The EU’s Cyber Resilience Act (CRA) is on the verge of being officially adopted [8]. This groundbreaking Act aims to enhance cybersecurity for digital products throughout the EU, introducing mandatory requirements for hardware and software to protect against cyber threats. It is the first of its kind globally and has received political agreement from both the European Parliament and the Council.

Description

The CRA establishes cybersecurity measures for all digital products, with varying levels of security requirements based on risk. Fewer than 10% of products will undergo third-party assessments [2] [3]. Once in force, all products entering the EU market must meet its cybersecurity standards. Manufacturers will be responsible for implementing security measures throughout the product lifecycle and providing timely updates [3]. The Act aims to combat software supply chain attacks and safeguard small businesses and critical institutions [3]. It also holds manufacturers accountable for product safety, including recall and reporting obligations [6]. The agreed text requires formal adoption by both Parliament and Council [1], with a 36-month adaptation period for affected organizations and a 21-month grace period for incident reporting and vulnerability disclosure. The Act includes a 24-hour disclosure period for newly discovered security flaws [5], five years of security patch support [5], and comprehensive documentation of security features [5]. Open source software is exempt from certain rules [5]. The Act covers all digitally connected products, making EU-wide cybersecurity requirements mandatory [4]. Key products such as routers and antivirus software are prioritized for cybersecurity. The Act also supports micro and small enterprises [4], stakeholder involvement, and the open-source community [4].

Conclusion

The CRA provides stronger protection for citizens and businesses while allowing flexibility for manufacturers and promoting innovation [4]. It addresses concerns about the impact on free and open source software, clarifying that non-monetized provision and development of such software are not considered commercial activities. However, challenges remain for businesses involved in monetizing software [7], requiring further clarification and efficient compliance processes. As the legislative phase concludes, attention will shift to developing implementation standards and facilitating compliance within the business community. OpenForum Europe expresses appreciation to the European Parliament [7], Council [1] [3] [5] [7] [8], and Commission for engaging with the free and open source software community and stakeholders in reaching this outcome.

References

[1] https://www.europarl.europa.eu/news/en/press-room/20231106IPR09007/cyber-resilience-accord-pour-renforcer-la-securite-des-produits-numeriques
[2] https://digital-strategy.ec.europa.eu/en/news/commission-welcomes-political-agreement-cyber-resilience-act
[3] https://cyprus.representation.ec.europa.eu/news/commission-welcomes-political-agreement-cyber-resilience-act-2023-12-01_en
[4] https://www.reneweuropegroup.eu/news/2023-12-01/renew-europe-led-cyber-resilience-act-to-become-new-international-point-on-reference-on-cybersecurity
[5] https://cyber.vumetric.com/security-news/2023/12/04/eu-lawmakers-finalize-cyber-security-rules-that-panicked-open-source-devs/
[6] https://products.cooley.com/2023/12/04/provisional-agreement-reached-on-proposed-eu-cyber-resilience-act/
[7] https://openforumeurope.org/eu-cyber-resilience-act-takes-a-leap-forward/
[8] https://www.infosecurity-magazine.com/news/eu-reach-agreement-cyber/