Update on the EU Cyber Resilience Act for UK companies | Fieldfisher

What is the EU Cyber Resilience Act?

The EU Cyber Resilience Act (EU CRA) is an incoming EU law intended to enhance the cybersecurity safeguards for consumers and businesses buying or using products or software.  The EU CRA will do this by imposing mandatory cybersecurity requirements. 

The EU CRA is, in many respects, the EU's equivalent of the UK's Product Security and Telecommunications Infrastructure (PSTI) regime, which entered into force in April 2024.  The EU CRA is, however, a much more expansive and wide-ranging law. 

What products does the EU CRA apply to?

The EU CRA will apply to:

  • products with digital elements (PDEs) meaning software or hardware products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network;
  • a PDE's remote data processing solutions, meaning data processing at a distance for which software is designed and developed and the absence of which would prevent the product with digital elements from performing one of its functions; and
  • a PDE's software or hardware components (namely, software or hardware intended for integration into an electronic information system) that are placed on the market separately.

A very wide range of products will be PDEs: smart or connected household devices (such as smartphones, tablets, PCs, cameras, TVs, fridges, exercise equipment, etc.), toys and wearables.  It is important to note that PDEs can also be pure software products (for example operating systems, browsers and mobile apps).  Free and open-source software that is not made available on the market in the course of a commercial activity falls outside the regime.

A limited number of product categories – those that are already considered to be sufficiently regulated – are exempt from the EU CRA's requirements.  These include medical devices (including in vitro diagnostic devices), motor vehicles subject to EU type approval, civil aviation products and marine equipment.  These categories may be added to in future. 

Who has obligations under the EU CRA?

The EU CRA will impose obligations on:

  • manufacturers (which includes anyone who develops or manufactures a PDE, or has one designed, developed or manufactured, and markets it under their own name or trademark);
  • a manufacturer's authorised representative (where appointed);
  • EU-based importers that place PDEs bearing the name or trademark of a non-EU-based person on the EU market; and
  • distributors (such as a retailer).

What are the key obligations?

The EU CRA imposes a large number of obligations. However, the key obligations are to:

  • assess the cybersecurity risks associated with a PDE and to ensure that PDEs are designed, developed and produced in accordance with essential cyber security requirements;
  • exercise due diligence when integrating components sourced from third parties used in PDEs and ensure that components do not compromise the PDE's security;
  • document certain cybersecurity-related matters including vulnerabilities and any relevant information provided by third parties;
  • ensure that vulnerabilities are handled effectively (for example, by providing updates for PDEs to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner);
  • provide security support for a period that reflects the time the PDE is expected to be in use; this period must be at least five years unless the PDE is expected to be in use for a shorter time;
  • ensure that, within 24 hours of becoming aware of an actively exploited vulnerability in a PDE or of a severe incident having an impact on the PDE's security, an early-warning notification is submitted to the EU Agency for Cybersecurity (ENISA) and the relevant national CSIRT (a fuller notification must follow within 72 hours, and a final report within 14 days of a fix becoming available for a vulnerability, or within one month of the 72-hour notification for an incident), and inform the PDE's users without undue delay about corrective measures that they can deploy to mitigate the issue's impact;
  • ensure that PDEs are accompanied by information, such as the manufacturer's details and point of contact where vulnerabilities can be reported, and detailed instructions for users including how security updates can be installed and how the product can be securely decommissioned; and
  • establish a conformity assessment process to verify compliance with the EU CRA's requirements.

These obligations primarily fall upon manufacturers; however, other supply-chain participants are broadly required to ensure that products which they place on the market comply with the requirements. 

Importers are, for example, required to ensure that they only place compliant PDEs on the EU market and that the PDE's manufacturer has compliant vulnerability handling processes in place. 

What are the essential cyber security requirements?

The EU CRA's essential cyber security requirements (ECRs) are contained in Annex I and are, to ensure that they remain future-proofed, outcomes-focused rather than technically prescriptive. 

They include that PDEs:

  • are designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity and that the impact of cybersecurity incidents is reduced;
  • are delivered without any known exploitable vulnerabilities and with a secure by default configuration;
  • ensure protection from unauthorised access by appropriate control mechanisms, including authentication, identity or access management systems;
  • protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms;
  • process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’);
  • are designed, developed and produced to limit attack surfaces, including external interfaces; and
  • ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

The EU CRA categorises PDEs by risk.  Most PDEs fall in the 'default' category and can be self-assessed by their manufacturer.  Two classes of 'important' PDEs – Class I and Class II – are subject to more onerous requirements: Class I products may be self-assessed only where the manufacturer applies harmonised standards, common specifications or a European cybersecurity certification scheme, and otherwise require third-party conformity assessment, while Class II products always require third-party assessment.  A further, shorter list of 'critical' PDEs may in addition be required to obtain a European cybersecurity certificate.  

The EU CRA also includes a number of mandatory vulnerability handling requirements (VHRs).  These include:

  • identifying and documenting the vulnerabilities and components in a PDE, including by drawing up a software bill of materials;
  • regularly testing and reviewing a PDE's security;
  • implementing a coordinated vulnerability disclosure policy; and
  • distributing patches and updates without delay and free of charge, together with advice to users on what actions they need to take.

Who will enforce the EU CRA?

The EU CRA will be enforced by nominated market surveillance authorities of the EU Member States. 

What are the penalties for non-compliance?

Some aspects of enforcement will be left to the discretion of EU Member States. 

However, the EU CRA sets maximum fines that Member States must be able to impose.  Non-compliance with the ECRs or the VHRs can attract fines of up to €15 million or, for companies, 2.5% of total worldwide annual turnover in the preceding financial year, whichever is higher.  Lower maximums apply to breaches of other obligations (up to €10 million or 2%) and to supplying incorrect, incomplete or misleading information to authorities (up to €5 million or 1%).

When will the EU CRA take effect?

The EU CRA was approved by the EU Parliament on 12 March 2024, but still needs to be formally adopted by the EU Council.  It is expected to become law later in 2024.

Following the EU CRA's entry into force, manufacturers, importers and distributors will have 36 months to adapt to the new requirements (with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities).

How does it relate to AI regulation?

PDEs which are also high-risk AI systems under the EU Artificial Intelligence Act (AI Act) and which meet the EU CRA's cybersecurity requirements will also be deemed to comply with the AI Act's cybersecurity requirements. 

How will it impact UK and other non-EU companies?

The EU CRA will have significant implications for non-EU companies, including companies established in the UK. 

The EU CRA's requirements will apply to any PDEs placed on the EU market.  This means that non-EU companies that intend to sell their products – or to otherwise have their products sold on the EU market – will need to ensure that their products comply with the EU CRA's requirements.  

What should potentially affected businesses do now?

Although the EU CRA's requirements will not take effect for some time yet, businesses should start assessing which of their products will be PDEs and what measures will need to be taken to ensure that they will be in compliance with the EU CRA.  This may also entail ensuring that suppliers and other supply chain participants are aware of the EU CRA and will be in a position to assist as may be required. 

Businesses may also wish to take steps to future-proof their contractual relationships by, when contracts come up for review, ensuring that they take account of the EU CRA and that the regime's requirements are flowed down on a 'back-to-back' basis with private enforcement rights.   

What is the EU CRA expected to achieve?

The European Commission expects that businesses will benefit from not having to comply with divergent security rules for PDEs in different Member States. The safeguards under the EU CRA are intended to reduce the number of cyber incidents and in turn incident handling costs and reputational damage arising from these (with an estimated overall saving of roughly EUR 180 to 290 billion annually).

It is also hoped that PDEs will become more trusted by and attractive to consumers. Against this, businesses within scope (which, as noted above, will include non-EU companies) will face the costs of compliance with onerous new measures, as well as the risks of potentially significant regulatory sanctions for non-compliance and of private enforcement.

If you would like to discuss this topic with a Fieldfisher lawyer, please contact Aonghus Heatley (Director) or Jonathan Peters (Senior Associate) in the firm's London Regulatory team.  Aonghus and Jonathan regularly advise technology businesses on UK product and tech regulatory requirements.