Published in the Official Journal of the European Union on November 20, 2024, the EU Cyber Resilience Act (the "CRA") aims to enhance protection for both consumers and businesses by addressing the rising cybersecurity threats faced within the European Union. In response to these growing risks, the CRA introduces a comprehensive framework for monitoring compliance, addressing non-compliance, and enforcing penalties for violations.
The CRA establishes uniform cybersecurity standards for the design, development, and production of hardware and software products with digital elements (the “PDEs”) placed on the EU market. A PDE is defined as a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
1. Background
The CRA was adopted to address the cybersecurity risks posed by PDEs that are placed on the European Union market and are designed to connect, directly or indirectly, to a device or network via a data connection as part of their normal operation or intended use. Such PDEs may include:
Hardware Products:
• Laptops and smartphones
• Sensors and cameras
• Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
Software Products:
• Operating systems
• Software that searches for, removes, or quarantines malicious software
• Video-editing tools
These products, when not properly secured, pose significant risks to users and businesses alike. Here are some examples of cyberattacks that have compromised the security of PDEs in the past:
• Pegasus spyware, which exploited vulnerabilities in mobile phones, allowing unauthorized access to sensitive data;
• WannaCry ransomware, which took advantage of a Windows vulnerability, affecting computers across 150 countries and causing widespread disruption;
• Kaseya VSA supply chain attack, which used network management software to compromise over 1,000 companies, disrupting critical IT infrastructure.
2. Key Provisions
2.1. Scope of the CRA
The CRA applies to PDEs that are placed on the EU market and are designed to connect, directly or indirectly, to a device or network via a data connection as part of their normal operation or intended use.
However, the CRA does not apply, or applies only in a limited way, in cases such as:
• Products with digital elements developed or modified exclusively for national security or defense purposes, or those designed specifically for processing classified information; or
• Products and/or sectors that are already sufficiently regulated under existing legislation.
2.2. Cybersecurity requirements for economic operators
The CRA introduces cybersecurity requirements for economic operators, which are defined as the manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with the CRA.
Examples of manufacturers’ responsibilities:
• Ensure that their PDEs meet the essential cybersecurity requirements (please see Section 2.3 below) before being placed on the market;
• Document relevant cybersecurity risks of their PDEs;
• Ensure that components sourced from third parties do not undermine the cybersecurity of the final product. Due diligence is required when integrating these components.
Examples of importers’ responsibilities:
Before placing a product with digital elements on the market, importers shall ensure that:
• the appropriate conformity assessment procedures have been carried out by the manufacturer;
• the PDE bears the CE marking and is accompanied by the EU declaration of conformity referred to in the CRA and the information and instructions to the user as set out in the CRA in a language which can be easily understood by users and market surveillance authorities.
Examples of distributors’ responsibilities:
• Verify that products with digital elements bear the CE marking and that manufacturers and importers have met their regulatory obligations before distributing the products;
• Ensure that any PDEs they place on the market, which do not comply with the CRA, are either corrected, withdrawn, or recalled, as necessary;
• Upon request from market surveillance authorities, provide the necessary documentation to demonstrate that their products comply with the CRA.
2.3. Essential Cybersecurity Requirements
The CRA imposes essential cybersecurity requirements for PDEs, including:
• Ensuring that vulnerabilities can be addressed through timely security updates;
• Ensuring products are made available on the market without known exploitable vulnerabilities;
• Implementing robust mechanisms to prevent unauthorized access, such as authentication, identity management, and access control systems, and ensuring reporting of any unauthorized access;
• Protecting the confidentiality of personal and other sensitive data during storage, transmission, or processing;
• Providing mechanisms to record and monitor internal activities, such as access or modifications to data, services, or functions, with an option for users to opt-out;
• Allowing users to securely and permanently remove all data and settings from the product, and ensuring that data transfer to other systems or products is done securely, if applicable.
2.4. Conformity assessment
The manufacturer shall perform a conformity assessment of the PDE and of the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in the CRA are met. The assessment criteria vary based on the risk level of the PDE, with stricter requirements for important or critical PDEs.
3. Sanctions
Each Member State shall designate one or more market surveillance authorities for the purpose of ensuring the effective implementation of the CRA.
Penalties for non-compliance are significant, including administrative fines of up to EUR 15,000,000 or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
4. Effects and Implementation
The CRA entered into force on December 10, 2024, marking a significant shift toward stronger cybersecurity standards across the EU. Businesses and manufacturers will need to align their processes with the new regulation to ensure they meet the required compliance standards and avoid potential penalties. The CRA will apply from 11 December 2027, except for some provisions that will apply from June 2026.
***
If you are interested in receiving further information on this topic, please do not hesitate to contact us. You can also find this legal update in the News section of our website: www.leroylaw.ro.