Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market. The term PDE is broadly defined to include both hardware and software products such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is available here.
The text adopted by the European Parliament is identical to the December 2023 compromise reached between the Parliament and the Council, described here. In summary, the CRA's main obligations fall on manufacturers of PDEs, who must:
- Implement specific “must-have” cybersecurity requirements for PDEs.
- Perform conformity assessments of PDEs; and
- Notify competent authorities of identified vulnerabilities and major cybersecurity incidents.
As with other recent European technology regulations, non-compliance can result in steep fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
In the coming weeks, we will be publishing a series of blog posts analyzing the CRA's key obligations in more detail, including the obligation to implement the “must-have” cybersecurity requirements, to report vulnerabilities, and to undergo conformity assessments.
Next steps
The CRA must be formally adopted by the Council before it becomes law; this is expected to happen in April 2024. The final text of the CRA will then be published in the Official Journal of the EU. Most of the CRA's provisions will become fully applicable three years from the date of publication, with the exception of the vulnerability reporting requirements, which will apply 21 months after that date.
* * *
Covington's Privacy and Cybersecurity Practice regularly advises on cybersecurity laws in Europe and elsewhere. If you have any questions about how Europe's raft of new cyber regulations will impact your business, or developments in the broader cybersecurity field, our team will be happy to talk to you.