EU Cyber Resilience Act

Cybersecurity is once again headline news and continues to get attention from law makers as new laws pass with the hope of closing out cybersecurity vulnerabilities.  On 10 October 2024, the European Council adopted the EU Cyber Resilience Act (Regulation of The European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020).

The proposal for this Act was submitted on 15 September 2022, and complements the EU cybersecurity framework, which includes NIS2 (see our FAQs: The EU’s NIS2 Directive) and the EU Cybersecurity Act.

What is this about?

This Regulation is mainly concerned with “products with digital elements” (PDEs). PDEs are products that are connected to another device or network, directly and indirectly. Network connected devices are also commonly known as the Internet of Things, or “smart objects”.

These products cover an ever-widening range of products, such as facial recognition locks, smart refrigerators, fitness trackers, and industrial level smart machines in manufacturing. This regulation does not apply to those PDEs which are already subject to cyber security regulations: medical devices, aeronautical products, and cars.

What kind of products fall under scope?

The scope of this Regulation covers both software and hardware products. Most products will be categorised as “default” while an estimated 10% will be categorised as Class I or Class II “Critical”, which will have more stringent obligations.

Some examples of default products include:

• Photo editing tools
• Video games
• Smart home devices like speakers, TVs, and toys.

Examples of Class I critical products include:

• Password managers
• Remote access / sharing software
• Browsers

Examples of Class II critical products include:

• Operating systems
• Smartcards and smartcard readers
• Firewalls for industrial use
• Robot controllers
• Routers for industrial use.

What are the main obligations under this Regulation?  

This Regulation seeks to ensure that PDEs are more secure and introduces cybersecurity requirements for hardware and software products throughout their whole life cycle. In some respects, the new Regulation mirrors existing product safety obligations for non-digital products. The Act also aims to ensure that PDEs on the EU market will have fewer vulnerabilities. This Regulation also seeks to improve transparency and make it easier for consumers to identify hardware and software products with proper cybersecurity features.

Manufacturers’ obligations shall include:

• Meeting essential requirements before placing PDEs on the EU market.
• Undertaking cybersecurity risk assessments.
• Including risk assessments in some technical documentation.
• Due diligence obligations.
• Reporting vulnerabilities and incidents.
• Handling vulnerabilities in accordance with the essential requirements of the Act.
• Keeping appropriate policies and procedures on vulnerability disclosure policies and potential vulnerabilities.

Importers and distributors’ obligations will include:

• Ensuring the appropriate assessments, technical documentation and markings are in place before placing a product on the market.
• Ensuring that PDEs are accompanied by clear and easily understood instructions and information.
• Informing manufacturers or market authorities about vulnerabilities or non-compliance.
• Ensuring documents can be made available upon request.

What are the penalties for non-compliance?

For non-compliance with the essential cybersecurity requirements: administrative fines of up to €15 million, or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

For non-compliance with other obligations: €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

For suppling incorrect, incomplete, or misleading information to authorities in response to a request: €5 million, or 1% of total worldwide annual turnover for the preceding financial year, whichever higher.

When will this come into force?

Further details will be known when the Act is published in the Official Journal in the coming weeks.  Once published, the new regulation will enter into force twenty days after publication and apply 36 months after entry into force.

For more information, visit us at Governance & Compliance, or Contact Us for a consultation.