The European Commission has published a proposal for the Cyber Resilience Act (CRA), which will set out new cybersecurity requirements for connected devices.  The proposal will now be debated in the European Parliament and this presents an opportunity for SMEs to inform policymakers of the impact that the Act will have on their business.

The Cyber Resilience Act is a horizontal legislation for cybersecurity products, applicable to all sectors within the Single Market. The Act covers “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”.

This means that tangible digital products, such as connected devices (i.e smart devices), and non-tangible digital products, such as software products that are embedded into connected devices will all fall under the scope of the Act. Non-embedded software, such as apps, or Software-as-a-service, are outside the scope of the legislation.

When placing a product on the market, companies will need to declare that it meets the cybersecurity requirements set out in the Act, and if it is in a higher risk category, potentially undertake a third party assessment (see below).

Based upon an initial risk assessment, the European Commission has categorised products by their risk profile, which entail differing forms of compliance:

• Unclassifed or default are products without critical cybersecurity vulnerabilities. According to the Commission, this category will cover 90 percent of connected devices. Products in this category will have to undergo self-assessment for compliance.
• Class 1 Critical Products must adhere to standard or be subject to a third-party assessment of their compliance.
• Class 2 Critical Products have to prove compliance to the requirements via a third party assessment.

Further to this, companies must notify ENISA (the European Union Agency for Cybersecurity) of the discovery of any exploited vulnerability within a 24-hour window.

Companies are also mandated to guarantee support for the product for 5 years after it is placed on the market, or for the expected lifetime of the product (whichever is shorter), and they shall ensure that the vulnerability of the product are handled in compliance to the requirements set forth by this regulation. On top of this, companies must keep the technical documentation of the product at disposal of the market surveillance authorities, for a period of 10 years after the product was placed on the market.

Please findbelow a summary of the new requirements below and read the full Regulation and the Annex. In addition, please find also below a survey on the CRA. We would like to encourage you to provide your answers to the survey to assess the CRA impact on your company.

If you would like to share how the Cyber Resilience Act will impact your company, you can complete our survey, below: