A Summary of the Cyber Resilience Act Implemented by the EU
The European Commission presented the Cyber Resilience Act (CRA) on September 15, 2022, marking a significant step towards improving the cybersecurity of digital products in the European Union (EU). The Act, which applies a broad regulatory framework to tangible and intangible products with digital elements, aims to enhance the security of connected devices on the EU market.
Manufacturers of connected devices have been tasked with determining and declaring that their products meet all essential security and vulnerability requirements. This includes designing products with an appropriate level of cybersecurity, delivering them without known exploitable vulnerabilities, and ensuring secure-by-default configurations.
To demonstrate compliance with the CRA, manufacturers must undertake a cybersecurity risk assessment, include it in technical documentation, and mark where certain essential requirements are not applicable. For Class I and Class II products, manufacturers must undergo a third-party conformity assessment or apply harmonized standards or European cybersecurity certification schemes. Class II product manufacturers can only demonstrate conformity through third-party conformity assessment.
The CRA mandates security-by-design and creates essential cybersecurity requirements for manufacturers, importers, and distributors. These entities are also required to report cybersecurity vulnerabilities and incidents to the European Union Agency for Cybersecurity (ENISA) within 24 hours. In the event of non-compliance, administrative fines of up to €15 million or 2.5 percent of a business's global annual turnover may be imposed. Member states can also prohibit or restrict products from being made available if the manufacturer, importer, distributor, or other responsible business is found to be non-compliant.
The CRA classifies covered products into three categories: Class I, Class II, and the Default category. The Default category applies to products without critical cybersecurity vulnerabilities. Manufacturers, importers, and distributors of covered products must ensure compliance with the essential requirements in Annex I of the Cyber Resilience Act.
Regulatory oversight and cooperation play a crucial role in enforcing the CRA. Supervisory government bodies in each Member State are responsible for overseeing compliance, and they cooperate and share information across borders. This cooperation is facilitated under broader policies such as the NIS2 Directive.
The European Union Agency for Cybersecurity (ENISA) supports the implementation and enforcement of the CRA by assisting Member States and businesses. ENISA manages processes like cybersecurity certification and vulnerability information sharing, notably through the European Union Vulnerability Database (EUVD), which aids transparency and coordinated response.
Notably, the CRA does not exempt European Digital Identity Wallets, electronic health record systems, or products with high-risk artificial intelligence systems. It also leaves open the possibility of further sectoral legislation post-enactment.
The CRA's comprehensive enforcement framework combines manufacturer responsibilities for product security and reporting, government supervision and cooperation, and potential financial penalties for non-compliance to uphold a high common level of cybersecurity across the EU market. This new regulation is expected to significantly enhance the security of digital products in the EU, protecting consumers and businesses from cyber threats.
- The European Commission's Cyber Resilience Act (CRA) targets innovation in areas such as artificial intelligence (AI) and the Internet of Things (IoT), as it applies a broad regulatory framework to digital products.
- The CRA requires automation in cybersecurity risk assessments for manufacturers of connected devices, with the results of these assessments included in technical documentation.
- Data-driven cybersecurity will be crucial for manufacturers, importers, and distributors who must report cybersecurity vulnerabilities and incidents to ENISA within 24 hours.
- Regulation of AI and related technologies becomes more prominent with the CRA, as it does not exempt high-risk AI systems or electronic health record systems from its essential cybersecurity requirements.
- The IoT and AI sectors will likely see increased oversight and data-sharing between government bodies due to the CRA's enforcement framework, operating under broader policies such as the NIS2 Directive.
- The CRA's comprehensive approach to enhancing cybersecurity involves data-driven manufacturing responsibilities, regulatory oversight, and potential financial penalties, aiming to create a secure digital marketplace in the European Union (EU).