
Cyber Resilience Act - European Council gives green light

The consequences of the Cyber Resilience Act for companies and why they should not be underestimated.

The Council of the European Union adopted the Cyber Resilience Act (CRA) on October 10, 2024. Under the new CRA regulations, mandatory cybersecurity requirements will apply to all connected devices for the first time. These include app-controlled coffee machines, smart watches and smart baby monitors. Until now, such IT security requirements have only been in place for individual product categories. Companies should not underestimate the consequences.

This is where the Cyber Resilience Act comes in

The CRA stipulates that all connected products must bear the CE mark in future. The CE mark signals to the outside world that the connected product guarantees adequate protection against cyber risks. Consumers will be able to see at a glance that the product has also been tested in terms of cyber security.

"The aim is to avoid overlapping requirements due to different legislation in the EU Member States," the Council said in its communication.

The regulation applies to all products that are directly or indirectly connected to another device or a network. There are some exemptions for products for which cybersecurity requirements are already laid down in existing EU legislation, e.g. medical devices, aviation equipment and motor vehicles.

The new regulations place obligations on all economic operators involved: manufacturers, importers and distributors. In future, they must ensure that the products they place on the market meet the cyber security requirements and bear a CE mark. In addition, manufacturers will have to report actively exploited vulnerabilities and cyber incidents to a central reporting office and provide regular security updates.


These are the consequences of the Cyber Resilience Act for companies

  1. Stricter security requirements for products
    Companies that manufacture or sell products with digital components must ensure that their products meet the requirements of the CRA. This applies to both hardware and software.
    - Security-by-design approach: Products must be developed from the outset in such a way that security risks are minimized. This means that companies must invest more in research and development to ensure that security functions are integrated into the products.
    - Regular updates and maintenance: Manufacturers are obliged to provide security updates over a certain period of time to fix vulnerabilities. This can lead to higher costs and a longer responsibility for product maintenance.

  2. Increased liability and sanctions
    One of the most important effects of the Cyber Resilience Act is the introduction of stricter liability rules for manufacturers and providers. Companies that fail to meet the security requirements of the CRA will face significant penalties.
    - Fines: Companies that violate the regulations can be fined heavily. This is similar to the approach of the General Data Protection Regulation (GDPR), where violations can be punished with heavy fines.
    - Legal consequences for insecure products: If products cause damage due to cybersecurity flaws, companies can be held liable. This could lead to a wave of product liability lawsuits.

  3. Extended documentation obligations
    Companies must maintain extensive technical documentation and evidence of how they meet cybersecurity requirements. This documentation must be made available to the supervisory authorities.
    - Declarations of conformity: Companies must submit an EU declaration of conformity stating that the product meets the security standards.
    - Technical documentation: Companies are obliged to maintain technical documentation that demonstrates compliance with security requirements and risk mitigation measures.

  4. Impact on supply chains and third-party providers
    As companies increasingly rely on global supply chains and third-party providers, they must ensure that these partners also meet the requirements of the CRA.
    - Suppliers and service providers: Companies must ensure that all suppliers and service providers involved in the manufacture or provision of a product also comply with the security requirements.
    - Security risk management: Companies must implement a comprehensive security risk management system that also covers risks in the supply chain and with third-party providers.

  5. Product testing and certification
    The CRA is also expected to introduce requirements for the testing and certification of IT products. This means that companies will have to subject their products to independent security tests before launching them on the market.
    - Certifications: Companies may need to have their products certified to confirm that they meet the applicable security requirements. This can represent an additional financial burden, especially for smaller companies.
    - Third-party audits: In some cases, independent reviews and audits may be required to ensure compliance with CRA requirements.

  6. International effects
    Companies that sell their products internationally must ensure that they comply with CRA requirements not only within the EU, but also worldwide. This could lead to global companies adapting their cybersecurity standards to the strict EU regulations.
    - Global compliance: Organizations may need to rethink their global compliance strategies to ensure they meet both the CRA and other international cybersecurity requirements.

Cyber Resilience Act with a transitional period of three years

Once adopted by the European Council, the legal act will be signed by the President of the Council and the President of the European Parliament in the coming weeks and then published in the Official Journal of the EU. The new regulation will enter into force 20 days after this publication.

A transition period of three years is planned for the Cyber Resilience Act. By then at the latest, products sold on the market will have to meet the new cyber security requirements and document this with a CE mark. Other obligations under the CRA, such as the obligation for manufacturers to report knowledge of exploited IT vulnerabilities, will already apply in 21 months.

Summary: The Cyber Resilience Act will have a significant impact on businesses as it introduces stricter security requirements and higher liability obligations. While compliance with the CRA will involve costs and additional effort for many companies, the regulation also offers opportunities for companies that invest in cyber security and implement change early. In the long term, the CRA will help to make the European market for digital products safer and more resilient to cyber threats.

Source: Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act), October 10, 2024
