Photo of Cándido García Molyneux

Cándido García Molyneux provides clients with regulatory, policy and strategic advice on EU environmental and product safety legislation. He helps clients influence EU legislation and guidance and comply with requirements in an efficient manner, representing them before the EU Courts and institutions.

Cándido co-chairs the firm’s Environmental Practice Group.

Cándido has a deep knowledge of EU requirements on chemicals, circular economy and waste management, climate change, energy efficiency, renewable energies as well as their interrelationship with specific product categories and industries, such as electronics, cosmetics, healthcare products, and more general consumer products.

In addition, Cándido has particular expertise on EU institutional and trade law, and the import of food products into the EU. Cándido also regularly advises clients on Spanish food and drug law.

Cándido is described by Chambers Europe as being "creative and frighteningly smart." His clients note that “he has a very measured, considered, deliberative manner,” and that “he has superb analytical and writing skills.”

On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:

  1. the planning, design, development, production, delivery and maintenance of PDEs;
  2. the prevention and handling of cyber vulnerabilities; and
  3. the provision of cybersecurity information to users of PDEs.

The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.

The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.

The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.

Continue Reading EU Publishes Draft Cyber Resilience Act

Consumer Law Developments

Over the past 5 years, the EU has launched several legislative initiatives aimed at revamping EU consumers protection laws.  One such initiative was the “New Deal for Consumers” adopted by the European Commission on April 11, 2018.  The New Deal for Consumers amends existing EU consumer legislation in order to, on the