Cyber Resilience Act (CRA): taking cybersecurity to a higher level in the EU

by Maria Alexandra Enescu - Data Protection Consultant
by Domenico Orlando - Compliance Consultant

Last September, the European Commission proposed a new Regulation that sets out a number of cybersecurity-related requirements for products with ‘digital elements’. Known as the Cyber Resilience Act (CRA), the general aim of this new EU Regulation is, as its name already suggests, to strengthen the Union’s cybersecurity resilience. While it is currently going through the EU legislative process, let’s have a quick look at the proposed new legislation and what it entails and requires exactly.

One word that keeps popping up in the brochure accompanying this year’s State of the Union address by Ursula von der Leyen is ‘resilience’. In the letter of intent included in that brochure, the EU Commission President writes that “Europe has shown in the last year that it is a geopolitical Union – and we must continue to show leadership, working with our partners across the world. This also includes strengthening our resilience and security by strengthening our cybersecurity.”

Common cybersecurity rules

First officially announced in last year’s State of the Union Address, the Cyber Resilience Act is designed to do just that: strengthen the EU’s cybersecurity. And it aims to do so by establishing common cybersecurity rules for digital products and associated services that are placed and traded in the EU’s common market. The new Regulation applies more specifically to “products with digital elements that can be used to connect to a device or network”, including hardware and software.

Although an increasing amount of hardware and software is successfully being targeted by cyberattacks, bringing the annual worldwide cost of cybercrime up to EUR 5.5 trillion in 2021, the cybersecurity of most “products with digital elements” is currently not covered by any particular EU legislation. To address and remedy that shortcoming, the European Commission has now published the Cyber Resilience Act. On top of its general aim of strengthening the EU’s cybersecurity, the specific key objectives of this new Regulation are:

  • to ensure a high level of cybersecurity of digital products throughout their life-cycle;
  • to increase the transparency of cybersecurity features for better consumer awareness and trust in the digital single market;
  • to boost the competitiveness of the internal market by turning cyber resilience into a competitive advantage.

What’s in a name?

The Cyber Resilience Act defines “products with digital elements that can be used to connect to a device or network” as any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. Some products are not covered by the CRA, even though they may contain digital elements, as they are covered by existing rules:

  • medical devices for human use and accessories for such devices, which are covered by the Medical Devices Regulation (MDR);
  • in vitro diagnostic medical devices for human use and accessories for such devices, which are covered by the In Vitro Diagnostic Medical Devices Regulation (IVDR);
  • motor vehicles and their trailers, and systems, components, and separate technical units, which are covered by a dedicated EU Regulation;
  • civil aviation aircraft and their equipment, which are covered by the Civil Aviation Regulation establishing EASA;
  • products developed exclusively for national security or military purposes or to process classified information, which are governed by national rules.

Critical products: two categories

The Cyber Resilience Act further distinguishes between regular and critical products with digital elements. Since critical products are subject to higher cybersecurity risks, they will have to follow specific conformity assessment procedures.

Critical products are divided into two categories or classes. The first category, or class I, represents 10% of products on the market. It includes identity management systems, browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, and chips used for essential entities falling under the NIS2 Directive. Moreover, it also includes all operating systems, microprocessors, and industrial IoT not covered in class II.

The second category, or class II, includes higher-risk products such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robotic sensors, smart meters, and all IoT, routers, and firewalls for industrial use, which is considered a “sensitive environment”.

In my next blog post, we will take a closer look at the key requirements for products with digital elements. We will also look into the obligations and penalties for the so-called economic operators (manufacturers, importers, distributors…).

Meanwhile, if you have questions or wish to discuss this new EU legislation in more detail, do not hesitate to contact us or my colleagues.