Cyber Resilience Act
The European Commission has adopted a proposal for a Cyber Resilience Act to impose specific cybersecurity requirements for products with digital elements – which will be relevant for those UK tech businesses doing business with Europe.
The proposed Cyber Resilience Act (CRA) will create a new legal framework for the development of secure products whereby products sold in the European single market will be required to meet essential cybersecurity requirements to make them less vulnerable.
It is proposed that manufacturers, importers and distributors should be subject to the new obligations, with manufacturers having greatest responsibility:
- Products will have to be designed and manufactured to ensure they meet essential cybersecurity standards.
- There will be a system of conformity assessments – to ensure that products do indeed meet the essential standards. In some cases self-assessment will be permitted, in other cases the assessment will have to be carried out by an external body.
- Products will have to be supplied with technical and user information concerning their cybersecurity features.
- There will be requirements to report the discovery of any cyber vulnerabilities or incidents concerning the products to which the rules apply.
- There will also be provisions relating to market surveillance and enforcement.
Some products will be outside the scope of the CRA, these include:
- Software as a service (SaaS): These services are already regulated under Cybersecurity Directive ((EU) 2016/1148).
- Free and open-source software which do not fall in the realm of commercial activity.
- Digital medical devices covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746: these regulations already set out requirements for such devices.
- Products with digital elements that are certified within Regulation (EU) 2018/1139 (relating to products in the aviation sector).
- Products to which Regulation (EU) 2019/2144 applies (relating to products in the motor vehicle sector).
- Products that are designed for national security or military purposes.
If the CRA becomes law when will the changes take effect and how will this impact UK businesses?
It is proposed that there would be a two-year transition period to allow companies to prepare for the new requirements. However, this could still be a challenge for those companies which need to make large scale changes to their operations in order to comply. In order to alleviate some of the burden, it is proposed that the CRA should align with existing EU safety legislation.
The UK is looking at a new regime of its own for the cybersecurity of internet of things (IoT) products for the consumer market but to the extent that the UK’s proposed Product Security and Telecommunications Infrastructure Bill might overlap with the CRA, UK businesses doing business in European could have the headache of having to comply with two regimes as the UK-EU Trade & Co-operation Agreement currently does not permit recognition of any UK conformity assessment procedures in the EU.
We will continue to monitor the progress of both the UK and EU plans but if you have any questions in the meantime on cybersecurity issues from a legal perspective, please contact [email protected]