Horizontal cybersecurity requirements for products with digital elements

In “A Europe Fit for the Digital Age”


On 15 September 2022 the Commission presented a legislative proposal for the EU Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. The proposal covers a broad range of products: it would include all products that are connected, directly or indirectly, to another device or network, including hardware, software and ancillary services, and it would oblige manufacturers, importers and distributors of these products to exercise a duty of care across the whole life cycle of the product.

The proposal aims to ensure better protection for consumers by increasing the responsibility of manufacturers: obliging them to provide security support and software updates that address identified vulnerabilities, and to provide consumers with information about the cybersecurity of the products they buy and use. The act would provide a single set of cybersecurity rules for companies in the EU. It is expected to reduce the number of cybersecurity incidents, increase transparency and consumer trust in products with digital elements, and guarantee better protection of consumers' data and privacy.

The proposed measures are based on the New Legislative Framework for EU product legislation and define:

  • rules for placing products with digital elements on the market through a conformity assessment process (self-assessment or third-party conformity assessment, depending on the category of the product) to demonstrate fulfilment of specific cybersecurity requirements, resulting in the affixing of the CE marking;
  • requirements for the design, development and production of such products, together with the obligations of economic operators in this respect, and the processes that manufacturers must put in place, including reporting obligations, to ensure cybersecurity throughout the life cycle of such products;
  • rules on market surveillance and enforcement, which would be performed through appointed market surveillance authorities.

In the Parliament, the file has been provisionally assigned to the Committee on Industry, Research and Energy (ITRE). The Committees on Internal Market and Consumer Protection (IMCO) and on Civil Liberties, Justice and Home Affairs (LIBE) have been asked for their opinions.

In the Council, a progress report was presented by the Czech Presidency to the Transport, Telecommunications and Energy Council meeting on 6 December. The Council welcomed the proposal but expressed a need to clarify its scope, making it explicit whether software as a service is covered or not. It proposed excluding products exclusively intended for military purposes from the scope of the proposal, and expressed a need to clarify interactions with other legislative acts, namely the Directive on the Security of Network and Information Systems (NIS2) and the Cybersecurity Act (CSA). It also expressed a need to evaluate the burden the proposal would place on industry, in particular on SMEs, and to elaborate on the role of the European Union Agency for Cybersecurity (ENISA).

The European Economic and Social Committee (EESC) adopted its opinion on the Cyber Resilience Act on 14 December 2022.

Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu

As of 20/02/2023.