Making Europe fit for the digital age: the proposal for a Cyber Resilience Act

As the world’s digital transformation proceeds apace, cybersecurity becomes an increasingly pressing matter. In the wake of the pandemic, the intensity of this transition exceeded all precedents. All aspects of everyday life and business became overwhelmingly dependent on the use of digital products and services, making the need to prevent, or endure, cyber-attacks a top priority. It has been estimated that the annual cost of cybercrime to the world’s economy will reach $10.5 trillion USD by 2025, up from $3 trillion USD in 2015.

One year after its announced commitment, the European Commission presented a draft proposal for a Cyber Resilience Act (‘CRA’) (2022/0272/COD), adding an important piece of future legislative provisions to the EU’s policy framework for the digital age. Taking a step forward in strengthening the security of digital products and critical infrastructures, the envisioned CRA introduces the concept of “resilience”, supplementing the existing incident-prevention approach with a focus on the ability to endure a cyber-related crisis, and shifting the interest from operators to manufacturers.

In order for potential end users to be in a position of having adequate assurances as to the cybersecurity characteristics of the digital products they are selecting, the draft CRA imposes general transparency requirements and outlines the basic conditions that said products must meet before their placement on the market, to satisfy high cybersecurity standards.

Mapping the material scope of the draft CRA

The draft CRA “applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.” (Art. 2). Anything, tangible or not, with an internet connection that is developed or supplied in the course of commercial activity could thus fall under this broadly defined material scope of the future act, including hardware, software, and the data processing operations they cover.

There are, however, exemptions to its application. The law will not apply to connected devices that are already regulated by certain sectoral legislation, and further limitations to its applicability may be introduced if sectoral legislation on particular digital products achieves the same level of cybersecurity protection in the future. Currently, the excluded digital products are those covered by the Medical Devices Regulation (Regulation (EU) 2017/745), the In Vitro Diagnostic Medical Devices Regulation (Regulation (EU) 2017/746), the Vehicle General Safety Regulation (Regulation (EU) 2019/2144), and the Common Rules in Civil Aviation Regulation (Regulation (EU) 2018/1139). The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the draft NIS2 Directive, nor to free and open-source software developed or supplied outside the course of a commercial activity. We should note that electronic health record systems and products with high-risk artificial intelligence systems are not exempted from the act’s scope.

CRA categories

The digital products falling under the scope of the CRA are divided into three categories, following a risk-based classification. The Default category is for commonplace products with low-risk cybersecurity vulnerabilities, such as video games, photo and word editing apps, smart speakers, etc. It is estimated that 90% of today’s digital products will be counted under this category. The remaining products, considered as ‘critical’, will be categorized as Class I or Class II and will entail more stringent requirements for their manufacturers, operators, and providers. The draft foresees various factors for the determination of a product’s level of risk, ranging from the existence of previous adverse effects to whether they are intended for use in sensitive environments (such as critical infrastructures, e.g., a water supply system).

Basic obligations for economic operators of products with digital elements under the draft CRA

By focusing on how the covered products are configured right from their initial design, the CRA introduces a security-by-design approach in the field. The Annexes to the proposed CRA describe the various requirements that manufacturers need to implement in order to be compliant and differentiate them as: i) security requirements relating to the properties of these products, and ii) vulnerability handling requirements for the manufacturers of these products. These essential requirements create obligations for the entire supply chain, that is, for all entities involved in designing, developing, producing, and making commercially available products with digital elements (i.e., economic operators of products with digital elements).

Manufacturers are those who design, develop, or manufacture the covered products and market them under their name or trademark, whether for payment or free of charge. The idea is that manufacturers have to undergo conformity assessments in order to determine and demonstrate that their products comply with the aforementioned essential security and vulnerability requirements. Different conformity assessment processes correspond to products that belong to different categories, as per the provisioned risk classification. For unclassified or default category products, a security self-assessment (accompanied by the necessary technical documentation, marking, and written EU declaration of conformity) may be applied. For Class I products, the options are to undergo a third-party conformity assessment or to apply harmonized standards/European cybersecurity certification schemes, whereas for Class II products the third-party conformity assessment is the only and mandatory option.

Along with these responsibilities, manufacturers must take care to provide clear and understandable instructions for the use of the products, make sure that their product’s known vulnerabilities are handled effectively for the expected lifetime of the product or for a period of five years, make security updates available for at least five years, and inform market authorities when they cease operations. In the case that they become aware of “any actively exploited vulnerability contained in the product with digital elements” or “any incident having impact on the security of the product with digital elements”, they also bear the obligation to notify the European Union Agency for Cybersecurity (ENISA) accordingly within 24 hours.

Importers of products with digital elements (namely, those who place on the market a product bearing the name or trademark of an entity established outside the Union) must check both that their products comply with the essential requirements and that their manufacturers are compliant with the essential vulnerability requirements. Companies or persons other than a manufacturer or an importer who make a covered product commercially available in the Union market (without affecting its properties) are also bound by the CRA to verify that their products bear conformity markings and that the related manufacturers and importers have complied with their essential requirements obligations. Both importers and distributors of products with digital elements must report to manufacturers, without delay, any cybersecurity vulnerability that comes to their attention. Moreover, in case a significant cybersecurity risk arises, they must inform national market surveillance authorities immediately, so that corrective measures are taken.