Authors

Dr. Paul Voigt, Lic. en Derecho, CIPP/E

Partner


Alexander Schmalenberger, LL.B.

Knowledge Lawyer


1 December 2023

Political agreement on the CRA

  • Quick read

On 30 November 2023, the co-legislators reached a political agreement on the Cyber Resilience Act (CRA). This act standardizes digital product cybersecurity in the EU, with manufacturers managing lifecycle security for CE (Conformité Européenne) marked products. It applies to all products connected directly or indirectly to another device or to a network if those products are distributed within the EU. The new rules will apply three years after the CRA enters into force, presumably in spring or early summer 2027.

Key points and main amendments of the co-legislators 

  • Amended Scope: The European Cyber Resilience Act (CRA) encompasses a broad range of devices, including hardware and digital technologies, that connect to networks. The co-legislators agreed on a simpler methodology for the classification of digital products to be covered by the new regulation. 
  • Amended Support period, responsibilities and reporting: Manufacturers are required to ensure lifecycle security of products, providing software updates and clear consumer information about cybersecurity. The negotiators agreed on a support period of 5 years unless the expected product lifetime is shorter. Reports regarding actively exploited vulnerabilities and incidents must be made to competent national authorities. 
  • Conformity Assessment: Products must undergo either self-assessment or third-party assessment processes, leading to the attainment of a CE marking. 
  • Amended ENISA's Role: The European Union Agency for Cybersecurity (ENISA) is central to reporting significant cybersecurity incidents and vulnerabilities. However, unlike in the initial drafts of the CRA, the competent national authorities will be the initial recipients of the reports mentioned above. 
  • Amendment on SME (Small and Medium Enterprise) support: SMEs will receive support for awareness-raising and training activities, testing and conformity assessment procedures.

The next steps: 

  • The text of the CRA will be finalised in technical meetings. 
  • The finalised text will be adopted by the European Parliament and the Council, presumably by April 2024. 
  • The text will be published in the Official Journal of the European Union, probably by June 2024.

More detailed information on the CRA can be found here.
