Council of the European Union and Parliament Strike Deal on European Cyber Resilience Act

Author photo: Chantal Polsonetti
ByChantal Polsonetti
Category:
Acquisition or Partnership

The Council of the European Union (EU) presidency and European Parliament negotiators have reached a European Cyber Resilience Actprovisional agreement on proposed legislation regarding the European Cyber Reliance Act (CRA).  The CRA outlines security requirements for digital products to ensure that they are safe before they are placed on the market.  The underlying premise of the Act is that digital connected devices, including automation equipment, need a basic level of cybersecurity when sold in the EU to ensure that businesses and consumers are properly protected against cyber threats.

Main objectives of the new regulation

The new law introduces EU-wide cybersecurity requirements for the design, development, production and marketing of hardware and software products.  The regulation will apply to all products that are connected, either directly or indirectly, to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already established in existing EU rules, for example medical devices, aeronautical products, and cars.

The proposal aims to fill the gaps, clarify the links, and make the existing cybersecurity legislation more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.  The regulation is also intended to allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.

Main Thrust of the Commission Proposal Retained

The new provisional agreement maintains the general thrust of the Commission’s proposal, namely regarding:

  • Rules to rebalance responsibility for compliance towards manufacturers, who must meet certain obligations such as providing cybersecurity risk assessments, issuing declarations of conformity, and cooperating with the competent authorities.

  • Vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to those processes.

  • Measures to improve transparency on the security of hardware and software products for consumers and business users.

  • A market surveillance framework to enforce the rules.

Co-legislators’ Main Amendments

The co-legislators proposed various adjustments to parts of the Commission’s proposal, mainly regarding:

  1. The scope of the proposed legislation, with a simpler methodology for the classification of digital products to be covered by the new regulation.

  2. The determination of the expected product lifetime by manufacturers: while the principle remains that the support period for a digital product corresponds to its expected lifetime, a support period of at least five years is indicated, except for products which are expected to be in use for a shorter time period.

  3. The reporting obligations regarding actively exploited vulnerabilities and incidents: the competent national authorities will be the initial recipients of such reports but the role of the EU agency for cybersecurity (ENISA) is strengthened.

  4. The new rules will apply three years after the law enters into force, which should give manufacturers sufficient time to adapt to the new requirements.

  5. Additional support measures for small and micro enterprises have been agreed, including specific awareness-raising and training activities, as well as support for testing and conformity assessment procedures.

Next steps

Work will continue at the technical level in the coming weeks to finalize the details of the new regulation. The Spanish presidency will submit the compromise text to the member states’ representatives for endorsement once this work has been concluded.  The entire text will need to be confirmed by both institutions and undergo legal linguistic revision before formal adoption by the co-legislators.

Background

In its conclusions of 2 December 2020 on the cybersecurity of connected devices, the Council underlined the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity, and confidentiality, including specifying conditions for placement on the market.

First announced by Commission President von der Leyen in her State of the Union address in September 2021, the cyber resilience act was mentioned in the Council conclusions of 23 May 2022 on the development of the European Union’s cyber posture, which called upon the Commission to submit its proposal by the end of 2022.

On 15 September 2022, the Commission submitted the proposal for a cyber resilience act, which will complement the existing EU cybersecurity framework: the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the Union (NIS 2 directive), and the EU cybersecurity act.

Engage with ARC Advisory Group

Representative End User Clients
Representative Automation Clients
Representative Software Clients