Draft EU Cyber Security Regulation

On 15.09.2022, the Commission published its proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, the “Cyber Resilience Act” (hereinafter “CRA-E”). As the first European legal act of its kind, it will introduce mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.
 

Scope of application

The proposed Regulation applies to all products that are either directly or indirectly connected to another device or network. According to Art. 3 (1) CRA-E, it covers hardware and software equally. However, products for which cybersecurity requirements are already laid down in existing EU legal acts, e.g. for medical devices, aviation or vehicles, are excluded from the scope of application.
 

Regulatory structure

As the draft cybersecurity regulation is based on the EU’s New Legislative Framework (NLF), it follows its basic regulatory structure.
 

Formal requirements

The formal requirements include, for example, the issuing of an EU declaration of conformity according to Art. 20 CRA-E and the affixing of the CE marking in the sense of Art. 22 CRA-E. As usual, the latter must be affixed primarily to the product itself or secondarily to the packaging. In the case of stand-alone software, the CE marking can also be affixed to the EU declaration of conformity or to a website accompanying the product.
 

Substantive requirements

Furthermore, the product must meet the basic cybersecurity requirements according to Art. 5 CRA-E in conjunction with Annex I of the CRA-E. Annex I of the CRA-E. According to Art. 18 CRA-E, it is presumed that the product meets the requirements if it complies with harmonised standards (so-called presumption of conformity).

According to Art. 24 CRA-E, the manufacturer himself usually carries out the conformity assessment procedure that is decisive for compliance with the material requirements. This is different for so-called critical products with digital elements within the meaning of Art. 6 CRA-E. A product falls under this category if its core function corresponds to one of the applications listed exhaustively in Annex III of the CRA-E, whereby a distinction is made between Class I and Class II products. In the case of Class I products, the manufacturer can demonstrate conformity by the full application of harmonised standards within the meaning of Art. 18 CRA-E, otherwise he must carry out one of the procedures listed in Art. 24 No. 2 CRA-E with the involvement of a notified body. In the case of Class II devices, on the other hand, a conformity assessment procedure involving a notified body is mandatory.
 

Duties of economic operators

In Art. 10 ff. CRA-E, obligations are addressed to manufacturers, authorised representatives, importers and distributors.
 

Manufacturer

The concept of manufacturer in Art. 3 (18) CRA-E corresponds to the usual understanding and also covers so-called quasi-manufacturers. According to Art. 16 CRA-E, in turn, the making of a substantial modification to a product with a digital element is also sufficient to be considered a manufacturer.

The manufacturer bears primary responsibility for product conformity. The expression of product responsibility are the classic pre-market and post-market obligations, which, however, partly differ from the existing harmonisation legislation of the Union:

• Information and instruction obligations with the minimum content of Annex II of the CRA-E.
• Product monitoring obligations, in particular regarding susceptibility to security vulnerabilities and the risks arising therefrom
• inspection obligations regarding purchased components
• proactive post-market obligations throughout the life of the product, but for a maximum of 5 years after market launch, such as software updates in the event of security vulnerabilities or corrective measures in the event of non-compliance
• Cooperation and notification obligations towards market surveillance authorities; specifically, a very short notification period of no more than 24 hours towards the European Union Agency for Cyber Security (ENISA) in case of discovery of actively exploited security vulnerabilities  

Importer and dealer

Importers and traders are initially subject to the usual testing and assurance obligations under the NLF. Among other things, they must check or ensure formal conformity. Furthermore, it is incumbent on them to take appropriate measures to ensure compliance if there are doubts about material conformity.
 

Relationship with other EU product legislation

As a horizontal legal act, the draft EU Cyber Security Regulation provides that it is to be applied in parallel with other harmonisation legislation. However, the relationship to three pieces of EU product legislation is explicitly regulated:

• according to Art. 7 CRA-E, Union harmonisation legislation and the EU Product Safety Regulation, which is still in draft form, take precedence over the CRA-E regarding product safety requirements.
• according to Art. 8 CRA-E, the cybersecurity requirements of Art. 15 AI Regulation are deemed to be met if the product is already compliant under the CRA-E
• with compliance with the requirements of the CRA-E, the requirements of No. 1.1.9 and 1.2.1 of Annex III of the EU Machinery Regulation are deemed to be fulfilled according to Art. 9 CRA-E 
   

Market surveillance

Art. 41 No. 1 CRA-E orders the application of Regulation (EU) 2019/1020 (so-called EU Market Surveillance Regulation) with regard to market surveillance. On this basis, the market surveillance authorities may, in the case of non-compliant products, require economic operators to take measures to end non-compliance and eliminate risks, prohibit or restrict the making available of a product on the market, and carry out recalls. In order to enforce these measures, the national transposition acts are to contain corresponding provisions on fines in accordance with Art. 53 (1) CRA-E.
 

Further course of proceedings and commencement of validity

The legislative process is still at the beginning. It will certainly take some time until the regulation is adopted, even though the EU has emphasised the importance of this legal act. The current feedback period on the draft still runs until at least 17.11.2022.

From the entry into force of the regulation, economic operators will have a transitional period of 24 months according to Art. 57 CRA-E. An exception to this is the reporting obligation for actively exploited security vulnerabilities, which will already have to be complied with after 12 months.
 

Conclusion

Overall, this is an ambitious draft with numerous points of reference to various regulatory areas. Due to the advancing digitalisation in almost all product areas, the majority of economic actors will be affected by the planned regulation. Despite the generous transitional period, economic actors should therefore already deal with the planned regulations now.
 

Further Information

Interested readers can read the proposal for a regulation on the pages of the EU Commission.