The transformations brought by the digital era demand constant vigilance and adaptation to protect users. The new EU regulation, the Cyber Resilience Act (CRA), addresses two significant problems at once: first, the low level of cybersecurity built into many products, and the insufficient security updates provided for those products and their software; and second, the inability of consumers and businesses to clearly identify cyber-secure products or to configure them so that they are adequately protected against cyber risks. Through the CRA, the European Union (EU) is taking significant steps to strengthen cybersecurity, an initiative aimed at improving the protection of digital products against cyberattacks as the number of internet-connected devices continues to grow.
The new regulation is motivated by the absence of general cybersecurity requirements at the EU level for hardware and software, requirements that are not specific to particular products or sectors, as confirmed by Internal Market Commissioner Thierry Breton. Consequently, the CRA is designed to align with other European cybersecurity laws, such as the NIS2 Directive, the GDPR framework, the Radio Equipment Directive (RED), the Medical Devices Regulation, the In Vitro Diagnostic Devices Regulation, the General Vehicle Safety Regulation, the Common Aviation Rules Regulation, and the Machinery Regulation.
The CRA, currently under discussion in the European Parliament and the EU Council, aims to introduce horizontal cybersecurity requirements for products with digital elements. This initiative seeks to harmonize cybersecurity standards for bringing products and software with digital elements to market and to enhance resilience in the EU single market. The CRA sets cybersecurity requirements covering the stages of planning, design, development, and maintenance of these products, with specific obligations for each phase of the value chain, as well as the obligation to maintain a high level of attention and responsibility regarding security throughout the entire product lifecycle.
Upon adoption, compliant products will carry the CE Mark, indicating conformity and the freedom to be marketed within the internal market. This is intended to be the sole symbol guaranteeing that a digital product meets the regulatory cybersecurity requirements. Simply put, the “CE Mark” is the indicator by which a manufacturer asserts that a digital product, together with its associated processes, complies with the specified essential cybersecurity requirements as well as with the other harmonized EU regulations under which the mark may be applied.
The CRA’s main objectives are to ensure that digital products placed on the EU market are secure and to require manufacturers to take security into account throughout the product’s entire lifecycle. Under the new rules, all digital products that connect directly or indirectly to a network must comply with the CRA requirements. Furthermore, the regulation distinguishes two major categories of digital products according to their risk level: critical products, such as smart cards, and non-critical products, such as household appliances.
Manufacturers will also be required to test their products regularly, keep records of vulnerabilities, and remediate any security issues they identify. Failure to comply with the CRA rules could result in fines of up to 15 million euros or 2.5% of annual global turnover.
The Cyber Resilience Act introduces an ambitious and unified approach to digital product security, establishing a European standard that could also become a global benchmark. The proposal is still under discussion, with implementation scheduled over 36 months, giving businesses adequate time to bring their security systems into line with the regulation.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to discussing with you.
Mihaela Murariu – Attorney at Law