On September 15, 2022, the European Commission published its Proposal for a Cyber Resilience Act (CRA) which sets out new requirements for hardware and software products in the EU.
The CRA covers hardware and software products that contain digital components and whose intended use includes a connection to a device or network; it applies to all such products placed on the EU market, including imported products.
Main Requirements
- Digital products are broken down into certain risk allocations, with Class I critical products including identity management software, password managers, VPNs, network traffic monitoring systems, and remote access software.
- Class II critical products include microprocessors, routers, IoT devices, smart meters, and operating systems.
- Manufacturers will need to assess the cyber risk of their digital hardware and software and take continued action to fix problems during the lifetime of the product. In addition, before placing any digital product on the market, manufacturers will be required to conduct a formal ‘conformity assessment’ of such product and implement appropriate policies and procedures documenting relevant cybersecurity aspects of the products.
- Companies will have to notify the EU cybersecurity agency (ENISA) of any exploited vulnerability within the product, and any incident impacting product security, within 24 hours of becoming aware. Manufacturers will also be required to notify users of any incident impacting product security without delay. These notice requirements apply regardless of whether the incident would constitute a data breach under applicable privacy laws.
- EU importers and distributors of products will need to verify that digital products conform with the CRA.
- EU Member State authorities will be permitted to monitor compliance with the CRA, and maximum fines of up to EUR 15 million (approx. $15mm) or 2.5% of global annual turnover (whichever is higher) can be applied.
Additional Provisions
- The CRA specifies further cybersecurity requirements for products, including requirements for products to be delivered with a secure-by-default configuration, ensure appropriate access control mechanisms, protect the availability of essential functions (including protection against, and mitigation of, denial-of-service attacks), and be designed to reduce the impact of a security incident.
- The CRA also requires manufacturers of digital products to comply with various vulnerability handling requirements, including identifying and documenting vulnerabilities in the product and addressing and remediating them without delay.
- Certain information and instructions are required to be provided to users of digital products, including the full contact details of the manufacturer, a point of contact where vulnerabilities can be reported and received, disclosure of cybersecurity risks, and detailed instructions (or a website URL referring to such detailed instructions) on security-related aspects of the product.
Next Steps
The draft proposal will now be examined by the European Parliament and the Council of the EU. It is likely to take some years before the CRA is adopted, but once it is, companies will have two years to implement its requirements.