The Cyber Resilience Act Proposal: New Horizontal Cybersecurity Requirements for Hardware and Software Products

Guest Author: Pier Giorgio Chiara

The EU Commission presented on 15 September 2022 a proposal for a regulation ‘on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020’, known as the Cyber Resilience Act (CRA).

The Act, building on the 2020 EU Cybersecurity Strategy for the digital decade, will bolster cybersecurity rules to ensure more secure hardware and software products across the single market. This proposed regulation aims at tackling two sets of issues: (1) a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (2) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In particular, having regard to the former, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity.

The CRA proposal, therefore, sets out four specific objectives with a view to addressing the abovementioned problems:

  • ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  • ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • enhance the transparency of security properties of products with digital elements;
  • enable businesses and consumers to use products with digital elements securely.

Accordingly, the CRA proposal horizontal scope applies to all “products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network” (Art. 2(1)). ‘Products with digital elements’ is then defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately” (Art. 3(1)).

The CRA would not apply to products with digital elements which already fall in scope of Regulation (EU) 2017/745 (Medical Devices Regulation); Regulation (EU) 2017/746 (Regulation on in vitro diagnostic medical devices); Regulation (EU) 2019/2144 (Automotive type-approval general regulation) nor would it apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139 (Common rules in civil aviation) (Art. 2). Also excluded from the scope of the CRA are those products with digital elements exclusively developed for national security, military purposes or specifically designed to process classified information (Art. 2(5)). 

In terms of the economic operators concerned by the CRA proposal, from manufacturers up to distributors and importers, as adequate for their responsibilities on the supply chain, a wide array of stakeholders will have to comply with the new set of rules. These rules pivot on the principles of the New Legislative Framework (NLF), which sets out essential requirements as a condition for the placement of certain products on the internal market and provides for conformity assessment, the process conducted by the manufacturer to demonstrate whether specified requirements relating to a product have been fulfilled.

An overview of how the EU cybersecurity regulatory landscape addressed the manifold challenges in securing the IoT before the CRA proposal can be found here:

A comment to the Cyber Resilience Act proposal is forthcoming in the next thematic edition of International Cybersecurity Law Review.

Leave a Reply

Your email address will not be published. Required fields are marked *