The European Cyber Resilience Act in the shadow of the AI Act


In the midst of the much-publicised passage of the AI Act, another crucial but less publicised event unfolded. The European Cyber Resilience Act, more commonly referred to as the “CRA”, was recently voted by the European Parliament. This blog explains why the CRA is expected to have a very significant impact on many organisations.

What is the scope of the CRA?

The European Commission intends the Cyber Resilience Act to establish a baseline for cybersecurity in products with digital elements, also known as “PDEs”. The CRA takes a methodology that is already familiar from other product regulation, such as the Radio Equipment Directive (RED) and the Medical Device Regulation (MDR), but also the recently voted AI Act: the legislation sets out essential requirements, requires organisations to perform conformity assessments against those requirements, and requires them to put in place processes and procedures for handling vulnerabilities and compliance issues.

The CRA has a horizontal approach, meaning that it applies irrespective of the product and the sector in which the product with digital elements (“PDE”) will be used. That said, certain PDEs which are already governed by other European rules are (partially) excluded from the scope of the CRA.

As the CRA is intended to be the baseline for cybersecurity, it is expected to have a very significant impact across almost all industries and sectors. So, while it seems that currently the AI Act is stealing the entire show, the CRA will probably have a more immediate impact on many organisations than the AI Act.

Categories of products with digital elements

The CRA covers a wide range of products, as PDEs are defined to include both hardware and software, and it divides products into four categories:

  1. General products with digital elements, acting as a residual category (i.e. products not falling into any other category).
  2. Important products with digital elements of class I, which includes standalone browsers, password managers, VPNs, etc.
  3. Important products with digital elements of class II, which includes firewalls, tamper resistant micro-processors, etc.
  4. Critical products with digital elements, covering products of a more specialised nature, such as smartcards, secure elements, hardware devices with security boxes, etc.

This tiering is reminiscent of the distinction between essential and important entities under the NIS2 Directive, although the NIS2 Directive categorises organisations rather than products.

When will the CRA’s provisions take effect?

The CRA was voted by the European Parliament on 12 March 2024. Hence, the CRA is now entering its final legislative phase. If, as expected, the Council adopts the CRA in April, it will be published in the Official Journal of the European Union and enter into force twenty days later. This means that the CRA is likely to enter into force in May or June 2024.

The CRA’s provisions will take effect 36 months after the CRA’s entry into force. However, there are two exceptions:

  • The reporting obligation for manufacturers of PDEs, which covers actively exploited vulnerabilities and severe incidents having an impact on the security of the PDE, will take effect 21 months after the CRA’s entry into force.
  • The provisions about conformity assessment bodies will take effect 18 months after the CRA’s entry into force.

Actions for organisations to take today to comply with the CRA

It is crucial for organisations to start preparing today, as compliance will inevitably take time.

Relevant actions that organisations could take should include the following:

  1. Assessing and categorising products and services (including software) as PDEs within the CRA’s scope of application. The extensive range of the CRA means many offerings could fall under its scope.
  2. Determining the CRA’s applicable requirements. Given the CRA’s broad scope, the compliance requirements will be interpreted and applied differently depending on the specific PDEs in question.
  3. Modifying PDEs to fulfil the identified requirements. This may necessitate significant adjustments, especially for products in advanced development stages or those already on the market.
  4. Compiling the documentation the CRA requires. This encompasses updates to technical files, revisions to legal documents, and the establishment of procedures for vulnerability management.
  5. Executing a conformity assessment, either internally or through a mandatory external party, depending on the PDE’s categorisation. Organisations that already have products regulated under other legislation may find this process more navigable.
  6. Implementing procedures to maintain compliance and to respond to changes and incidents, recognising that cybersecurity requirements will keep evolving, as this field is inherently dynamic.

For further insight, please consider reaching out to Pedro Demolder and Bernd Fiten.