The new EU regulation complementing the cyber security regulatory framework, the Cyber Resilience Act (EU) 2024/2847 ("CRA"), has been adopted and published in the Official Journal of the EU. The CRA aims to improve the cyber security of connected products on the EU market. It will have significant implications for manufacturers, importers and distributors of products with digital elements across the EU.
The CRA applies broadly to software and hardware products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect data connection to another device or network. It encompasses a wide range of products, from consumer IoT devices to software used in industrial systems. Certain products already governed by sector-specific EU rules, such as medical devices, are excluded from its scope.
The new cyber security requirements are imposed on (i) manufacturers that design and produce products within the scope of the CRA, (ii) importers that bring such products onto the EU market, and (iii) distributors involved in their distribution.
The CRA entered into force on 10 December 2024. As a main rule, its obligations apply after a transitional period, from 11 December 2027; the reporting obligations for manufacturers apply earlier, from 11 September 2026.
Key cyber security requirements
Several critical requirements are imposed under the CRA to ensure that products with digital elements meet the cyber security standards it sets:
- Cyber security requirements relating to the properties of products: The manufacturer shall ensure that the product has been designed, developed and produced in accordance with the essential cyber security requirements set out in the CRA. Cyber security must be integrated into the design and development process of the product. This involves conducting a cyber security risk assessment and implementing appropriate security measures to mitigate the identified risks. In addition, detailed documentation obligations, including the technical documentation of the product, must be complied with.
- Conformity requirements: Before placing the product on the market, the manufacturer must carry out a conformity assessment procedure and affix the CE marking to the product.
- Vulnerability handling requirements: Products must continue to meet the cyber security requirements after they have been placed on the market. Mechanisms must be established to identify and address product vulnerabilities throughout the product's support period, including the provision of timely security updates and patches to mitigate post-market cyber security threats.
- Reporting obligations: The manufacturer must report actively exploited vulnerabilities contained in the product as well as severe incidents having an impact on the security of the product to the national CSIRT designated as coordinator and to the EU Agency for Cybersecurity (ENISA). Such reporting must comply with the strict deadlines set out in the CRA. An early warning must be made within 24 hours of becoming aware of the vulnerability or incident, and a vulnerability or incident notification within 72 hours. For a vulnerability, a final report shall be given no later than 14 days after a corrective or mitigating measure is available; for an incident, a final report shall be given within one month after the submission of the incident notification.
Strengthening transparency
The CRA aims to create conditions allowing users of products with digital elements to take cyber security into account when selecting and using them. It empowers consumer and business users by providing them with transparent information about the cyber security properties of products, enabling them to make informed choices. Users will have access to detailed product information, including information on cyber security features, user instructions, the length of the support period and the manufacturer's vulnerability handling process.
Enforcement with severe penalties
Compliance with the regulation is reinforced by severe sanctions. Non-compliance with the essential cyber security requirements or the vulnerability handling obligations is subject to administrative fines of up to EUR 15 million or 2.5 % of the entity's total worldwide annual turnover for the preceding financial year, whichever is higher. The maximum level of the fine depends on the nature of the infringement; lower maximums apply to other obligations. The sanctions are imposed by the national market surveillance authorities.
According to the press release of the Finnish Ministry of Transport and Communications, the aim is to submit a draft proposal for the national complementary legislation for consultation in winter 2025 and to the Finnish Parliament in the autumn of 2025.
Going forward
The CRA complements the EU cyber security regulatory framework with product safety rules for connected products, with the aim of improving the level of cyber security of the products on the market. The expected positive impact of the CRA on the general level of cyber security is to be welcomed, but at the same time, its broad impact on market players must be recognised.
There is a substantial transitional period before the CRA becomes applicable on 11 December 2027 (with a few exceptions, notably the manufacturers' reporting obligations from 11 September 2026), but it will have a major impact, particularly on manufacturers of products with digital elements. Entities falling within its scope must review the cyber security measures currently associated with their products and ensure compliance with the CRA to avoid potential legal and financial repercussions. This entails updates to processes, product properties, product information and documentation. It is necessary to recognise these obligations across the supply chain and, where necessary, address them contractually.
We are happy to discuss the implications of the new requirements and keep you updated. For further information and advice, please contact the Head of our Data Protection & Cyber Security practice group, Jukka Lång.