In September 2022, the EU Commission introduced a proposed regulation designed to regulate products in the EU market with a “digital element”.
Whilst the newly adopted and updated Network Information Security Directive (NIS 2) is intended to focus on a broader concept of critical infrastructure, and the Digital Operations Resilience Act (DORA) is intended to focus on financial institutions, the proposed Cyber Resilience Act (“CRA”) seeks to impose obligations on the connected hardware and software ecosystem. Essentially, the CRA seeks to implement a range of obligations on manufacturers, importers and distributors within the EU market.
1. Who is the CRA likely to impact?
The CRA applies to the entirety of a product’s supply chain and intends to encompass manufacturers, importers and distributors to enhance consumer trust and customer safety. The CRA introduces the concept of “products with digital elements” (“PDE”) and defines them as any software, hardware or device that processes data or connects to a network, including specific component parts. The Internet of Things (IoT) is clearly targeted. To fall within the scope of the CRA, those PDEs must also be “available” on the EU market.
The CRA does not apply to the following, as they are managed under separate legislation:
The full scope of the CRA’s application to software is unclear at this stage. Recent texts have indicated that the CRA may only apply to remote data processing solutions that support the functioning of a particular device or hardware. For example, an app developed to support the functionality of a smart product would fall within the scope of the CRA as it is most likely that it was developed by the product manufacturer.
For a sector specific comparison relating to smart medical devices, please see Global Authorities Ramp Up Medical Device Cybersecurity Expectations: What Medical Device Companies Need to Know.
2. What measures will manufacturers impacted by the CRA need to take?
3. What measures will importers and distributors have to take?
Distributors and importers are also within the scope of the CRA. Under the current proposal, they will be required to confirm that the manufacturer has completed the relevant certificate of conformity before the PDE is placed on the EU market. It is likely that the requirements will align with the current regime for the ‘CE’ marking.
In the event that a vulnerability is identified, importers and distributors will also be under an obligation to inform the manufacturer to allow them to deploy the relevant vulnerability management steps. In the event of a significant vulnerability, importers and distributors will also be required to inform relevant authorities.
4. What are the incident reporting requirements?
Manufacturers will be required to notify ENISA of a security event or vulnerability within 24 hours of becoming aware of the issue. ENISA will then take steps to engage with relevant CERT teams, Member States and wider market surveillance authorities.
5. What are the consequences of noncompliance?
The CRA will introduce a sanctions regime for non-compliance. The potential maximum fines for non-compliance could range from either (1) €5 million to €15 million; or (2) 1% to 2.5% of global annual turnover, whichever is greater. The CRA also categorises breaches as relating to:
Notably, where non-compliance with the CRA also involves a personal data breach arising from the same security event, it is not clear whether fines will additionally be imposed under the GDPR. If the event impacts service delivery relating to critical infrastructure, requirements under NIS2 may also be triggered.
6. Will the CRA impact organisations in the UK in the same manner as the EU?
As the CRA is a proposed EU Regulation, it will have direct effect once adopted by the European Parliament and Council. Unlike other EU cybersecurity legislation such as DORA and NIS2, the proposed regulation will not require implementation by each Member State. It is not clear whether these obligations will transfer to the UK; however, some requirements were introduced in May 2022 in the proposed Product Security and Telecommunications Infrastructure Bill.
As outlined above, the European Parliament and the Council will examine the proposed text, followed by institutional negotiations. Once adopted, Member States will have two years to adapt to the new requirements. Usually, it takes between 18 months and three years to work through the ordinary legislative procedure.
Orrick is advising global manufacturers and distributors on growing with cybersecurity in mind, day-to-day business functions, and preparing and responding to cybersecurity incidents around the globe. Contact one of the authors if you have questions.