Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal (here), the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We’ll provide a more detailed summary of the agreed text once it is finalized and published but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.

The CRA will impose a range of obligations for manufacturers and importers of “products with digital elements” (“PDEs”) – a category which is defined broadly to that include both hardware and software products. The final text has not yet been published, but based on the draft text circulated before the agreement and related reporting, the obligations are set to include:

  • Designing PDEs to meet certain essential cybersecurity requirements through risk assessment and protection against known vulnerabilities.
  • Submitting PDEs to conformity assessments.
  • Notifying identified vulnerabilities (within 24 hours) to the relevant national cybersecurity authority, the entity that maintains the vulnerable PDE and, potentially, ENISA.
  • Notifying severe security incidents to ENISA, the relevant national cybersecurity authority, and users of the PDE.
  • Conducting due diligence on imported PDEs.

Although the CRA applies broadly to PDEs, it is focused particularly on certain “Important” or “Critical” PDEs. The final list of PDEs in these categories has not yet published, but it is likely to include items covering both software (such as antivirus software and VPNs), and connected devices such as “smart home” devices, connected toys, and wearables. As with most recent European technology regulation, the CRA will come with the threat of high penalties for non-compliance – up to €15 million or 2.5% of global turnover.

Certain details of the CRA were hotly debated between the EU institutions, particularly the vulnerability reporting obligations as well as the categories of PDEs considered “Important” or “Critical”. The vulnerability reporting obligations have been of particular interest to industry, with security experts roundly criticizing the proposed vulnerability disclosure framework as being out of step with international standards and likely to lead to increased, rather than decreased, cybersecurity risks. Nonetheless, we understand that these provisions have been retained and indeed extended in the agreed text, with multiple phased vulnerability disclosures likely being required.   

What happens next?

The agreement between the EU institutions paves the way for the CRA to make its way onto the EU’s statute books following formal approval, which should occur in early 2024. After this, obligations under the law will come into force over a phased transition period, with the vulnerability reporting obligations kicking in after 21 months (that is, in late 2025) and the remaining obligations after 3 years (that is, in early 2027).

The CRA is just one of many cybersecurity regulations currently being prepared in Brussels: a consultation on Cybersecurity Act standards for ICT services just wrapped up; discussions on the draft Cybersecurity Certification Scheme for Cloud Services are ongoing (see our blog here); the consultation for “Tranche 2” of Digital Operational Resilience Act (“DORA”) technical standards is expected in the coming months; and Member States are continuing to work to implement NIS 2 by the October 2024 deadline. All of this sets up 2024 to be yet another busy year for cybersecurity regulation in Europe.

***

Covington’s Privacy and Cybersecurity Practice regularly advises on cybersecurity laws in Europe and elsewhere. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Aleksander Aleksiev Aleksander Aleksiev

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and…

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and charitable organizations on a range of technology law issues including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific – particularly on Australian and Hong Kong law.