Strengthening Resilience Against Cyber Threats: The Cyber Resilience Act

The rise of digitalization and technologies such as low-cost sensors, embedded systems, and software has fueled the development of the Internet of Things (“IoT”). Products with digital elements are now ubiquitous, ranging from household appliances to toys. To enhance the security of such products, the European Parliament approved the Cyber Resilience Act (“CRA”) on March 12, 2024, aiming to protect consumers and businesses from cyber incidents.

Following the Council's adoption on October 10, 2024, the CRA will be signed by the presidents of the Council and the European Parliament and published in the EU’s official journal. As an EU regulation, it will apply directly in all Member States. It will take effect 20 days after publication, with full application after 36 months, although some provisions will take effect earlier.

Background

Before the CRA, the EU had undertaken significant initiatives to strengthen cybersecurity. The EU Cybersecurity Strategy for the Digital Decade (“Strategy”) announced the CRA and complemented related legislation, particularly the Directive on Measures for a High Common Level of Cybersecurity Across the Union (“NIS2”).

1. Cybersecurity Strategy for the Digital Decade

Published on December 14, 2020, the Strategy set out to ensure that all internet-connected products are secure and resilient against cyber incidents. Key objectives include establishing ultra-secure communication networks based on quantum technology, creating a self-sufficient technology supply chain, and adopting IoT security standards. Other measures include the creation of a European Cyber Shield through Security Operations Centers and initiatives to boost cybersecurity education, supported by the European Union Agency for Cybersecurity (“ENISA”), established in 2004, which contributes to the EU's cybersecurity policy and develops certification schemes to increase trust in digital products and services. The approval of the CRA has further reinforced ENISA's activities.

2. NIS2 Directive

Effective from 2023, NIS2 updates earlier EU cybersecurity rules. It requires Member States to establish Computer Security Incident Response Teams and a Network and Information Systems (“NIS”) authority to enhance cybersecurity across the EU. It also establishes a Cooperation Group to strengthen cooperation among Member States, ensure strategic information sharing and promote a security culture in critical sectors such as energy, transport, banking, health and digital infrastructure. Unlike CRA, which focuses on products with digital elements, NIS2 addresses the broader operational resilience of network and information systems.

About the Cyber Resilience Act

The CRA aims to reduce vulnerabilities in products with digital elements, clarify manufacturers' responsibilities, increase users’ security awareness and harmonize cross-border security standards. It applies to most digital products, excluding certain categories such as medical devices and automobiles, which are governed by their own cybersecurity regulations.

Key Objectives:

• Introduce digital products with fewer vulnerabilities and ensure regular security updates.
• Enhance user access to cybersecurity features for safer usage.
• Establish EU-wide cybersecurity standards.
• Strengthen cross-border product security by clarifying supply chain requirements.

Scope and Application:

The CRA applies to all products directly or indirectly linked to a device or network, with limited exceptions. The CRA primarily addresses two key issues:

·         Inadequate cybersecurity in products and the lack of regular security updates,

·         Challenges for consumers in identifying safe products.

Additionally, the CRA mandates that manufacturers develop products with digital elements in compliance with the regulation’s cybersecurity standards. These products include, but are not limited to, user devices, operating systems, hardware components, IoT devices, identity management software, privileged access management software, standalone and embedded browsers, password managers, malware detection and removal software, and products with digital elements that function as virtual private networks (VPNs).

Although the CRA lacks explicit territorial scope provisions, its references to products "placed on the EU market" indicate its application to all products sold or used within the EU.

CRA and the AI Act

High-risk AI systems classified under the AI Act are subject to CRA cybersecurity requirements. Products meeting CRA standards are deemed compliant with corresponding AI Act provisions. This alignment ensures that products integrating high-risk AI systems satisfy both regulations.

Violations and Penalties

The CRA defines “economic operators” as manufacturers, importers, authorised representatives and distributors who are responsible for meeting compliance requirements. Member States must enforce penalties for violations, ensuring they are deterrent, effective, and proportionate. Fines include:

• €15 million or 2.5% of annual turnover for non-compliance with essential requirements.
• €10 million or 2% of annual turnover for other violations.
• €5 million or 1% of annual turnover for providing misleading, incorrect or incomplete information.

Administrative fines and corrective measures will be proportional to the operator’s size and market impact. In addition to fines, other corrective or restrictive actions may also be imposed.

The Importance of CRA

Cyberattacks can have severe consequences for businesses and individuals. The CRA addresses critical cybersecurity gaps, protecting companies from penalties and mitigating the risks of damaging cyber incidents. Examples of significant global cyberattacks include:

• Pegasus Spyware: Used to monitor activists, journalists, and human rights advocates.
• WannaCry Ransomware: A virus that encrypted files and spread across 99 countries.
• VSA Supply Chain Attack: Attackers exploited a vulnerability in a widely-used software platform, deploying ransomware across its clients' systems.

Conclusion

The CRA establishes comprehensive security obligations for economic operators, enhancing the safety of digital products, bolstering businesses’ resilience against cyber threats, and promoting compliance through deterrent penalties. By addressing vulnerabilities in digital products, the CRA marks a significant step toward a secure digital future.

References

Cyber Resilience Act. (2024, March 12). Retrieved from European Parliament: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

Cyber resilience act: Council adopts new law on security requirements for digital products. (2024, October 10). Retrieved from Council of the EU: https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/

Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive). (2023, September 14). Retrieved from European Commission: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

Directive on Measures for a High Common Level of Cybersecurity Across the Union. (2022). Retrieved from Eur-Lex: https://eur-lex.europa.eu/eli/dir/2022/2555

EU Cyber Resilience Act. (2024, July 8). Retrieved from European Commission: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

European Union Agency for Cybersecurity (ENISA). (n.d.). Retrieved from European Union: https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/search-all-eu-institutions-and-bodies/european-union-agency-cybersecurity-enisa_en

NIS Cooperation Group. (2024, September 19). Retrieved from European Commission: https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group

The EU’s Cybersecurity Strategy for the Digital Decade. (2020, December 14). Retrieved from European Commission.

The European Cyber Resilience Act (CRA). (n.d.). Retrieved from The European Cyber Resilience Act (CRA): https://www.european-cyber-resilience-act.com/