On September 15, 2022, the European Commission published a draft regulation that sets out cybersecurity requirements for “products with digital elements” (PDEs) placed on the EU market — the Cyber Resilience Act (CRA). The Commission has identified that cyberattacks are increasing in the EU, with an estimated global annual cost of €5.5 trillion. The CRA aims to strengthen the security of PDEs and imposes obligations that cover:

  1. the planning, design, development, production, delivery and maintenance of PDEs;
  2. the prevention and handling of cyber vulnerabilities; and
  3. the provision of cybersecurity information to users of PDEs.

The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts the security of a PDE to ENISA within 24 hours of becoming aware of it.

The obligations apply primarily to manufacturers of PDEs, which include entities that develop or manufacture PDEs as well as entities that outsource the design, development and manufacturing to a third party. Importers and distributors of PDEs also need to ensure that the products comply with CRA’s requirements.

The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter. Due to the cross-border dimension of cybersecurity incidents, the CRA applies to any PDEs that are placed on the EU market—regardless of where they are manufactured—and imposes new mandatory conformity assessment requirements. The proposed regulation will now undergo review and potential approval in the Council of the EU and the European Parliament. Its provisions would apply fully within two years after entry into force, potentially in late 2026. We set out more detail and commentary below based on our initial review of the proposal.

Coverage

Under the CRA, a “product with digital elements” is defined broadly as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.” The CRA excludes from its scope PDEs that have already been placed on the EU market, unless there have been “substantial modifications in their design or intended purpose.”

Specific rules apply to “critical” PDEs, which are listed in Annex III of the CRA (and can be amended by the Commission). These are divided into two groups based on the level of risk:

  • Class 1, which includes ID-management systems, VPNs, browsers, various network systems, mobile device management software, and update/patch management; and
  • Class 2, which includes operating systems for servers, desktops, and mobile devices; smartcards, smartcard readers and tokens; microprocessors; and IoT devices intended for the use by essential entities under the draft NIS2 Directive (e.g., energy, transport, banking, health, digital infrastructure, public administration and space sectors).

Out of scope

The CRA does not apply to cloud computing services such as Software-as-a-Service (SaaS), which are covered by the draft NIS2 Directive, or to products already regulated under EU laws that apply to medical devices, in vitro diagnostic medical devices, civil aviation, motor vehicles, and products developed exclusively for national security or military purposes.

The CRA also does not apply to free and open-source software developed or supplied outside the course of a commercial activity.

Interplay with other EU laws

Given the CRA’s broad scope, it includes various provisions on the interplay with multiple other EU laws, such as the GDPR, the Product Liability Directive, the Radio Equipment Directive (RED), the draft General Product Safety Regulation, the draft Machinery Regulation, the draft AI Act, the draft Regulation on the European Health Data Space, and the draft NIS2 Directive.

The CRA also envisages that compliance may be possible by adopting standards created under the RED Delegated Act and the Cybersecurity Act. For instance, the RED Delegated Act defines the scope of radio equipment subject to essential requirements on cybersecurity, data protection and protection against fraud (e.g., not harming the network or its functioning nor misusing it). In August 2022, the Commission adopted an Implementing Decision with a mandate to CEN-CENELEC to draft harmonized standards to show compliance with essential requirements under the RED.

Obligations

The CRA applies primarily to manufacturers, which are defined broadly as “any natural or legal person who develops or manufactures [PDEs] or has [PDEs] designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” Manufacturers are required to conduct mandatory security assessment requirements in relation to the design, development and production of PDEs; ensure that vulnerability-handling requirements are put in place; and provide necessary information to users. In particular, manufacturers are required to:

  • conduct a cybersecurity risk assessment of the PDEs and, based on that assessment, design, develop and produce the PDEs so that they ensure an appropriate level of cybersecurity and are delivered without any known exploitable vulnerability (in accordance with Annex I);
  • systematically document relevant cybersecurity aspects of the PED, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product;
  • draw up technical documentation (including the content of Annex V), carry out a conformity assessment (in accordance with Annex VI), maintain an EU declaration of conformity (in accordance with Annex IV), and affix CE marking;
  • maintain appropriate policies and procedures to process and remediate potential vulnerabilities in the product reported from internal or external sources;
  • provide a set of information and instructions (listed in Annex II) to users of PDEs to allow users to take cybersecurity into account when selecting and using such products;
  • report any actively exploited vulnerability—i.e., a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber-threat—contained in the PDE to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it; and
  • report any incident having impact on the security of the PDE to ENISA within 24 hours of becoming aware of it.

Importers must only place on the market PEDs that comply with the essential requirements set out under the law, and ensure that the manufacturer has carried out the appropriate conformity assessment procedures, drawn up the documentation, and that PEDs bear the CE marking and is accompanied by required information for users. Importers who identify a vulnerability in a PDE must inform the manufacturer without undue delay, and must inform immediately market surveillance authorities where a PDE presents a “significant cybersecurity risk.”

Enforcement

Under the CRA, market surveillance authorities (MSAs), to be designated or created in each EU Member State, have the primary responsibility for enforcement, including through coordinated sweeps of IoT products made available in the EU. The MSAs shall also cooperate with ENISA and the European Data Protection Board (EDPB).

Moreover, the European Commission can request that an MSA or ENISA evaluate a PDE’s compliance and order that the product be withdrawn or recalled from the market. This power reserved to the Commission is attracting some attention.

Penalties

Member States shall establish penalties applicable to infringements by economic operators, with limits set out in the CRA as follows:

  • Non-compliance with essential requirements set out in Annex I and obligations for manufactures shall be subject to administrative fines of up to €15 million or up to 2.5% of its global revenue, whichever is higher.
  • Non-compliance with other obligations under the CRA shall be subject to administrative fines of up to €10 million or up to 2% of global revenue, whichever is higher.

In case incorrect, incomplete or misleading information is supplied to notified bodies and market surveillance authorities in reply to a request, the offender shall be subjected to administrative fines of up to €5 million or up to 1% of global revenue, whichever is higher.

The most onerous obligations imposed on manufacturers and developers of PDEs include mandatory risk and conformity assessment requirements. Moreover, the CRA establishes obligatory notification requirements to the relevant conformity assessment bodies and a framework for market surveillance. Organizations are likely to incur additional compliance costs in order to adhere to these new obligations. In particular, software developers and hardware manufacturers will need to comply with the security requirements and the prescriptive documentation and reporting obligations imposed by the CRA.

Implications

Certain companies may feel comfortable with elements of the CRA that mirror existing good practices. However, many are likely to need to consider carefully requirements relating to conformity assessments depending on the nature of their products and how they are classified; technical documentation; and the need to have appropriate policies and procedures for handling cybersecurity vulnerabilities and incidents. In particular, the obligation to report an actively-exploited vulnerability in their product or an incident that impacts the security of their product adds to the growing burden on companies to notify different types of incident—including personal data breaches, cyber incidents, and sector-specific notification requirements—under EU and other law.

*                      *                      *

The Covington Team will continue to review and monitoring the progress of the CRA and is happy to assist with any potential inquiry.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Cándido García Molyneux Cándido García Molyneux

Cándido García Molyneux provides clients with regulatory, policy and strategic advice on EU environmental and product safety legislation. He helps clients influence EU legislation and guidance and comply with requirements in an efficient manner, representing them before the EU Courts and institutions.

Cándido…

Cándido García Molyneux provides clients with regulatory, policy and strategic advice on EU environmental and product safety legislation. He helps clients influence EU legislation and guidance and comply with requirements in an efficient manner, representing them before the EU Courts and institutions.

Cándido co-chairs the firm’s Environmental Practice Group.

Cándido has a deep knowledge of EU requirements on chemicals, circular economy and waste management, climate change, energy efficiency, renewable energies as well as their interrelationship with specific product categories and industries, such as electronics, cosmetics, healthcare products, and more general consumer products.

In addition, Cándido has particular expertise on EU institutional and trade law, and the import of food products into the EU. Cándido also regularly advises clients on Spanish food and drug law.

Cándido is described by Chambers Europe as being “creative and frighteningly smart.” His clients note that “he has a very measured, considered, deliberative manner,” and that “he has superb analytical and writing skills.”

Photo of Bart Szewczyk Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, economic sanctions and asset seizure, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well…

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, economic sanctions and asset seizure, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth.

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign Affairs, Foreign Policy, Harvard International Law Journal, Columbia Journal of European Law, American Journal of International Law, George Washington Law Review, Survival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.