The current Swedish Presidency of the EU Council recently circulated new compromise texts on certain provisions of the proposal for a new European Cyber Resilience Act (“Cyber Resilience Act”), including inter alia major changes to the classification of digital products and clarification of the interplay between the Act with other legislation.
To recall, the proposal for a Cyber Resilience Act presented by the Commission on 15 September 2022, introduces horizontal mandatory cybersecurity requirements for products with digital elements that are not specific to sectors, throughout their whole lifecycle. The aim of the Cyber Resilience Act is to protect consumers and businesses from products with inadequate security features. The proposal is complementary to the requirements pursuant to the NIS2 Directive, which aims to ensure a high level of cybersecurity of services provided by essential and important entities.
The Act will apply to so-called economic operators such as manufacturers, importers and distributors. Within the scope of this new draft regulation are all products that are connected either directly or indirectly to another device or network, like smart Internet of Things (IoT) devices, computers, mobile devices, operating systems and apps, as well as safety-critical components that are installed in networks or industrial facilities. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example in the field of medical devices, aviation or cars.
What are the main elements of the new compromise texts?
Key elements introduced by the Swedish Presidency compromise texts are as follows:
- The classification of critical products with digital elements and highly critical products with digital elements has been described in more detail. In addition, in the context of critical products, a number of categories of digital products have been moved from Class I to Class II (e.g., identity management systems software and privileged access management software; products with digital elements with the function of Virtual Private Network), while some are now contained in Class I (e.g., public key infrastructure and digital certificate issuance software) instead of Class II. Smart home products with safety functionalities, such as door locks and alarm systems, have been newly included in the text. This will have an impact on the type of conformity assessment procedure needed;
- To demonstrate conformity with the essential requirements set out in the Act, the European Commission will be empowered to adopt Delegated Acts to supplement the Cyber Resilience Act. These Delegated Acts may specify categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate at assurance level “substantial” or “high,” under a European cybersecurity certification scheme pursuant to the Cybersecurity Act;
- A template of a simplified EU Declaration of Conformity, making reference to an internet address where the full Declaration text is available, has been included as a further annex;
- The market surveillance authority of a Member State will require an economic operator to take appropriate measures where, having performed an evaluation, it finds that although a product with digital elements and the processes put in place by the manufacturer is in compliance with the Cyber Resilience Act, it presents a significant cybersecurity risk as well as a risk to the health or safety of persons or other aspects of public interest protection;
- The measures referred to above may include measures to ensure that the product with digital elements concerned and the processes put in place by the manufacturer no longer present the relevant risks when made available on the market, withdrawal from the market of the product with digital elements concerned, or recalling of it, and shall be commensurate with the nature of those risks;
- The interplay with the General Product Safety Regulation, the AI Regulation as well as the Machinery Regulation has been clarified; and
- Compared to the Commission’s original proposal, the new compromise text now limits the types of obligations which can be subject to administrative fines of up to 10 million EUR in case of non-compliance or, if the offender is an undertaking, up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. In this context, the obligations the text makes reference to include inter alia provisions on technical documentation and conformity assessment procedures for products with digital elements.
Next steps
The European Parliament has started its work on the Cyber Resilience Act. A consideration of the draft Report in the lead Industry, Research & Energy (ITRE) Committee is currently planned for 24-25 April 2023, while the deadline for tabling amendments has been set for 27 April 2023.
Once adopted, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation for manufacturers with regard to actively exploited vulnerabilities and incidents. This obligation will apply already one year from the entry into force considering the fewer organisational adjustments than the other new obligations.
If you have questions about how the Cyber Resilience Act and its interplay with the NIS2 and the RCE Directives affect your business, Bird & Bird is ready to help you to carry out an assessment of the impact of the incoming legislation on your business and assist in preparing your compliance plan.
For further information, please contact:
Dr. Natallia Karniyevich, Bird & Bird
natallia.karniyevich@twobirds.com