Pier Giorgio Chiara, who has in the past contributed to this blog on several occassions, has published a research article on the CRA Proposal in the International Cybersecurity Law Review ([2022] 225 – 272). His article outlines the content of the CRA Proposal and also addresses the interplay with the forthcoming NIS 2.0 Directive.
Abstract:
The EU Commission presented on 15 September 2022 the proposal for a ‘Regulation on horizontal cybersecurity requirements for products with digital elements amending Regulation (EU) 2019/1020’ (Cyber Resilience Act, CRA). This long-awaited piece of legislation would complement EU cybersecurity acquis by laying down horizontal cybersecurity requirements for all products with digital elements. This article sheds light on the ‘horizontal’ character of the CRA proposal by highlighting its main pillars. In particular, the contribution takes into account the new set of obligations placed on economic operators, the conformity assessment procedures as well as the market surveillance framework and the interplay with other legislative initiatives, both in the policy area and outside EU cybersecurity law. Against the backdrop of the sectoral regulatory approach adopted thus far by the Commission vis-à-vis cybersecurity requirements for products, horizontal intervention is needed to ensure legal certainty, avoiding duplicative obligations and further market fragmentation.