EU declarations of conformity [5]. They are also required to report any actively exploited vulnerabilities and incidents within 24 hours [7] to a central office, specifically the European Union Agency for Cybersecurity [7], which in turn notifies the relevant national computer security incident response team [7]. Additionally, manufacturers must provide regular security updates throughout the product lifecycle to address security vulnerabilities and ensure that all products are developed in accordance with cybersecurity requirements. Distributors and importers are responsible for ensuring compliance, verifying conformity assessments [5], and taking corrective actions when necessary [5].

The CRA introduces essential cybersecurity requirements that are objective-oriented and technology-neutral [6], applicable across the EU market [6]. This legislation significantly influences how both private and public entities manage data privacy and security [6], requiring organizations to notify individuals of data breaches and to implement robust data protection measures [6]. Products compliant with the CRA will bear the CE marking [2], signifying adherence to high standards for safety [9], health [2] [9], and cybersecurity within the European Economic Area (EEA) [9]. This labeling will help consumers identify products that are directly or indirectly connected to other devices or networks and that possess adequate cybersecurity features.

The CRA was first mentioned by EU Commission President von der Leyen in her State of the Union address in September 2021 and was referenced in the Council conclusions on the EU’s cyber posture in May 2022 [8]. The Commission presented the proposal for the act on 15 September 2022 [8], intending to complement the existing EU cybersecurity framework [8], including the NIS directive [8], NIS 2 directive [8], and the EU cybersecurity act [8]. A provisional agreement was reached between co-legislators on 30 November 2023 [8], following interinstitutional negotiations [8]. The CRA will enter into force 20 days after its publication in the Official Journal of the EU [4], with a transitional period of three years for compliance [4]. By approximately November 2027 [4], all products sold must meet the new cybersecurity standards and display the CE mark [4]. Certain obligations [4], such as reporting exploited IT vulnerabilities [4], will take effect in 21 months [4]. The enforcement of the CRA is set for the second half of 2024 [6], presenting challenges for compliance that may require assistance for many entities [6]. Non-compliance with the CRA can result in significant penalties [5], including financial fines of up to €15 million or 2.5% of total annual turnover [5], whichever is greater [7], as well as market restrictions and product recalls [5]. Certain exceptions may apply for devices already governed by existing EU laws [2], such as medical equipment [2] [9], aeronautical products [2] [5] [9], and payment cards [9]. The CRA utilizes existing standards [5], particularly from ISO [5], to create a comprehensive cybersecurity framework [5] [8], emphasizing the importance of identifying compliance gaps even when products meet certain standards [5].

Conclusion

The Cyber Resilience Act represents a pivotal step in fortifying the cybersecurity landscape within the European Union. By setting stringent requirements and establishing a unified framework, the CRA aims to mitigate the risks associated with digital products and IoT devices. As the act comes into force, organizations must adapt to these new standards, ensuring compliance to avoid significant penalties. The CRA not only enhances consumer protection but also sets a precedent for future cybersecurity legislation, potentially influencing global standards and practices.

References

[1] https://www.spiegel.de/netzwelt/gadgets/cyber-resilience-act-smarte-geraete-muessen-kuenftig-besser-vor-attacken-geschuetzt-werden-a-ff870c45-437d-498a-a8c8-c482b526ba65
[2] https://www.infosecurity-magazine.com/news/eu-adopts-cyber-resilience-act/
[3] https://www.lexisnexis.co.uk/legal/news/council-of-the-eu-adopts-cyber-resilience-act
[4] https://www.heise.de/en/news/EU-Council-launches-Cyber-Resilience-Act-9977203.html
[5] https://www.pwc.ch/en/insights/regulation/understanding-the-eu-cyber-resilience-act.html
[6] https://link22.eu/news/what-is-the-european-cyber-resilience-act/
[7] https://www.bankinfosecurity.com/european-council-adopts-cyber-resilience-act-a-26509
[8] https://brusselsmorning.com/eu-council-adopts-new-cybersecurity-law-for-digital-products/57858/
[9] https://cybellum.com/blog/eu-approves-cyber-resilience-act-for-connected-devices/