Cyber Resilience Act: political agreement reached


The “Regulation on horizontal cybersecurity requirements for products with digital elements” (known as the “Cyber Resilience Act” (“CRA”)), proposed by the Commission in September 2022, seeks to protect consumers and businesses from connected products with inadequate security features, which potentially leave them vulnerable to hacks. It covers products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The CRA also identifies a wide subcategory of such products, “critical products” (such as password managers and firewalls), that are subject to stricter obligations. Products such as connected TVs, home cameras, connected alarms and Wi-Fi routers are in scope, but the proposal extends to pure software as well.

Manufacturers are required, amongst other things, to ensure in-scope products are designed, developed and produced in accordance with a number of “essential requirements”, including requirements that they have an appropriate level of cybersecurity based on risk, and that they are free from known exploitable vulnerabilities (with a presumption of conformity where the product conforms to a harmonised standard). Further, during the lifetime of the product or for a period of five years from placing on the market (whichever is shorter), manufacturers must address vulnerabilities without delay, including by means of security updates, and take immediate action, or withdraw the product, if the manufacturer knows or has reason to believe the product does not comply with the essential requirements. There are obligations to carry out a conformity assessment procedure, draw up the relevant EU declaration of conformity and affix the CE marking.

There is also a requirement to notify the EU Agency for Cybersecurity (“ENISA”), without undue delay and in any event within 24 hours of becoming aware, of any actively exploited vulnerability or any incident having an impact on the product’s security. Failure to comply with the essential requirements or the ENISA notification requirements can result in fines of up to €15m or 2.5% of worldwide annual turnover for the preceding year, whichever is higher.

On 30 November 2023, the European Parliament and Council concluded their trilogue negotiations and reached a provisional agreement on the terms of the CRA. According to reports, changes to the Commission’s original proposal include those relating to products in scope, open source software, the period in which products must be supported, and the ENISA reporting obligations. As for the compromise on the support period, while the principle remains that support for a digital product should last for the duration of its expected lifetime, a support period of at least five years is stipulated, except for products which are expected to be in use for a shorter period. The ENISA reporting obligations have been the subject of debate over recent months on the grounds that requiring manufacturers to report unpatched vulnerabilities to which they have not yet found a solution would further entice malicious actors to focus on these vulnerabilities and would result in ENISA becoming the primary target of cyber-attacks. Parliament and the Council have agreed that a notification should be sent both to the national computer security incident response team in the Member State where the manufacturer is established and ENISA at the same time, but with the option of restricting the information sent to ENISA under certain conditions (e.g. where there is an imminent risk from further dissemination).

The text will be finalised over the coming weeks. It will then be submitted to Member States’ representatives for endorsement and then Parliament and the Council will each have to formally adopt it.
