On 15 September 2022 the Commission presented a legislative proposal for the EU Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. The proposal covers a broad range of devices - it would include all products that are connected either directly or indirectly to another device or network, including hardware, software and applications and would impose obligations on manufacturers, importers, and distributors of these products to provide duty of care across their whole life cycle.

The proposal aims to ensure better protection for consumers through increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, and providing them with information about cybersecurity of products they buy and use. The act would provide a single set of rules for cybersecurity for companies in the EU, it would decrease the number of cybersecurity incidents and increase the transparency and trust of consumers in products with digital elements and guarantee better protection of their data and privacy.

The proposed measures are based on New Legislative Framework for EU product legislation and define:

• rules for placing on the market of products with digital elements through a process of conformity assessment (self-assessment or third party conformity assessment, depending on the criticality of the product) to demonstrate fulfillment of specific cybersecurity requirements, resulting in attribution of a CE marking;
• requirement for the design, development and production of such products and obligations of economic operators, as well as processes put in place and reporting obligations for manufactures to ensure cybersecurity throughout the life cycle of such products, as well as obligation of economic operators in these processes;
• rules on market surveillance and enforcement, which would be performed through appointed market surveillance authorities.

References:

• EP Legislative Observatory, Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), 2022/0272(COD)  
• European Commission, Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
  
• European Commission, Annexes Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act, COM(2022)454, 15 September 2022
• European Commission, Cyber Resilience Act - Impact assessment, 15 September 2022

Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu