Cyber Resilience Act: Provisional agreement between Council and Parliament, five-year update obligation and longer implementation period

After the European Commission presented an initial draft of the Cyber Resilience Act (CRA) last autumn ("Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020", we reported here and here), a provisional agreement has now also been reached between the Council and Parliament as part of the trilogue negotiations (Council press release of November 30, 2023). Although much of the content of the Commission's draft has been adopted, there are some changes, such as stricter requirements for particularly critical products. In addition, the new regulations are to be implemented three years after the regulation comes into force, rather than two as previously planned. Companies that are already dealing with the new cybersecurity requirements for products with digital elements will therefore still have enough time to implement them.

1. Background

The first draft of the CRA was presented by the EU Commission on September 15, 2022. It provides for comprehensive requirements for the cybersecurity of products with digital elements, which must be implemented by their manufacturers, importers and distributors.

Among other things, manufacturers of products with digital elements are to be obliged to take cyber security into account during the design and development of the products and to ensure it throughout the entire product life cycle. This means that products with known vulnerabilities must not be brought onto the market in the first place, and subsequent cyber risks and vulnerabilities must be identified through regular tests and rectified through security updates within a defined support period. If an incident nevertheless occurs that may have an impact on the security of the product, or if a vulnerability is exploited, this must be reported to the competent authority within a maximum of 24 hours. The authorities should also be informed of the measures taken to limit the security risk. Before placing their products on the market, manufacturers must also carry out a conformity assessment based on an internal control procedure, EU type approval or comprehensive quality assurance. For particularly critical products, a reliability test (Class I) or a test involving a competent third party (Class II) must also be carried out.

Importers of products with digital elements must check whether the manufacturer has carried out the conformity assessment and prepared the technical documentation. The product must also bear the CE marking and be accompanied by the necessary additional information and instructions for use. Distributors are also obliged to check that the product bears the CE marking and that the technical information and instructions of the EU Declaration of Conformity as well as the name and contact information of the importer are attached.

If the CRA requirements are not met, the national market surveillance authorities can impose corresponding requirements on the companies and prohibit the sale of the respective product. In addition, fines of up to 15 million euros or 2.5% of the previous year's global turnover can be imposed.

2. What has changed?

One of the most important changes in the current draft regulation concerns its scope of application. It still covers products with digital elements, i.e. both software and hardware that can be accessed via a product or a network, but not purely digital services such as SaaS or cloud services (e. g. smart kitchen appliances or speakers, mobile devices or wearables such as smartwatches). However, the definition of critical Class I and II products, which are subject to stricter conformity assessment involving third-party experts, has changed compared to the previous draft. These now exist if a product has a critical function for the cyber security of other products or has a function that entails a significant risk of negative effects on a large number of products or users. Details on the affected device classes and software have been included in the annexes to the CRA.

At the insistence of the European Parliament, Class I now also includes consumer products such as smart home systems, internet-connected toys and personal wearables. Operating systems for servers, desktops and mobile devices, routers or chip card readers, on the other hand, are no longer to be included, so that only a conformity assessment by the manufacturer itself is required for these (which is criticized by the TÜV association, for example). Class II is expected to include hypervisors and container runtime systems, firewalls, tamper-proof microprocessors and controllers. In addition, a list of critical products is to be introduced for which a cyber security certificate may be required. This is to include hardware devices, intelligent measuring devices and smartcards, for example.

Another important change concerns the period for which security updates must be provided. Although it remains the case that these must be provided for the entire expected service life of a product, it is now envisaged that this support will generally be provided for five years. A shorter update period is only provided for products that are expected to be used for a shorter period of time. Manufacturers must therefore prove that their products will be used for less than the standard period of five years in order to shorten their update and support obligations accordingly. This should mean that updates for the majority of products will be provided for five years in future. In addition, the security updates provided should be available for at least 10 years or until the end of the product's life cycle – whichever period ends later.

Reports of exploited vulnerabilities and security incidents are now to be made both to the national Computer Security Incident Response Teams (CSIRTs) and to the European Union Agency for Cybersecurity (ENISA). However, the member states do not want to strengthen ENISA's role too much, as cyber threats are a sensitive issue. As a result, manufacturers should be able to indicate themselves in the event of a notification if they see an imminent danger in passing on the data to ENISA.

In addition, the planned implementation period has been adjusted so that companies now have 36 months after the final version of the CRA comes into force to implement the strict requirements rather than just 24 months. However, only a transitional period of 21 months will apply to the reporting of security incidents and vulnerabilities.

Unlike many other EU regulations, no exemptions are planned for small and micro-enterprises (companies with up to 49 employees and an annual turnover or balance sheet total of no more than EUR 10 million). However, the latest draft provides for additional implementation support measures to be made available to them, such as special awareness-raising and training measures as well as support with testing and conformity assessment procedures. Companies that are eligible for such offers should definitely take advantage of them, as they could serve as proof of compliance with the requirements of the CRA in subsequent proceedings for possible infringements.

Finally, a compromise was also found with regard to the handling of open source software in digital products. Only software that was brought onto the market together with the products as part of commercial activities is to be covered. However, the involvement of commercial actors in the development of the software is not relevant. Also excluded are non-profit organizations that sell open source software on the market but reinvest all revenues in non-profit activities. In addition, exceptions are planned in particular for those actors that do not act as traditional software manufacturers but still provide support, for example in connection with documentation and dealing with security vulnerabilities.

3. Checklist

Manufacturers of products with digital elements still have three years after the CRA comes into force to implement the requirements. However, precautions should already be taken now in order to be able to technically implement the update obligation, for example. Affected companies should therefore start preparing for the new requirements of the CRA now:

• Identify existing and planned products with digital elements;
• Identify critical and important Class I and II products;
• Select one or more conformity assessment mechanisms and make any necessary preparations;
• Develop a procedure for the trustworthiness test (Class I) and have it assessed in good time by an expert third party (Class II);
• After receiving the EU Declaration of Conformity, affix the CE mark;
• Provision of information and recommendations for action on the cyber security of each product;
• Determine the life cycle of the product, taking into account the doubt rule that support must generally be provided for a period of 5 years;
• Develop test procedures for new and existing products to identify security vulnerabilities (product monitoring);
• Provide necessary security updates throughout the entire life cycle;
• Report exploited vulnerabilities and incidents that may have an impact on the security of the affected products to the responsible body (probably the national authorities) within 24 hours. At the same time, check and fulfill any other reporting obligations (e. g. according to Art. 33 GDPR).

4. Outlook

The full revised version of the CRA has not yet been published by Parliament and Council and technical work will continue over the next few weeks on the basis of the current provisional agreement. Only once this work has been completed will the full text be confirmed by the two institutions and then formally endorsed by Parliament and Council. There is no fixed timeframe for this yet, but the Commission expects it to enter into force in the first half of next year.

Once the law has been passed, it comes into force 20 days after its publication. The 36-month transition period then begins, by the end of which all CRA requirements must be implemented.