EU Enacts Broad Cybersecurity Requirements for Hardware and Software Products

The EU Cyber Resilience Act ("CRA") is a first-of-its-kind law that imposes a wide range of cybersecurity requirements on economic operators providing hardware and software products with digital elements placed on the EU market.

With the exception of provisions regarding high-risk suppliers of products, the content, scope, and obligations of the CRA have not changed much since the European Commission (the "Commission") published the Proposed CRA on September 15, 2022 (see our previous Jones Day Alert in this regard).

With the goal to strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software, and making the EU a safer and more resilient place, the CRA:

Imposes five major categories of obligations on manufacturers. These obligations include conformity assessments, product documentation, customer support, cybersecurity risk assessment, and vulnerability reporting. Amongst others, manufacturers will be required to disclose to the European Union Agency for Cybersecurity ("ENISA") "any actively exploited vulnerability" within 24 hours of its detection. Furthermore, products that meet the regulatory conformity assessment will be required to affix a "CE" marking.

Imposes obligations on importers and distributors. Importers are, for example, required to ensure that manufacturers have met their obligations, such as that all essential requirements are met and that the appropriate conformity assessment has been carried out. Moreover, distributors are obliged to ensure that the product bears a CE marking, and that the manufacturer has complied with certain obligations.

Classifies products with digital components into three distinct categories: "Default," "important," and "critical" products, whereby important products are further categorized into Class I and Class II products. The categorization aims to adapt security measures based on the level of risk and potential impact each product category presents. 

• "Default" products are products without critical cybersecurity vulnerabilities (e.g., smart toys, TVs, or fridges). According to the Commission, this category will cover 90% of connected devices. Manufacturers of products not classified as critical products or important products (Class II) can self-assess their compliance with the CRA's requirements. 
• "Important" products (Class I) (e.g., browsers, password managers, antiviruses, firewalls, VPNs) must adhere to harmonized standards, common specifications or European cybersecurity certification schemes, or be subject to a third-party assessment of their compliance with the CRA.
• "Critical" products and "important" products (Class II) (e.g., general-purpose microprocessors or certain kinds of firewalls) have to prove compliance to the CRA requirements via a third-party assessment.

Exempts in part or in whole certain connected devices covered by sectoral legislation. The exemptions apply to certain products such as cars, medical devices, in vitro products, and certified aeronautical equipment.

Obliges member states to put in place market surveillance bodies. The penalties for non-complying with the requirements of the CRA may amount to €15 million or 2.5% of the global annual turnover.

Complements the existing EU cybersecurity frameworks such as the NIS 2 Directive. While the NIS 2 Directive focuses on the security and resilience of networks and systems used by entities that provide essential or important services, the CRA focuses on the security and certification of products with digital elements placed on the market.

Following adoption, the CRA will be signed by the presidents of the Council and the European Parliament and published in the EU's official journal in the coming weeks. The new regulation will enter into force 20 days after this publication and will apply 36 months after its entry into force, with some provisions to apply at an earlier stage. Companies in scope of the CRA are advised to begin preparing for the far-reaching legislative changes it will bring sooner rather than later.