European Cyber Resilience Act

Published on 21 December 2022

The question

What is the impact of the proposed EU Cyber Resilience Act on businesses? 

The key takeaway

The European Commission has proposed a regulation to harmonise cybersecurity requirements for products with digital elements across the EU (the Cyber Resilience Act or CRA). The CRA would require manufacturers, importers and distributors to comply with obligations designed to limit and address cybersecurity risks throughout the life cycle of in-scope products, from design through to the handling of vulnerabilities after the product is on the market.

The background

The European Commission recognises that the prevalence of connected devices across the EU has resulted in a large increase in the risk of cyberattacks, with the global annual cost of cybercrime estimated at €5.5 trillion by 2021. In response, the Commission has proposed the CRA with the aim of protecting consumers and businesses across the EU from digital products with inadequate security features. The proposal is part of a wider initiative to raise cybersecurity requirements across the EU and will operate alongside the Network and Information Security Directive ((EU) 2016/1148) (NIS Directive), which is itself under review.

The development

The CRA is intended to apply broadly to all products with digital elements placed on the EU market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This covers both hardware and software, but excludes software-as-a-service products, which are regulated under the NIS Directive.

The strictest obligations fall on manufacturers of in-scope products, who must ensure that products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in the CRA. Manufacturers must carry out a conformity assessment and affix a CE marking to the product. Throughout the product's life cycle, manufacturers must address vulnerabilities promptly and provide security updates and information to users. Under the proposal, manufacturers would also have to notify ENISA of any actively exploited vulnerability in the product within 24 hours of becoming aware of it.

Importers must verify that the manufacturer has complied with its obligations before placing the product on the EU market. Importers must also cooperate with regulators and notify them of vulnerabilities of which they become aware. Distributors, too, have obligations under the CRA to check that manufacturers and importers have complied with their respective obligations.

The CRA will need to be agreed by the European Parliament and the Council of the European Union. Once it enters into force, the proposal provides for a two-year implementation period for most obligations, with the manufacturer's vulnerability reporting obligations applying after one year.

Why is this important?

The CRA follows the recent trend in EU law for large potential administrative fines: here, a maximum of €15m or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. This, in itself, should put businesses on notice. In addition, because the CRA applies to any in-scope product placed on the EU market regardless of where the manufacturer is established, UK businesses that place products on both the UK and EU markets will have to grapple with two regulatory regimes. In the UK, the proposed Product Security and Telecommunications Infrastructure Bill (PSTIB) (covered in previous Snapshots) will also set security standards for connected products.

Any practical tips?

Businesses should monitor the progress of the CRA as it makes its way through the EU legislative procedure. Separately, it would be wise to conduct a preliminary assessment of which products are likely to be in scope and in what capacity the business would be caught, whether as manufacturer, importer or distributor, since the obligations differ significantly between the three roles.

Winter 2022