On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:
- the planning, design, development, production, delivery and maintenance of PDEs;
- the prevention and handling of cyber vulnerabilities; and
- the provision of cybersecurity information to users of PDEs.
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.
The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.
The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.