Cyber Resilience Act
Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements (COM(2022)454)
Category
Status
EU
Adopted in the EU 10 October 2024.
EEA
Pending. The Commission has marked the proposal as EEA-relevant.
Norway
Pending.
Scope
The proposal aims to enhance the functioning of the internal market by introducing EU-wide cybersecurity requirements for design, development, production and making available on the market of hardware and software products.
The Regulation will apply to all products that are connected, indirectly or directly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing rules, such as medical devices, aeronautical products and cars.
In addition to crucial cybersecurity requirements, the Regulation will impose obligations on economic operators and introduce provisions for conformity assessment, notification to conformity assessment bodies, and market surveillance.
Relevance
The objective of the proposal is to address deficiencies, clarify connections, and enhance the overall coherence of existing cybersecurity legislation. This includes ensuring the security of products with digital components, such as ‘Internet of Things’ (IoT) products, across the entire supply chain and throughout their lifespan which will affect the businesses of both manufacturers, importers and distributors.
Key obligations
The main obligations from the Commission proposal are:
- Rules to rebalance responsibility for compliance towards manufacturers, imposing obligations such as providing cybersecurity risk assessments, issuing declarations of conformity and cooperation with authorities.
- Vulnerability handling processes for manufacturers to manage vulnerabilities and ensure cybersecurity in digital products, along with responsibilities for economic operators such as importers or distributors in relation to those processes.
- Steps to enhance transparency regarding the security of hardware and software products for both consumers and business users.
- Establishment of a market surveillance framework to enforce compliance with the Regulation.