European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?

Imagine waking up one day to discover that all your sensitive business data, including confidential financial information, customer data, and trade secrets, have been stolen. A nightmare scenario, isn’t it?

Unfortunately, this is a reality that many companies face as cyber threats continue to grow in scale, complexity, and impact. The good news is that the European Commission has introduced the European Cyber Resilience Act (CRA) to set common cybersecurity standards for digital products and connected services sold in the EU market.

The aim is to protect consumers and businesses from cyber incidents, making this the first ‘Internet of Things’ (IoT) legislation in the world. With this blog post, Publyon’s Junior Consultant Emmanuelle Ledure provides an overview of the main threats and opportunities for European businesses, focusing on:

  • The objectives of the legislation.
  • The implications for providers of digital products and connected services.


What’s the objective of the European Cyber Resilience Act?

As different economic sectors have become more dependent on digital technologies in executing their businesses, the opportunities that digital connectivity brings also expose economies to cyber threats. The amount, complexity, scale, and impact of cybersecurity incidents are also growing.

The Cyber Resilience Act introduces rules to protect digital products that are not covered by any previous regulation. This way, it will be the first ‘Internet of Things’ (IoT) legislation in the world.


What are the implications of the European Cyber Resilience Act for your business?

Publyon has identified a number of essential requirements for hardware manufacturers, software developers, distributors and importers who place digital products or services on the EU market. The requirements proposed include:

  • an ‘appropriate’ level of cybersecurity;
  • a prohibition on selling products with any known vulnerability;
  • security by default configuration, protection from unauthorised access;
  • limitation of attack surfaces, and minimisation of incident impact.

The default category consists of low-risk products, covering 90% of the market, including smart toys, TVs or fridges, and would require companies to perform a self-assessment to ensure that a product meets cybersecurity standards. Furthermore, two categories for critical products are listed:

  1. The first category includes browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, and chips used for entities falling under the NIS2 Directive. Moreover, it also includes all operating systems, microprocessors and industrial IoT not covered in class II.
  2. The second category includes higher-risk products, such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.

The main difference between the two categories is the compliance process. Moreover, the Commission asks manufacturers to perform regular tests to identify vulnerabilities in their products.

Lastly, Member States would also have to put in place market surveillance bodies. The penalties for non-compliance with the requirements can amount to €15 million or 2.5% of the annual turnover.

If you would like to know more about the impact of this legislation on your organisation, feel free to fill out the form at the end of this article to get in touch with our experts. 


Expert perspectives: how industry stakeholders are reacting to the European Cyber Resilience Act

The first overall reactions from the industry and other stakeholders to the initiative were positive. Consumers expect the products they purchase to be safe and secure.

Hence, creating greater awareness of the importance of these security requirements in products will result in customers considering key security criteria when making purchasing decisions.

However, to avoid confusion, the industry also warned that the legislation should encompass a clear definition, considering differences in the development, functionality, and use of digital products. Different sectors also asked the Commission to consider existing vertical legislation for specific sectors and/or product groups.

Adding essential cybersecurity requirements risks excluding SMEs from the market. Businesses also need to know exactly what kind of technical specifications they must comply with to ensure adherence to CRA obligations.

Some companies are worried about the extra burden and compliance costs, making it harder for start-ups to compete with established companies. For instance, app developers warn of the extra costs of maintaining a cyber-resilient environment for the benefit of consumers. They prefer guidelines or recommendations.


Where are we in the EU process?

European Parliament

The European Parliament’s Industry, Research and Energy Committee (ITRE) has been appointed as the responsible committee, under the lead of MEP Nicola Danti (RE, Italy) as Rapporteur. On 19 July, MEPs from ITRE adopted Danti’s report and amended the proposal of the European Commission by including remote data processing solutions integrated into connected devices, for example cloud-enabled functionalities for smart appliances, in the regulation’s scope.

Furthermore, the amended text of the European Cyber Resilience Act changes the entry into force to 36 months and mandates reporting obligations after 18 months. Manufacturers will have 12 months to comply with the European cybersecurity certification requirements. Under the certification schemes, highly critical products will have to meet the highest level of assurance, while critical products will have to meet a substantial level of assurance.

Moreover, manufacturers may provide security updates for a period longer than the expected product lifetime. The text includes the possibility for users to securely withdraw and remove their data permanently.

Finally, based on risk analysis, manufacturers will have to inform distributors and end users of the lack of compliance and, where available, the measures to mitigate cybersecurity risks. The European Parliament then adopted its position during the September plenary session, immediately kicking off a first round of Trilogues on 27 September.


Council of the EU

19 July marked a milestone in the EU legislative process because, in parallel to the Parliament’s ITRE Committee, the Council of the EU also reached a common position.

Member States introduced highly critical product categories, which the Commission could amend at a later stage. They also changed the scope of products that need to comply with the Regulation. Moreover, Member States want competent national authorities (‘computer security incident response teams’ – CSIRTs) instead of the EU Agency for Cybersecurity (ENISA) to be in charge of the reporting obligations of vulnerabilities or incidents. ENISA will be tasked with establishing a single reporting.

The common position also amends the Commission’s proposal by including support measures for micro, small and medium-sized enterprises and a simplified declaration of conformity.


Next steps for the European Cyber Resilience Act

The European Parliament and the Council of the EU engaged in their first round of Trilogue negotiations on 27 September. One of the most contentious items of the upcoming negotiations is the reporting obligations for manufacturers (Article 11).

Industry stakeholders have been arguing against the requirement to report an exploited vulnerability within 24 hours of becoming aware of this, as it could expose products to more cyberthreats. Furthermore, the provisions on the storing of data present another key negotiation point.

The European Parliament and the Commission propose to entrust ENISA with the responsibility to hold the database of products’ exploited vulnerabilities. The Council would rather have the national Computer Security Incident Response Teams (CSIRTs) become the responsible authorities for the database.

More information on the ongoing negotiations will be circulated by ITRE, which is set to report back to the Committee members on 12 October. On the Council’s side, the Spanish Presidency aims to come to an agreement with the European Parliament by the end of the year. For this reason, the Presidency has scheduled technical meetings.


Learn more about our EU cyber-related services

Publyon offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU cyber-related legislation on your organisation.

Would you like to know more about how your organisation can make the most out of this Regulation? Make sure you do not miss the latest developments by subscribing to our EU Digital Policy Updates.

Do you want to know more?

Do you need help getting a better understanding of what the European Cyber Resilience Act will mean for your organization?

Fill out the form below and our team of experts will get in touch with you.
