
EU propose Cyber Resilience Act: The first EU-wide legislation of its kind

On September 15th, the European Commission published a proposal for a Cyber Resilience Act (“CRA”) aimed at introducing common cybersecurity rules focused on manufacturers and developers of products with digital elements, including hardware and software and their remote data processing solutions. The CRA will look to introduce horizontal and harmonised standards in relation to design, mandatory updates and the need to provide sufficient information to consumers at the point of purchase. The introduction of this proposed Regulation stems from the increased threat of cybercrime, leading to an estimated global cost of €5.5 trillion.

These requirements are intended to ensure that consumers fully understand how to enable and maintain security features throughout their product’s lifecycle. The draft CRA focuses on two main issues: the level of cybersecurity being implemented in digital products and, more notably, the fact that many manufacturers do not provide updates to address potential vulnerabilities within their product or notify consumers of them. Under the provisions of the proposed CRA, manufacturers will have certain reporting obligations and be required to undertake an “assessment of the cybersecurity risks associated with the product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases… with the view to minimising risks, preventing security incidents and minimising the impacts of such incidents”.

The scope of this Regulation will also capture distributors and importers of digital products. However, products and services subject to existing sectoral EU legislation will be exempt. The proposed CRA will look to echo and complement the provisions of the existing NIS2 Directive. It is also of crucial importance to consider the link between the CRA and the European Commission’s proposal for a legal framework surrounding Artificial Intelligence (“AI”). In certain cases pertaining to “high-risk” AI products and services, compliance with CRA requirements will automatically be considered as compliance with the cybersecurity requirements under the AI Regulation.

In order to ensure compliance with its proposed requirements, the CRA will introduce penalties akin to those seen under the General Data Protection Regulation (GDPR), with fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. As is typical for EU legislation, Member States are able to evaluate the nature of such non-compliance and impose other corrective or remedial measures. Once examined by the European Parliament and Council, Member States will have a two-year period to introduce the new requirements upon the legislation being adopted.

The proposed CRA would therefore impose a regulatory burden on all manufacturers and distributors providing products with digital elements (as described in the draft legislation) to users in the European Union. Gibraltar has a wide range of laws that govern cybersecurity, some of which implement EU directives, as well as territory-specific legislation. The United Kingdom has its own prospective legislation, the Product Security and Telecommunications Infrastructure Bill (PSTI), which has been in development since 2019 and is currently being considered by the House of Lords. In the United States, Senators are lobbying to amend the Cybersecurity Information Sharing Act 2015 in order to include companies involved with digital assets and distributed ledger technology. It will be fascinating to witness the implications of these new laws and requirements, and whether they will in fact foster a new global standard.

Feel free to reach out for further information: 

Email: jerome.compson@hassans.gi
