On 10 December 2024, Regulation (EU) 2024/2847 (Cyber Resilience Act – CRA) came into force. The following Q&A summarizes its key points:
1. What does the CRA regulate?
Regulation (EU) 2024/2847 (Cyber Resilience Act – CRA) applies to all Products with Digital Elements (PDEs) made available in the EU market. PDEs include:
- Devices incorporating software or hardware capable of connecting to other systems or networks (e.g., IoT).
- Computing components, operating systems, applications, and remote data processing solutions.
Examples of PDEs:
- Devices:
  - Laptops,
  - Smartphones,
  - Sensors and cameras,
  - Smart robots,
  - Smart cards,
  - Smart meters,
  - Mobile devices,
  - Smart speakers,
  - Routers,
  - Switches,
  - Industrial control systems.
- Software:
  - Firmware,
  - Operating systems,
  - Mobile applications,
  - Desktop applications,
  - Video games.
- Components (hardware and software):
  - Computer processing units,
  - Graphics cards,
  - Software libraries.
2. Who does it concern?
The CRA applies to all entities involved in the PDE supply chain:
- Manufacturers:
  - Responsible for designing, developing, and ensuring PDEs comply with cybersecurity requirements.
  - Must manage vulnerabilities and provide security updates.
- Importers:
  - Must ensure PDEs comply with the CRA before entering the EU market.
  - PDEs must bear the “CE” mark and come with user instructions.
- Distributors:
  - Verify product compliance and inform the manufacturer of any vulnerabilities.
If importers or distributors rebrand third-party products, they are considered manufacturers for the purposes of CRA compliance.
3. How are PDEs categorized?
The CRA categorizes PDEs based on risk levels:
- Products with Digital Elements (Default Products):
  - Low risk.
  - Covers most PDEs.
  - E.g., smart home devices, connected toys.
- Important Products (Class 1):
  - Medium risk.
  - E.g., operating systems, VPNs, password managers.
- Important Products (Class 2):
  - High risk.
  - E.g., firewalls, tamper-resistant microprocessors.
- Critical Products:
  - Very high risk.
  - E.g., smart meters, security devices with cryptographic functions, secure mailboxes.
4. What are the obligations for involved entities?
- Manufacturers:
  - Security by Design: Develop PDEs that meet the Essential Cybersecurity Requirements (Annex I) and provide necessary information and instructions (Annex II).
  - Essential Cybersecurity Requirements:
    - Risk Assessment: Ensure PDEs are designed, developed, and produced with the appropriate level of protection through:
      - Cybersecurity measures,
      - Secure default configurations,
      - Access control,
      - Data minimization policies,
      - Availability and resilience features.
    - Vulnerability Management:
      - Continuous monitoring,
      - Security checks,
      - Recording and reporting vulnerabilities to national Computer Security Incident Response Teams (CSIRTs) and ENISA (EU Agency for Cybersecurity).
  - CE Marking: PDEs must bear the CE compliance mark.
- Importers & Distributors:
  - Ensure PDEs comply with the CRA and obtain documents proving compliance.
  - Verify PDEs bear the CE mark and are accompanied by necessary instructions.
  - Inform the manufacturer immediately if vulnerabilities are detected.
- Security Updates:
  - Provide automatic security updates with an option for users to disable them.
5. Are there any exceptions?
- SMEs: Eligible for special treatment regarding certain compliance requirements.
- Free and Open-Source Software (FOSS): Obligations do not apply if the software is not for commercial use.
- National Security Products: Exempt if developed exclusively for national security or defense purposes.
6. Who supervises CRA enforcement?
- Member States: Must appoint a supervisory authority responsible for CRA enforcement, including:
  - Imposing fines,
  - Banning or recalling non-compliant products.
- ENISA: Oversees notifications of severe incidents.
- CSIRTs: Receive incident notifications at the national level.
7. What penalties apply?
- Non-Compliance with Cybersecurity Requirements:
  - Up to €15 million or 2.5% of annual turnover.
- Non-Compliance with Other Obligations:
  - Up to €10 million or 2% of annual turnover.
- Providing Misleading Information:
  - Up to €5 million or 1% of annual turnover.
8. When do these obligations apply?
- 10 December 2024: CRA formally entered into force.
- 11 June 2026: Conformity assessment bodies’ provisions take effect.
- 11 September 2026: Manufacturers’ obligation to report vulnerabilities begins.
- 11 December 2027: Full compliance with all CRA obligations.
9. Interaction with Other EU Regulations
- NIS2 Directive – Law 5160/2024: PDEs can be deemed critical if relied upon by essential entities defined in NIS2 (Article 6(5)(a) CRA).
- AI Act: High-risk AI systems complying with CRA Annex I, Section I requirements are considered compliant with the AI Act (Article 8(1) CRA).
10. What should entities within the CRA’s scope do?
- Product Development:
  - Integrate security measures from the design phase (security by design).
- Staff Training:
  - Train staff on vulnerability management and CRA compliance.
- Collaboration with Authorities:
  - Ensure communication with local CSIRTs and ENISA for incident reporting.
- Policy Updates:
  - Review and update security and compliance policies.
Conclusion
“Stergios Konstantinou and Associates – SGK Legal” remains at the forefront of developments in cybersecurity and compliance with EU regulatory frameworks.
Recognizing the significance of the Cyber Resilience Act (CRA) and the changes it introduces for manufacturers, importers, and distributors of PDEs, we are prepared to support businesses in their compliance efforts by offering:
- Specialized legal advice on designing and implementing compliance policies.
- Comprehensive support in risk assessment and vulnerability management procedures.
- Staff training to meet CRA obligations effectively.
- Representation and mediation with national and European authorities on compliance and enforcement matters.
With our continued presence in regulatory bodies and professional associations for data protection and cybersecurity, we are committed to ensuring that our clients smoothly adapt to the new requirements, safeguarding their interests and enhancing their digital resilience.