The EU's Cyber Resilience Act: 10 on the 10
Today the EU's Cyber Resilience Act (Regulation (EU) 2024/2847) ('CRA') enters into force.
The CRA recognises that the continuously evolving world of smart products is frequently challenged by vulnerabilities which can potentially lead to cyber-security incidents. Whilst most of the Act's obligations will not be applicable until three years from now, 10 December is the day when the EU takes a big step towards its ten-year Cybersecurity Strategy. To mark the occasion, we have outlined ten key points that entities in scope must be aware of in preparation for compliance with the CRA.
1. Products with Digital Elements
The objective of the CRA is to protect consumer rights in relation to Products with Digital Elements ('PDEs') across the EU. The definition of PDEs is broad. It includes any goods incorporating either software or hardware elements, from Internet of Things ('IoT') products to computer components, remote data processing solutions and any other devices which foreseeably use or connect to a device or network.
2. Entities in Scope
The CRA is applicable across the entire EU supply chain, capturing Manufacturers, Importers and Distributors of PDEs. If Importers or Distributors use any manufacturers' products with the Importer's or Distributor's own branding, they will be considered a Manufacturer for the purposes of the CRA.
3. Risk Categories
The CRA recognises that PDEs bear different levels of risk depending upon their intended use and the potential extent of the impact arising from a disruption. As such, the Act sets out four categories of risk:
- Default Products: Products in this category are considered to bear the lowest level of cybersecurity risk and as such they are subject to basic cybersecurity requirements. This group covers the majority of PDEs, including IoT devices such as smart connected toys, smart watches, smart speakers, smart fridges and other connectable home devices.
- Important Products (Class 1): These are PDEs which present a higher risk than Default Products. Examples of this category include operating systems, identity management systems, password managers and VPNs.
- Important Products (Class 2): The level of risk for products in this category is even higher than that of Important Products Class 1. Examples of this category include firewalls, tamper-resistant microprocessors and microcontrollers.
- Critical Products: This category comprises those PDEs bearing the highest level of risk. Examples of these include smart meter gateways and hardware devices with security boxes, smartcards or similar devices.
4. PDE Conformity
Different conformity requirements apply to each risk category.
Whilst Manufacturers can self-assess conformity for Default Products, further steps are required for Important and Critical Products. These can include instructing a third party to assess the PDE, obtaining certification under an applicable European cybersecurity certification scheme, or conducting a self-assessment (only available for PDEs that follow common specifications or standards).
5. Obligations
The extent of the obligations arising under the CRA differs depending on whether an entity is a Manufacturer, Importer or Distributor.
Manufacturers are under the highest level of scrutiny. It is their responsibility to ensure that the PDE meets the essential cybersecurity and vulnerability handling requirements, listed at Annex I and II of the Act respectively.
Essential cybersecurity requirements include carrying out risk assessments on PDEs to ensure that they are designed, developed and produced with an appropriate level of controls. Those controls relate to cybersecurity, secure default configurations, access control, data minimisation policies, and availability and resilience features. There are also obligations to report PDE vulnerabilities to the local Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA).
Vulnerability requirements include an obligation for Manufacturers to conduct security tests, identify and document vulnerabilities and distribute updates to fix or mitigate vulnerabilities.
Importers are under an obligation to ensure that any PDEs entering the EU market are CRA compliant and must obtain documents from the Manufacturer evidencing this. Importers must also ensure that PDEs bear the 'CE' mark and are accompanied by information and instructions for use.
Distributors must check that Importers and Manufacturers have complied with their CRA obligations and ensure that the product bears the 'CE' mark. Upon identifying any vulnerability in PDEs, both Importers and Distributors must inform the Manufacturer without undue delay.
6. Enforcement Powers
From a wider EU perspective, ENISA will oversee the notifications arising from severe PDE incidents and local CSIRTs will receive notifications at a national level. However, each Member State is also expected to appoint its own market surveillance authority, responsible for the enforcement of CRA obligations. Market surveillance authorities' powers include banning, withdrawing or recalling non-compliant PDEs from the market.
7. Consequences of Non-compliance
Potential fines for non-compliance vary depending upon the nature of the breach:
- Non-compliance with the essential cybersecurity requirements, Manufacturers' obligations or reporting obligations can result in a fine up to EUR 15 million or up to 2.5% of the offender's worldwide turnover.
- Non-compliance with other obligations can result in a fine up to EUR 10 million or up to 2% of the offender's worldwide turnover.
- Providing misleading or incorrect information to market surveillance authorities or a relevant body can result in a fine up to EUR 5 million or 1% of the offender's worldwide turnover.
8. Key Dates
The CRA comes into force today (10 December 2024) but its applicability is spread across three key dates:
- On 11 June 2026, provisions relating to conformity assessment bodies will start to apply (18 months).
- On 11 September 2026, Manufacturers' obligations related to reporting exploitable vulnerabilities will commence (21 months).
- On 11 December 2027, the CRA will become fully applicable (36 months).
9. EU Legislation
The CRA will join a number of European Directives and Regulations currently being implemented to attempt to create a harmonised and safe cybersecurity environment across the EU. Others include:
NIS2 - The NIS2 directive aims to create a high common level of cybersecurity for important organisations and critical entities providing physical and digital infrastructure across Member States. There is an interplay between the two pieces of legislation as PDEs can be deemed critical if they are used or relied upon by Essential Entities as defined in NIS2 (Art 6(5)(a) CRA). However, NIS2 focuses on the harmonisation of cybersecurity and cyber resilience standards, whereas the CRA focuses on PDEs and the protection of consumers' rights.
AI Act - The AI Act aims to ensure that artificial intelligence products are safe and transparent. In a similar vein to the CRA, the AI Act applies to providers, distributors and manufacturers and takes a risk-based approach, dividing AI systems into different risk categories. While the focus of each Act is clearly distinct, there is also an interplay between them. Products deemed High Risk AI systems which fulfil the requirements of Section I Annex I of the CRA are deemed to have fulfilled the AI Act requirements too (Art 8(1) CRA).
European Data Act - The European Data Act requires data to be accessible and usable throughout Member States with a view to increasing data availability and innovation. It establishes rules for information sharing which were previously not defined. It applies to manufacturers and providers of connected goods and to entities that hold data obtained by such connected products or services. The products in scope are similar to those of the CRA and can include electronics such as smart fridges and equipment that collects and transmits data.
Whilst both Acts focus on similar products, their aims are clearly distinct. The Data Act is aimed at enhancing the EU's data economy and fostering a competitive data market by giving users of connected products greater control over their data and by imposing measures to increase fairness and competition in the cloud market. The CRA is primarily aimed at strengthening the cybersecurity of products in scope.
10. UK Legislation
In the UK, the most comparable piece of legislation to the CRA is the Product Security and Telecommunications Infrastructure Act (PSTI). The PSTI imposes minimum security requirements on manufacturers, importers, and distributors in relation to smart products. Some of these requirements include the need to provide information on how to report security issues and the duty to investigate potential compliance failures. Whilst both instruments are similar and target the wider product supply chain, the CRA's definition of PDEs is further reaching than that of the PSTI.
Despite a similar naming convention, the UK's Cyber Security and Resilience Bill (which was announced at the King's Speech in July) appears to be more aligned with NIS2 than with the CRA.
The EU landscape on digital products is developing at rapid speed. The combination of the CRA and other European statutory instruments creates a changing playing field for the highly competitive tech market. Whilst these changes impose more strenuous requirements on businesses, in particular start-ups which may find them challenging to navigate, they are intended to create an even, safer and more consistent environment for the industry and consumers across the EU. Businesses in the EU and the UK have started giving careful consideration to the increasing legislation and constant developments in the cybermarket, where neither innovation nor regulation is showing signs of slowing down anytime soon.