Co-Author: Lucas Falk

I. Introduction

On September 15 2022, the European Commission published its “Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020” (Cyber Resilience Act – CRA). The Cyber Resilience Act introduces cybersecurity requirements for a broad scope of products with digital elements, including software, and has potential to become one of the most important EU cyber security laws.

The Cyber Resilience Act has strong links with other cyber security laws such as the NIS-2 Directive, the Cyber Security Act, the AI-Act and the GDPR (in particular its data protection by design and cybersecurity elements). 

II. Scope

The Cyber Resilience Act has a broad scope of application. It applies to all products with digital elements whose use includes a direct or indirect logical or physical data connection. A product with digital elements in this context means any software or hardware product with remote data processing solutions.

The application is limited or excluded where sectoral rules achieve the same level of protection as the one provided by the CRA. This is the case regarding Software as a Service (SaaS) which shall only be covered by the NIS-2 Directive, which aims at ensuring a high level of cybersecurity of services provided by essential and important entities.

Products with digital elements developed exclusively for national security or military purposes are not covered by the regulation.

III. Obligations of economic operators

Economic operators covered by the CRA (in particular manufacturers, importers and distributors of products with digital elements) need to fulfill several obligations before and whilst placing a product with digital elements on the market.

Placing on the market means the first making available on the EU market, i.e. when there is any supply of a product with digital elements for distribution or use on the European Union market in the course of a commercial activity. It does not matter if this is in return for money or free of charge.

1. General Obligations of economic operators

There are several obligations which need to be fulfilled by several or all economic operators.

Manufacturers and importers 

Manufacturers and importers shall place only products with digital elements on the EU market that comply with the essential cybersecurity requirements laid down in the CRA to ensure an appropriate level of cybersecurity and ensure that there are no exploitable vulnerabilities.

Importers and distributors

If importers and distributors identify a vulnerability in a product with digital elements they shall inform the manufacturer without undue delay. Where the product presents a significant cybersecurity risk, they need to immediately inform the market surveillance authorities of the member states in which they made the product available on the market.

Importers and distributors need to ensure that the product with digital elements has been accompanied with appropriate instructions and information in a language that is easy to understand in order to ensure a safe use by the user.

When importers or distributors become aware that the manufacturer of a product with digital elements is not able to comply with the obligations laid down in the CRA, they shall inform the relevant market surveillance authority and, if possible, the users of the product.

Obligations in case of a request by the market surveillance authority

In case of reasoned concerns regarding the compliance of the product with the CRA, the competent market surveillance authority can request that manufacturers, importers and distributors provide with all the data required to assess the design, development, production and vulnerability handling. This includes related internal documentation in order to demonstrate the conformity of the product with the CRA in a language that can be easily understood by that authority.

Application of the manufacturer’s obligations to other parties

Where importers or distributors place a product with digital elements on the EU market under their name or trademark, they are considered manufacturers under the CRA and are subject to the obligations of the manufacturer.

Where a natural or legal person carries out a substantial modification of the product it shall be considered a manufacturer under the CRA and is subject to the obligations of the manufacturer.

2. Specific Obligations of Manufacturers

General Obligations

A manufacturer is any person who develops or manufactures products with digital elements or has them designed, developed, manufactured and markets them under his name or trademark.
Manufacturers shall ensure that 

• the product has been designed, developed and produced in accordance with the essential cybersecurity requirements laid down in the CRA,
• the product has an appropriate level of cybersecurity based on the risks,
• the product is delivered without any known exploitable vulnerabilities.

To fulfill this obligation manufacturers shall undertake an assessment of the cybersecurity risk associated with their product and take its outcome into account during planning, designing, developing, producing, delivering and maintaining the product, aiming to minimize cybersecurity risks, prevent incidents and minimize the impacts of such, including in relation to the health and safety of users. In addition, due diligence must be exercised when integrating components sourced from third parties to ensure that those components do not compromise the security of the product. 
Relevant cybersecurity aspects must be systematically documented.

A cybersecurity risk assessment must be included in technical documentation when the product is placed on the EU market.

Manufacturers must ensure that vulnerabilities of the product are handled effectively during the expected product lifetime or five years counted from the placing on the market, whatever is shorter.

Before placing the product on the market, they need to 

• draw up the technical documentation, which must contain all relevant data and must be updated continuously,
• carry out the chosen conformity assessment procedures (see below),
• provide the product with the EU declaration of conformity,
• accompany the product with clear, understandable, intelligible and legible information and instructions which ensure a secure installation, operation and use.

Manufacturers need appropriate policies and procedures, including coordinated vulnerability disclosure policies to process and remediate potential vulnerabilities.

Manufacturers may also choose to appoint an authorized EU representative which may fulfill some of the manufacturer’s obligations.

Conformity Assessment

Manufacturers must carry out appropriate conformity assessment procedures to ensure the conformity with the CRA before placing a product on the market.

The requirements are based on the risks involved with the products: For this purpose, critical products with digital elements are divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in sensitive environments.

If the product is classified as a critical product 

• of class I: additional assessment is required to demonstrate conformity
• If manufacturers want to carry out the assessment on their own they should apply harmonized standards, common specifications or certification schemes as set out in the Cyber Security Act
• Otherwise third-party conformity assessment is mandatory
• of class II: mandatory third-party conformity assessment 

If the compliance of the product has been demonstrated, manufacturers shall 

• draw up an “EU declaration of conformity” that states the fulfilment of the applicable essential requirements. The EU declaration of conformity 
• shall contain the elements specified in the relevant conformity assessment, 
• shall be continuously updated,
• shall be made available in the language required by the Member State in which the product is made available,
• states that the manufacturer assumes responsibility for the compliance of the product. 
• affix a CE marking to the product that indicates that it assumes responsibility for the conformity with all applicable requirements.

Reporting Obligations

If there is any actively exploited vulnerability contained in the product or if any incident has impact on the security of the product, manufacturers need to report this to EU cyber security agency ENISA without undue delay and in any event within 24 hours. ENISA then shall prepare a biennial technical report.

Furthermore, upon identifying a vulnerability in a component, manufacturers need to report the vulnerability to the person or entity maintaining the component.

3. Specific Obligations of Importers

An importer is any person established in the EU who places a product with digital elements on the EU market that bears the name or trademark of a (natural or legal) person established outside the EU.

Before placing a product on the market importers must ensure that

• appropriate conformity assessment procedures have been carried out by the manufacturer,
•  the manufacturer has drawn up the technical documentation,
• the product bears the CE marking,
• the product is accompanied by clear, understandable, intelligible and legible information and instructions which ensure a secure installation, operation and use.

Importers shall not place products on the market where they consider that it is not compliant with the essential cybersecurity requirements laid down in the CRA until that product has been brought into conformity by the manufacturer.

Importers must indicate

• their name, registered trade name or registered trademark,
• a contact address / contact details in a language easy to understand,

on the product with digital elements or on its packaging. 

For ten years after the product with digital elements has been placed on the market, importers must keep a copy of the EU declaration of conformity.

4. Specific Obligations of Distributors

A distributor is any person in the supply chain other than the manufacturer or distributor, that makes a product with digital elements available to the EU market without affecting its properties.

Distributors must act with due care regarding the requirements of the Cyber Resilience Act when making a product with digital elements available on the market.

Before making it available they need to verify that 

• The product bears the CE marking, 
• that the manufacturer has accompanied the information and instructions and the EU declaration of conformity,
• that the importer has indicated their name, registered trade name or registered trademark and a contact address on the product or on its packaging.

IV. Market Surveillance Authority

Each Member State appoints at least one market surveillance authority to ensure the effective implementation of the CRA. This can be either an existing or a completely new authority. The market surveillance authority cooperates with other national authorities, authorities of other Member States or the European Commission where necessary.

When the market surveillance authority has sufficient reasons to consider that a product with digital elements presents a significant cyber security risk, it evaluates the product regarding its compliance with the CRA. If the result of the evaluation is that the product is not compliant with the CRA it requires the operator to take all appropriate corrective actions to make the product compliant, to withdraw it from the market or to recall it within a reasonable period. When the market authority considers that the non-compliance is not limited to its national territory, it informs the commission and the other Member States.

V. Sanctions

Sanctions may differ from Member State to Member State. However, sanctions must be effective, proportionate and dissuasive. 
In case of an infringement of essential cybersecurity requirements and the obligations of manufacturers, fines up to 15.000.000 EUR or up to 2.5 % of the total worldwide annual turnover for the previous financial year are possible, whichever is higher.

In case of an infringement of any other obligations, fines up to 10.000.000 EUR or up to 2 % of the global annual revenue generated in the previous financial year are possible.

The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request could lead to fines up to 5.000.000 EUR or up to 1 % of the global annual revenue generated in the previous financial year. 

VI. Outlook

The Cyber Resilience Act is still in the making. Once it has been passed, it shall apply after a grace period of 24 months. Reporting obligations of manufacturers shall apply after 12 months following its entry into force.