
European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?

On 15 September, the European Commission published its proposal for a Cyber Resilience Act (CRA), which aims to set common cybersecurity standards for connected devices and services. The European Union has long been taking action against cybercrime. Following its path to the digital decade, which is meant to deliver the EU’s digital transformation by 2030, this regulation seeks to protect consumers and the market from cyber incidents. The CRA is part of a broader package of rules intended to embed digital security in Europe, alongside two earlier instruments: the Directive on security of network and information systems (NIS), which aims to improve Member States’ cybersecurity capabilities and encourages information sharing, and the Cybersecurity Act, which entered into force in 2021 and defines the tasks of the European cyber watchdog, ENISA.

With this blog post, Dr2 Consultants is happy to provide an overview of the main implications and opportunities for European businesses, focusing on: 

  • The objectives of the legislation. 
  • The implications for providers of digital products and connected services. 

Read our summary below; if you want an in-depth view of the content of the proposal, you can check our detailed analysis here.

What’s the objective of the European Cyber Resilience Act?

As economic sectors have become more dependent on digital technologies to run their businesses, the opportunities that digital connectivity brings also expose economies to cyber threats. The number, complexity, scale, and impact of cybersecurity events are growing as well. When everything is connected, a single cybersecurity incident can affect an entire system, disrupting many economic and social activities. The Cyber Resilience Act introduces rules to protect digital products that are not covered by any previous regulation. This would make it the first Internet of Things (IoT) legislation in the world.

First announced by European Commission President Ursula von der Leyen in her State of the Union Address in September 2021, the Cyber Resilience Act seeks to establish common cybersecurity rules for digital products and associated services placed on the EU market. Von der Leyen emphasized the growing importance of cybersecurity and called on Europe to address cyber threats properly and to become a leader in cyber defence. “With the economy and society relying more and more on digital solutions, it is crucial to ensure that we can defend ourselves in a world increasingly prone to the hacking of connected products and associated services”, she stated. Commissioner for the Internal Market Thierry Breton also set out his expectations for the initiative: he wished to increase Europe’s cyber defence capabilities by including defence requirements in the legislation.

What implications will the European Cyber Resilience Act have for your business?

Dr2 Consultants has identified a number of essential requirements for hardware manufacturers, software developers, distributors and importers who place digital products or services on the EU market. The proposed requirements include: an ‘appropriate’ level of cybersecurity, a prohibition on selling products with any known vulnerability, a secure-by-default configuration, protection from unauthorised access, limitation of attack surfaces, and minimisation of incident impact.


Furthermore, two categories for critical products are listed: 

  1. The first category includes browsers, password managers, antivirus software, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers, and chips used by entities falling under NIS2. It also includes all operating systems, microprocessors and industrial IoT not covered by class II.
  2. The second category includes higher-risk products such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robotic sensors, smart meters, and all IoT devices, routers and firewalls for industrial use.

The main difference between the two categories is the compliance process. In addition, the Commission asks manufacturers to perform regular tests to identify vulnerabilities in their products. Lastly, Member States would also have to put in place market surveillance bodies. Penalties for non-compliance with the requirements can amount to €15 million or 2.5% of annual turnover.

Stakeholder reactions

In H1 2022, the Commission launched a public consultation and call for evidence on the Cyber Resilience Act, which was open until 25 May 2022. The first overall reactions from industry and other stakeholders to the initiative were positive. Consumers expect the products they purchase to be safe and secure; greater awareness of the importance of security requirements in products should therefore lead customers to consider key security criteria when making purchasing decisions.

However, to avoid confusion, industry also warned that the legislation should include clear definitions, taking into account differences in the development, functionality, and use of digital products. Several sectors also ask the Commission to consider existing vertical legislation for specific sectors and/or product groups. Adding essential cybersecurity requirements risks excluding SMEs from the market. Businesses also need to know exactly which technical specifications they must comply with to meet their CRA obligations. App developers, for instance, warn of the extra costs of maintaining a cyber-resilient environment for the benefit of consumers, and would prefer guidelines or recommendations instead.

Next steps

A new call for feedback on the proposed legislation is open until 15 November. In the meantime, it is not yet known which European Parliament committee will lead this file, but either the Internal Market and Consumer Protection Committee (IMCO) or the Industry, Research and Energy Committee (ITRE) is expected to be asked to take the lead. In the Council of the EU, ministers will meet to discuss the file for the first time on 6 December.

Dr2 Consultants will follow the legislative developments very closely. Thanks to its expertise and wide range of clients in the digital sector, Dr2 Consultants is well placed to assist your company in identifying the impact of the Cyber Resilience Act and in leveraging the opportunities it offers.

Would you like to know more about how your organization can make the most out of this regulation? Subscribe to Dr2 Consultants’ newly launched service for EU data-related policies or get in touch with our Managing Partner Jasper Nagtegaal.