European Union: Cyber Resilience Act: The EU Council adopts a new law on security requirements for digital products

On October 10th, 2024, the European Commission released the final draft of the Cyber Resilience Act. This proposed regulation focuses on horizontal cybersecurity requirements for products with digital elements, with a view to ensuring that products such as connected home cameras, fridges, TVs, and toys are safe before they are placed on the market. It amends Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828.

It aims to address the lack of comprehensive cybersecurity legislation in the EU by establishing horizontal rules for products with digital elements, improving the security of digital supply chains, and creating a single market for cybersecurity products and services.

The Cyber Resilience Act builds upon and relies on several existing EU regulations and directives, creating a comprehensive cybersecurity framework.

– It leverages Regulation (EU) 2019/881 (Cybersecurity Act) to establish a basis for trust and simplify compliance. Products with EU statements of conformity or European cybersecurity certificates under schemes from the Cybersecurity Act can benefit from the presumption of conformity with the Cyber Resilience Act, potentially eliminating the need for additional third-party assessments.

– It recognizes the importance of the Commission Implementing Regulation (EU) 2024/482 and the EUCC for critical products like hardware security modules. For example, products certified under the EUCC or other schemes established by the Cybersecurity Act are granted a presumption of conformity with the Cyber Resilience Act’s essential cybersecurity requirements. This means that manufacturers of certified products do not need to undergo a separate conformity assessment process for the corresponding requirements under the Cyber Resilience Act.

The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force, with some provisions applying at an earlier stage:

– Reporting obligations for actively exploited vulnerabilities and severe incidents impacting product security will apply 21 months from the regulation’s entry into force. This earlier implementation aims to quickly enhance responsiveness to critical cybersecurity threats.

– Provisions related to the notification of conformity assessment bodies will apply 18 months from the regulation’s entry into force. This phased approach ensures the necessary infrastructure for conformity assessment is in place before the broader application of the regulation.

The provided version of the Cyber Resilience Act is still in draft form. To become a final regulation, it needs to go through the remaining stages of the EU legislative process:

1. Formal Adoption and Publication: The final text must be formally adopted by the European Parliament and the Council.

2. Publication in the Official Journal of the European Union: The adopted regulation needs to be published in the Official Journal, marking its entry into force.

This regulation seeks to create a uniform cybersecurity framework across the EU, ensuring both the safety of digital products and the transparency of cybersecurity measures across supply chains.

Impact on Type Approval and Market Access Requirements? – Yes

Impact on Imports, Customs, Trade, or Market Surveillance? – Yes

Impact on Spectrum Management? – No

Impact on Technical Standards? – No

