
EU Enacts Broad Cybersecurity Requirements for Hardware and Software Products

In Short

The Law: On October 10, 2024, the EU Cyber Resilience Act ("CRA") was adopted by the Council of the European Union.

The Requirements: The CRA sets mandatory standards for the design, development, production, delivery, and maintenance of digital products placed on the EU market, to mitigate cyber threats.

Looking Ahead: The law will have broad application and carries with it significant penalties and consequences.

The EU Cyber Resilience Act ("CRA") is a first-of-its-kind law that imposes a wide range of cybersecurity requirements on economic operators providing hardware and software products with digital elements placed on the EU market.

With the exception of provisions regarding high-risk suppliers of products, the content, scope, and obligations of the CRA have not changed much since the European Commission (the "Commission") published the Proposed CRA on September 15, 2022 (see our previous Jones Day Alert in this regard).

With the goal of strengthening the cybersecurity of connected products, tackling vulnerabilities in hardware and software, and making the EU a safer and more resilient place, the CRA:

Imposes five major categories of obligations on manufacturers: conformity assessment, product documentation, customer support, cybersecurity risk assessment, and vulnerability handling and reporting. Among other things, manufacturers will be required to report "any actively exploited vulnerability" to ENISA (and to the CSIRT designated as coordinator in their member state) within 24 hours of becoming aware of it. This is an early-warning notification; a fuller vulnerability notification is due within 72 hours, and a final report once a corrective or mitigating measure is available. Products that pass the applicable conformity assessment must bear the "CE" marking.

Imposes obligations on importers and distributors. Importers must, for example, verify that the manufacturer has met its obligations, including that the essential requirements are satisfied and that the appropriate conformity assessment has been carried out. Distributors must verify that the product bears the CE marking and that the manufacturer and importer have complied with their respective obligations.

Classifies products with digital elements into three distinct categories, "default," "important," and "critical" products, with important products further divided into Class I and Class II. The categorization scales the required conformity assessment route to the level of risk and potential impact each product category presents.

  • "Default" products are those not listed as important or critical, i.e., products that do not carry the elevated cybersecurity risk attached to the other two categories (e.g., smart toys, TVs, or fridges). According to the Commission, this category will cover 90% of connected devices. Manufacturers of default products can self-assess their compliance with the CRA's requirements.
  • "Important" products (Class I) (e.g., browsers, password managers, antivirus software, VPNs) can be self-assessed only if the manufacturer fully applies harmonized standards, common specifications, or a European cybersecurity certification scheme; otherwise they must undergo a third-party assessment of their compliance with the CRA.
  • "Critical" products and "important" products (Class II) (e.g., firewalls, intrusion detection and prevention systems, hypervisors, or tamper-resistant microprocessors) must demonstrate compliance with the CRA requirements through a third-party conformity assessment.

Exempts in whole or in part certain connected products already covered by sectoral legislation, such as motor vehicles, medical devices, in vitro diagnostic medical devices, and certified aeronautical equipment.

Obliges member states to designate market surveillance authorities. Non-compliance with the CRA's essential requirements or with the manufacturer obligations may be fined up to €15 million or 2.5% of the offender's total worldwide annual turnover for the preceding financial year, whichever is higher.

Complements the existing EU cybersecurity frameworks such as the NIS 2 Directive. While the NIS 2 Directive focuses on the security and resilience of networks and systems used by entities that provide essential or important services, the CRA focuses on the security and certification of products with digital elements placed on the market.

Following adoption, the CRA will be signed by the presidents of the Council and the European Parliament and published in the Official Journal of the EU in the coming weeks. The regulation will enter into force 20 days after publication and will apply in full 36 months after its entry into force; the provisions on notified conformity assessment bodies apply after 18 months, and the manufacturers' vulnerability and incident reporting obligations after 21 months. Companies in scope of the CRA are advised to begin preparing for the far-reaching changes it will bring sooner rather than later.

Three Key Takeaways

1. The CRA imposes a wide range of cybersecurity requirements on economic operators providing hardware and software, so companies in scope should begin preparing for the sweeping legal changes sooner rather than later.

2. The CRA classifies products with digital elements into three distinct categories (default, important, and critical) and scales the required conformity assessment to the level of risk and potential impact each category presents.

3. Failure to comply could result in fines of up to €15 million or 2.5% of the offender's total worldwide annual turnover for the preceding financial year.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.