Cyber Resilience Act

The Cyber Resilience Act is a Regulation proposed by the European Commission to increase the overall level of cybersecurity of products with digital elements placed on the EU market and to protect consumers and businesses that purchase or use such products. The Act would create new mandatory cybersecurity obligations for manufacturers, importers, and distributors of covered hardware and software products to address their increasing vulnerability to cyberattacks and other cyberthreats throughout their lifecycle.

What does this mean?

  • Hardware and software products would need to be adequately secured against cybersecurity vulnerabilities throughout their lifecycle, e.g., by ensuring that risks are considered in the design, production and maintenance of the products. Each stage of a product’s value chain would be required to meet specific obligations, and security updates would be mandatory at regular intervals by default.
  • Before entry into the market, products would undergo either a more rigorous examination by a notified body or a lighter conformity assessment process, typically managed internally by the manufacturer, depending on their criticality and the level of cybersecurity risk they pose. Applicable products would bear the CE marking.
  • To increase transparency, the Act would impose reporting requirements on manufacturers and distributors, requiring, for example, that the European Union Agency for Cybersecurity (ENISA) be notified if an exploited vulnerability or incident becomes known that could negatively impact the security of the product.
  • Manufacturers and distributors of products with digital elements would need to give the end customers information on the cybersecurity of the products and instructions on how to keep the products secure.

Who?

  • The Act would apply to manufacturers, importers, and distributors of products with digital elements. However, there would be specific exclusions relating, e.g., to open-source software, national security and defense products, and services that are already regulated by existing rules (such as medical devices, aviation, and cars).

Consequences

  • Member States shall adopt rules on effective, proportionate and dissuasive penalties applicable to infringements of the Cyber Resilience Act. According to the Commission Proposal, sanctions for non-compliance would include administrative fines, which, e.g., for non-compliance with essential cybersecurity requirements, could be up to €15 million or 2.5 % of total worldwide annual turnover, whichever is higher.
  • Monitoring and enforcement would be the responsibility of the national authorities in each Member State.

Timeline

  • The Act was approved by the EU Parliament on 12 March 2024 and still needs to be formally adopted by the EU Council before it can enter into force, which is expected to happen in the second half of 2024. However, there will be a transition period, and manufacturers will likely have to place compliant products on the EU market by 2027.