The Cyber Resilience Act (“CRA”) addresses
cybersecurity gaps in products with digital elements by mandating
compliance with EU-wide standards. Adopted by the Council on
October 10, 2024, it establishes obligations for manufacturers,
enhances consumer safety, and aligns with other EU regulations to
mitigate cyber risks and strengthen resilience.
The rise of digitalization and technologies such as low-cost
sensors, embedded systems, and software has fueled the development
of the Internet of Things (“IoT”).
Products with digital elements are now ubiquitous, ranging from
household appliances to toys. To enhance the security of such
products, the European Parliament approved the Cyber Resilience Act
(“CRA”) on March 12, 2024, aiming to
protect consumers and businesses from cyber incidents.
Following the Council’s adoption on October 10, 2024, the
CRA will be signed by the presidents of the Council and the
European Parliament and published in the EU’s official journal.
As an EU regulation, it will apply directly in all Member States.
It will enter into force 20 days after publication and apply in
full 36 months after that date; some provisions apply earlier, in
particular the manufacturers’ reporting obligations for actively
exploited vulnerabilities and severe incidents (21 months after
entry into force) and the rules on notified conformity assessment
bodies (18 months after entry into force).
Background
Before the CRA, the EU had undertaken significant initiatives to
strengthen cybersecurity. The EU Cybersecurity Strategy for the
Digital Decade (“Strategy”) announced the
CRA and complemented related legislation, particularly the
Directive on Measures for a High Common Level of Cybersecurity
Across the Union (“NIS2”).
1. Cybersecurity Strategy for the Digital
Decade
Published on December 14, 2020, the Strategy set out to ensure
that all internet-connected products are secure and resilient
against cyber incidents. Key objectives include establishing
ultra-secure communication networks based on quantum technology,
creating a self-sufficient technology supply chain, and adopting
IoT security standards. Other measures include the creation of a
European Cyber Shield through Security Operations Centers and
initiatives to boost cybersecurity education, supported by the
European Union Agency for Cybersecurity
(“ENISA”), established in 2004, which
contributes to the EU’s cybersecurity policy and develops
certification schemes to increase trust in digital products and
services. The CRA extends ENISA’s role further: it will operate the
single reporting platform through which manufacturers notify
actively exploited vulnerabilities and severe incidents, alongside
the national CSIRTs.
2. NIS2 Directive
In force since January 2023, with national transposition due by
October 17, 2024, NIS2 replaces the 2016 NIS Directive. It requires
Member States to designate competent authorities for network and
information security (“NIS”), establish Computer Security Incident
Response Teams (“CSIRTs”) and name a single point of contact, to enhance
cybersecurity across the EU. It also establishes a Cooperation
Group to strengthen cooperation among Member States, ensure
strategic information sharing and promote a security culture in
critical sectors such as energy, transport, banking, health and
digital infrastructure. Unlike the CRA, which regulates products with
digital elements, NIS2 addresses the operational resilience of the
entities that run network and information systems in those sectors,
so a single organisation may be subject to both: NIS2 for how it
operates its systems, the CRA for the products it places on the market.
About the Cyber Resilience Act
The CRA aims to reduce vulnerabilities in products with digital
elements, clarify manufacturers’ responsibilities, increase
users’ security awareness and harmonize cross-border security
standards. It applies to most hardware and software products, excluding
categories already covered by sector-specific cybersecurity rules such
as medical devices, motor vehicles, civil aviation and marine equipment,
as well as products developed exclusively for national security or
defence purposes and free and open-source software that is not supplied
in the course of a commercial activity.
Key Objectives:
- Introduce digital products with fewer vulnerabilities and
ensure regular security updates.
- Enhance user access to cybersecurity features for safer
usage.
- Establish EU-wide cybersecurity standards.
- Strengthen cross-border product security by clarifying supply
chain requirements.
Scope and Application:
The CRA applies to “products with digital elements”: software or
hardware products, including their remote data processing solutions,
whose intended purpose involves a direct or indirect logical or physical
data connection to a device or network. Only limited exceptions apply.
The CRA primarily addresses two key issues:
- Inadequate cybersecurity in products and the lack of regular
security updates,
- Challenges for consumers in identifying safe products.
Additionally, the CRA mandates that manufacturers develop
products with digital elements in compliance with the
regulation’s cybersecurity standards. These products include,
but are not limited to, user devices, operating systems, hardware
components, IoT devices, identity management software, privileged
access management software, standalone and embedded browsers,
password managers, malware detection and removal software, and
products with digital elements that function as virtual private
networks (VPNs).
Although the CRA contains no separate territorial scope provision, it
attaches its obligations to products “placed on the market” or “made
available on the market” in the EU. It therefore applies to any product
with digital elements offered in the EU, regardless of where the
manufacturer is established; non-EU manufacturers must comply through
their importers or authorised representatives.
CRA and the AI Act
High-risk AI systems under the AI Act that are also products with
digital elements within the scope of the CRA must meet the CRA’s
essential cybersecurity requirements. Where they do, they are deemed
to comply with the cybersecurity requirements that the AI Act imposes
on high-risk AI systems (Article 15 AI Act). This alignment means a
product integrating a high-risk AI system can satisfy both regulations
with a single set of cybersecurity measures and one conformity
assessment, without being assessed twice.
Violations and Penalties
The CRA defines “economic operators” as manufacturers,
importers, authorised representatives and distributors who are
responsible for meeting compliance requirements. Member States must
enforce penalties for violations, ensuring they are deterrent,
effective, and proportionate. The maximum administrative fines are:
- €15 million or 2.5% of worldwide annual turnover for the preceding
financial year, whichever is higher, for non-compliance with the
essential cybersecurity requirements or the manufacturers’ core
obligations (including vulnerability handling and reporting).
- €10 million or 2% of worldwide annual turnover, whichever is higher,
for non-compliance with other obligations under the regulation.
- €5 million or 1% of worldwide annual turnover, whichever is higher,
for supplying incorrect, incomplete or misleading information to
notified bodies or market surveillance authorities in reply to a request.
Administrative fines and corrective measures will be
proportional to the operator’s size and market impact. In
addition to fines, other corrective or restrictive actions may also
be imposed.
The Importance of CRA
Cyberattacks can have severe consequences for businesses and
individuals. The CRA addresses critical cybersecurity gaps by making
manufacturers responsible for secure design and vulnerability handling
throughout a product’s support period; companies that comply avoid
penalties and reduce their exposure to damaging cyber incidents.
Examples of significant global cyberattacks that illustrate the
product-level weaknesses the CRA targets include:
- Pegasus Spyware: commercial spyware from NSO Group that exploited
vulnerabilities in mobile devices to monitor activists, journalists,
and human rights advocates.
- WannaCry Ransomware: a ransomware worm that encrypted files and
spread across 99 countries in May 2017 by exploiting an unpatched SMB
vulnerability in Windows (MS17-010), showing the cost of missing or
unapplied security updates.
- Kaseya VSA Supply Chain Attack: in July 2021 attackers exploited a
vulnerability in the widely-used VSA remote management platform to
deploy ransomware across its clients’ systems.
Conclusion
The CRA establishes comprehensive security obligations for
economic operators, enhancing the safety of digital products,
bolstering businesses’ resilience against cyber threats, and
promoting compliance through deterrent penalties. By addressing
vulnerabilities in digital products, the CRA marks a significant
step toward a secure digital future.
References
Cyber Resilience Act. (2024, March 12). Retrieved from European
Parliament:
https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html
Cyber resilience act: Council adopts new law on security
requirements for digital products. (2024, October 10). Retrieved
from Council of the EU:
https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/
Directive on measures for a high common level of cybersecurity
across the Union (NIS2 Directive). (2023, September 14). Retrieved
from European Commission:
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
Directive on Measures for a High Common Level of Cybersecurity
Across the Union. (2022). Retrieved from EUR-Lex:
https://eur-lex.europa.eu/eli/dir/2022/2555
EU Cyber Resilience Act. (2024, July 8). Retrieved from European
Commission:
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
European Union Agency for Cybersecurity (ENISA). (n.d.).
Retrieved from European Union:
https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/search-all-eu-institutions-and-bodies/european-union-agency-cybersecurity-enisa_en
NIS Cooperation Group. (2024, September 19). Retrieved from
European Commission:
https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group
The EU’s Cybersecurity Strategy for the Digital Decade.
(2020, December 14). Retrieved from European Commission.
The European Cyber Resilience Act (CRA). (n.d.). Retrieved from
The European Cyber Resilience Act (CRA):
https://www.european-cyber-resilience-act.com/