Horizontal cybersecurity requirements for products with digital elements
In “A Europe Fit for the Digital Age”
On 15 September 2022 the Commission presented a legislative proposal for the EU cyber-resilience act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. The proposal covers a broad range of devices: all products that are connected either directly or indirectly to another device or network, including hardware, software and ancillary services. It would impose obligations on manufacturers, importers and distributors of these products to exercise a duty of care across the products' whole life cycle.
The proposal aims to ensure better protection for consumers by increasing the responsibility of manufacturers: obliging them to provide security support and software updates to address identified vulnerabilities, and to provide consumers with information about the cybersecurity of the products they buy and use. The act would provide a single set of cybersecurity rules for companies in the EU. It would decrease the number of cybersecurity incidents, increase the transparency of products with digital elements and consumers' trust in them, and guarantee better protection of their data and privacy.
The proposed measures define:
- rules for placing products with digital elements on the market through a process of conformity assessment (self-assessment or third-party conformity assessment, depending on the category of the product) to demonstrate fulfilment of specific cybersecurity requirements, resulting in the affixing of a CE marking;
- requirements for the design, development and production of such products, the processes manufacturers must put in place and their reporting obligations to ensure cybersecurity throughout the life cycle of such products, as well as the obligations of economic operators in these processes;
- rules on market surveillance and enforcement, which would be performed through appointed market surveillance authorities.
The European Economic and Social Committee (EESC) adopted its opinion on the CRA on 14 December 2022.
In the Parliament, the file has been assigned to the Committee on Industry, Research and Energy (ITRE), and Nicola Danti (Renew, Italy) has been appointed as rapporteur. The Committees on Internal Market and Consumer Protection (IMCO) and on Civil Liberties, Justice and Home Affairs (LIBE) have been asked for their opinions. IMCO has exclusive competence on articles 7 and 9 and shared competence on articles 4, 8, 21, 22 and 25-40, and LIBE has shared competence on article 41(5). The LIBE committee decided not to give an opinion.
The report was adopted by the ITRE Committee on 19 July 2023, with 61 votes to 1 and 10 abstentions. Committee amendments to the Commission proposal include inter alia:
- The report confirms the Commission's proposal to include all products with digital elements. It underlines, however, the importance of ensuring that developers of open source software are excluded from the scope if they are not receiving any financial returns for their projects. The report expands the list of critical products under class I to also include home automation systems and products that enhance private security, such as cameras and smart locks.
- Flexible duration for the expected product lifetime, which should be clearly stated, and an obligation for manufacturers to provide automatic security updates and to differentiate between security and functionality updates where feasible.
- Reporting should align with the directive on the security of network and information systems (NIS2) to simplify the obligations for manufacturers, and only the reporting of significant incidents and actively exploited vulnerabilities should be mandatory, in a multi-step approach (24 hours, 72 hours, 1 month). The European Union Agency for Cybersecurity (ENISA) should become the one-stop entity for reporting, and should be reinforced to be able to fulfil the additional tasks set out in the regulation.
- Extension of the period before the regulation applies to 40 months. In this respect, micro, small and medium-sized enterprises should receive sufficient support to ensure their compliance. Harmonised standards, common specifications or European cybersecurity certification schemes should be in place six months before the conformity assessment procedure applies. The Commission should provide guidelines with more details on the implementation.
- The importance of cybersecurity professionals and a proposal to upskill and reskill workers to ensure their availability.
- To promote international trade, Mutual Recognition Agreements (MRAs) with third countries should be concluded to ensure the same level of protection as that provided by the CRA. As regards the monitoring of non-technical risk factors, ENISA and market surveillance authorities should perform the necessary checks on vendors that might present a higher risk profile.
In Council, Member States' representatives (Coreper) reached a common position on 19 July 2023, allowing the Council to enter into negotiations with the European Parliament. Council notably removed the notion of "critical" from products with digital elements and deleted a substantial number of the products listed in Annex III. Council introduced three categories of products, critical for essential entities as defined by NIS2, that would fall under mandatory European cybersecurity certification by means of a delegated act. The Council moved the reporting of cybersecurity incidents and actively exploitable vulnerabilities from ENISA to the national Computer Security Incident Response Teams (CSIRTs), in a two-step process of an initial notification after 24 hours and a second one after 72 hours. Council proposes to postpone the application of the regulation to 36 months.
Parliament confirmed the committee's decision to enter into interinstitutional negotiations on 13 September 2023.
The co-legislators met in trilogue negotiations on 27 September and 8 November 2023, with the next one planned for 30 November 2023.
References:
- EP Legislative Observatory, Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), 2022/0272(COD)
- European Commission, Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
- European Commission, Annexes Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
- European Parliament, Committee on Industry, Research and Energy report on the proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, 26 July 2023
- European Commission, Cyber Resilience Act - Impact assessment, 15 September 2022
- Council, Progress Report on the proposal, 18 November 2022
- Council, Progress Report on the proposal, 12 May 2023
- Council, Mandate for negotiations with the European Parliament, 13 July 2023
- European Economic and Social Committee, EESC Opinion: Cyber Resilience Act, 14 December 2022
Further reading:
- European Parliament, EU cyber-resilience act, legislative briefing, EPRS, November 2023
- European Parliament, Strengthening cyber resilience, Initial Appraisal of a European Commission Impact Assessment, EPRS, December 2022
Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu