Photo of Lucas Falco

Lucas Falco, a Belgian qualified lawyer, is an associate in the Public Policy Practice Group. Lucas advises clients on EU public policy strategy and regulatory law with a particular focus on food, drugs and devices, environment, international trade, data privacy, and gaming.

His experience covers representing multiple international clients, such as EU trade associations on multiple aspects of EU law (including representation before courts and strategic advice).

Lucas also worked with EU Member States on EU public policy, providing him with considerable knowledge and insights in various procedures at national and EU level, such as the notification Directive, implementation of EU law at the national level (including drafting of national implementation acts) and infringement proceedings.

Lucas has significant experience in advocacy strategy and regulatory advice.

His expertise encompasses a broad range of environmental issues (e.g., single-use plastics, waste, hand hygiene), food and beverages (labeling requirements, market access), drugs and devices (market access, IPR), gaming, and international trade and customs (TRQs).

On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:

  1. the planning, design, development, production, delivery and maintenance of PDEs;
  2. the prevention and handling of cyber vulnerabilities; and
  3. the provision of cybersecurity information to users of PDEs.

The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.

The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.

The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.

Continue Reading EU Publishes Draft Cyber Resilience Act