Imagine waking up one day to discover that all your sensitive business data, including confidential financial information, customer data, and trade secrets, have been stolen. A nightmare scenario, isn’t it? Unfortunately, this is a reality that many companies face, as cyber threats continue to grow in scale, complexity, and impact. The good news is that the European Commission introduced the European Cyber Resilience Act (CRA) to set common cybersecurity standards for digital products and connected services sold in the EU market.
The aim of the CRA is to protect consumers and businesses from cyber incidents, making this the first ‘Internet of Things’ (IoT) legislation in the world. With this blog post, Publyon provides an overview of the main threats and opportunities for European businesses, focusing on:
- The objectives of the legislation.
- The implications for providers of digital products and connected services.
What’s the objective of the European Cyber Resilience Act?
As different economic sectors have become more dependent on digital technologies to pursue their business activities, the opportunities that digital connectivity brings expose economies to cyber threats. In parallel,the amount, complexity, scale, and impact of cybersecurity incidents are growing – a true challenge for European businesses that want to capitalise on digital tools to boost their competitiveness.
Therefore, the Cyber Resilience Act introduces rules to protect digital products that are not covered by any previous regulation. This way, it will be the first ‘Internet of Things’ (IoT) legislation in the world. The CRA hereby seeks to protect European businesses from cyber threats, as much as consumers, by harmonising rules through a solid legislative framework and common cybersecurity obligations across the EU.
What are the implications of the European Cyber Resilience Act for your business?
Publyon has identified a number of essential requirements for hardware manufacturers, software developers, distributors and importers who place digital products or services on the EU market. The requirements proposed include:
- an ‘appropriate’ level of cybersecurity;
- the prohibition to sell products with any known vulnerability;
- security by default configuration, protection from unauthorised access;
- limitation of attack surfaces, and minimisation of incident impact.
The default category consists of low-risk products, covering 90% of the market, including smart toys, TVs, or fridges, and would require companies to perform a self-assessment to ensure that a product meets cybersecurity standards. Furthermore, two categories for critical products are listed:
- The first category includes browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, and chips used for entities falling under the NIS2 Directive. Moreover, it also includes all operating systems, microprocessors and industrial IoT not covered in class II.
- The second category includes higher-risk products, such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.
The main difference between the two categories is the compliance process. For both categories, the European Commission asks manufacturers to perform regular tests to identify vulnerabilities in their products.
Lastly, Member States will also have to put in place market surveillance bodies. The penalties for non-complying with the requirements can amount to €15 million or 2.5% of the annual turnover.
If you would like to know more about the impact of this legislation on your organisation, we invite you to fill out the form at the end of this article to get in touch with our experts.
Expert perspectives: how industry stakeholders are reacting to the European Cyber Resilience Act
Reactions from the industry are overall positive, while consumers expect the products they purchase to be safe and secure.
Businesses need to be aware of the technical specifications they must comply with to ensure adherence to CRA obligations. Some companies are worried about the extra burden and compliance costs created by the CRA, making it harder for startups to compete with established companies. For instance, app developers warn of the extra costs of maintaining a cyber-resilient environment for the benefit of consumers. They prefer guidelines or recommendations.
Next steps
The CRA’s legislative process came to an end on 12 March 2024 when its final version was green-lighted by the European Parliament. The Council and Parliament had previously reached an agreement on the final text in December 2023.
The text now awaits to be formally adopted by the Council in the coming months, before it can be published in the Official Journal of the EU and subsequently enter into force. Following its entry into force, businesses will have up to 36 months to adapt to the CRA’s requirements, except for the compliance with reporting obligations concerning actively exploited vulnerabilities and severe incidents on the safety of products with digital elements, which should be applied latest 21 months after the entry into force of the CRA. Provisions on the notification of conformity of assessment bodies should apply after 18 months.
The European Commission has the power to adopt delegated acts for a period until five years after it enters into force. As such, one year exactly after the entry into force of the CRA, the Commission is expected to adopt an implementing act which will specify the technical description of certain categories of products with digital elements set out in the annexes.
Additional implementing legislation is expected to be published throughout these five years, which will directly affect businesses, too. It therefore remains important for your business to stay updated with the secondary legislation stemming from the CRA and anticipate the obligations it will set on your organisation’s products and activities.
Learn more about our EU cyber-related services
Publyon offers tailor-made solutions to navigate the evolving policy environment at the EU level and anticipate the impact of the EU cyber-related legislation on your organisation.
Would you like to know more about how your organisation can make the most out of this Regulation and what additional implementing legislation your business can expect? Make sure you do not miss the latest developments by subscribing to our EU Digital Policy Updates.
If you are intrigued by the EU’s latest efforts regarding cybersecurity, you can use the contact form below to reach out to us.
