On 15 September 2022 the Commission presented a legislative proposal for the EU cyber- resilience act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. The proposal covers a broad range of devices -  products that are connected directly or indirectly to a device or network, including hardware, software and ancillary services. 

The proposal aims to ensure better protection for consumers through increasing the responsibility of manufacturers by obliging them to provide security support and software updates, and providing them with information about cybersecurity of products they buy and use. The act would provide a single set of rules for cybersecurity for companies in the EU. It would decrease the number of cybersecurity incidents and increase the transparency and trust of consumers and guarantee better protection of their data and privacy.

The proposed measures define:

• rules for placing on the market of products with digital elements through a process of conformity assessment (self-assessment or third party conformity assessment, depending on the category of the product) to demonstrate fulfilment of specific cybersecurity requirements, resulting in attribution of a CE marking
• requirement for the design, development and production of such products and obligations of economic operators, as well as processes put in place and reporting obligations for manufactures to ensure cybersecurity throughout the life cycle of such products, as well as obligation of economic operators in these processes
• rules on market surveillance and enforcement, which would be performed through appointed market surveillance authorities.

The European Economic and Social Committee (EESC) adopted their opinion on the CRA in December 2022.

In the Parliament, the file has been assigned to the Committee on Industry, Research and Energy (ITRE) and Nicola Danti (Renew, Italy) has been appointed as rapporteur. The Committees on Internal Market and Consumer Protection (IMCO) and on Civil Liberties, Justice and Home Affairs (LIBE) have been asked for their opinions. IMCO had exclusive competences on articles 7 and 9 and shared competences on articles 4, 8, 21, 22 and 25-40, and LIBE had shared competence on article 41(5). LIBE committee decided not to give an opinion.

The report was adopted by the ITRE Committee in July 2023. Committee amendments to the Commission proposal include inter-alia:

• Confirm the Commission's proposal to include all products with digital elements. The report underlines the importance to ensure that developers of open source software are excluded from the scope if they are not receiving financial returns for their projects. The report expands the list of critical products under class I, to include as well home automation systems and products that enhance private security (e.g. cameras or smart locks).
• Flexible duration for the expected product lifetime, which should be clearly stated, and obligation that manufacturers provide automatic security updates and to differentiate between security and functionality updates if feasible.
• Reporting should align with the directive on the security of network and information systems (NIS2), and make mandatory only reporting of significant incidents and actively exploited vulnerabilities, in a multi-step approach (24 hours, 72 hours, 1 month). The European Union Agency for Cybersecurity (ENISA) should become the one-stop entity for reporting, and should receive reinforcement to be able to fulfil additional tasks set-out in the regulation.  

In Council, Coreper reached a common position in July 2023. Council removed the notion of "critical" from products with digital elements  and deleted a substantial number of the products listed in the Annex III. Council introduced three categories of products, critical for essential entities as defined by the NIS2, that would fall under mandatory European cybersecurity certification. The Council moved the reporting from ENISA to the national Computer Security Incident Response Teams (CSIRTs) in a two-step process of an initial notification after 24 hours and a second one after 72 hours.

Parliament confirmed committee decision to enter into interinstitutional negotiations in September 2023.

The co-legislators met in trilogue negotiations on 27 September, 8 November 2023, and reached a provisional agreement on the text during the third trilogue on 30 November 2023.

The agreed text simplifies the methodology for the classification of digital products. MEPs secured an expansion of the list of covered devices with products such as identity management systems software, password managers, biometric readers, smart home assistants and private security cameras. The support period for manufacturers should be at least five years, with the differentiation between security (automatically installed) and functionality updates. As for the reporting, initial recipients will be competent national authorities, who will notify ENISA  to be able to assess the situation, and, if it estimates that the risk is systemic, inform other Member States so they are able to take the necessary steps. Application of the regulation is postponed to three years after it will enter in force to give manufacturers sufficient time to adapt. The negotiators agreed as well to add to the text support measures for small and micro enterprises, including specific awareness-raising, education and training programmes, collaboration initiatives, and strategies to enhance workforce mobility, as well as support for testing and conformity assessment procedures.

At the Council, the Coreper confirmed the agreement in December 2023. ITRE committee approved the provisional agreement at its meeting in January 2024. The text was approved by Parliament as a whole on 12 March 2024 with 517 votes in favour, 12 against and 78 abstentions. The text still needs to be formally adopted by the Council before it can enter into force.

References:

• EP Legislative Observatory, Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), 2022/0272(COD)  
• European Parliament legislative resolution of 12 March 2024 
• European Parliament, Cyber Resilience Act: agreement with Council to boost digital products’ security, Press release, 1 December 2023
• European Commission, Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
  
• European Commission, Annexes Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
• European Parliament, Committee on Industry, Research and Energy report on the proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, 26 July 2023
• European Commission, Cyber Resilience Act - Impact assessment, 15 September 2022
• Council, Progress Report on the proposal, 18 November 2022
• Council, Progress Report on the proposal, 12 May 2023
• Council, Mandate for negotiations with the European Parliament, 13 July 2023
• Council, Letter sent to the European Parliament with agreement on the compromise text, 20 December 2023
• European Economic and Social Committee, EESC Opinion: Cyber Resilience Act, 14 December 2022

Further reading:

• European Parliament, EU cyber-resilience act, Legislative briefing, EPRS, November 2023
• European Parliament, Strengthening cyber resilience, Initial Appraisal of a European Commission Impact Assessment, EPRS, December 2022

Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu