This is a guest article by Anna Cartwright, Keith Dunn and Chris Swann of A&L Goodbody.

The long-awaited Cyber Resilience Act (“CRA”) is now in force (as of 10 December 2024). Despite now being in force, as discussed in further detail earlier in our series, the majority of its obligations will not apply until 36 months’ time. The vulnerability reporting obligations, however, will apply in 21 months’ time.

The CRA will impose mandatory cybersecurity requirements in respect of the design, development, production, delivery, and maintenance of "products with digital elements" ("PDEs") that are being placed on the EU market. PDEs are broadly defined and can include end devices, such as laptops, phones, smart devices, routers, servers and industrial control systems; software (including apps); and IT components (such as CPUs, video cards, etc).

Who will enforce the CRA on UK companies?

The CRA will not be directly enforceable by any UK regulatory authority, given that, post-Brexit, the EU’s jurisdictional scope no longer directly extends to the UK. However, UK “manufacturers” (of both hardware and software PDEs), will be subject to the regulation and enforcement of each individual EU Member State’s designated “market surveillance authority” (“MSA”) within which their PDEs are made available.

These MSAs will also be required to cooperate with Member State’s relevant “cybersecurity certification authorities”, the EU Agency for Cybersecurity (“ENISA”), the authorities supervising GDPR enforcement, the European Commission, and each other, should an offending product’s availability span several Member States.

What are the risks of non-compliance?

MSA’s have a range of enforcement powers at their disposal in order to crack down on CRA-offending PDEs on offer in the EU market. They can require operators to bring the non-compliance to an end, giving an opportunity to take corrective action and eliminate the risk. For more serious breaches, a MSA can prohibit or restrict the making available of an offending PDE on the market or can order that the product is completely withdrawn or recalled.

The CRA also establishes a framework within which each MSA will be able to fine companies that do not adhere to the rules. The CRA establishes maximum levels for administrative fines, which should be provided for in national laws in cases of non-compliance – for the most serious of offences, fines can reach the higher of €15 million OR 2.5% of a company’s global annual turnover.

CRA vs UK legislation

The CRA has significant similarities to the UK’s existing Product Security and Telecommunications Infrastructure Act 2022 (the “PSTI Act”) and its accompanying regulations, which have been in force from 29 April 2024, with both regimes imposing cybersecurity requirements on products that are capable of connecting to the internet.

However, the CRA imposes more prescriptive security requirements compared to the UK regime, such as requirements relating to conformity assessments, security-by-design (including the ability for a product to be reset to its original state and to monitor its own internal data access, and requirements for the product to process only data that is necessary to its intended use), and vulnerability management (including requirements to regularly test products for vulnerabilities, implement mechanisms to distribute security updates, and to publicly disclose information regarding fixed vulnerabilities).

This means that organisations may be subject to additional or differing security requirements, depending on whether they place their connectable product onto either (or both) of the EU and UK markets. This regulatory gap should be actively monitored by companies who believe they might be subject to both regulatory regimes, with assessments to determine the applicable regime and any relevant security gaps potentially adding significant administrative burden to compliance requirements.

Complementing compliance with NIS2

The EU Commission have emphasised that the CRA will harmonise the EU cyber regulatory landscape and will directly complement the NIS2 Directive, which puts in place cybersecurity requirements, including supply chain security measures and incident reporting obligations for essential and important entities operating in the EU market. The Commission believes that the enhanced level of cybersecurity of PDEs under the CRA would facilitate some cross-over compliance by the entities in the scope of NIS2 and will overall strengthen the security of the entire supply chain.

Conclusion

Although a 36-month lead-in period might feel like a lot of time to prepare, it is important that organisations begin planning for the application and enforcement of the CRA at an early stage, so as to ensure full and proper compliance by 2027 and avoid any enforcement action by a MSA. Both Vertical Structure and A&L Goodbody are on-hand to assist, ready to advise you through the preparation process – just reach out using the contact details below.

For more information on the CRA and the obligations it will impose on PDE manufactures, please our previous instalment in this series here.

Anna Cartwright is a Senior Associate in A&L Goodbody's Corporate and M&A group in Belfast. Anna specialises in corporate transactional and corporate advisory matters. She has advised on a wide range of transactions at a local, national and multi-jurisdictional level, including private acquisitions and mergers, group reorganisations, investments, shareholders' agreements, joint ventures and partnerships. Anna has acted for businesses in a variety of sectors including retail, manufacturing, food production, sports, healthcare, leisure, technology and IT. Anna is a qualified solicitor in Northern Ireland and in England and Wales.

Keith Dunn is a Senior Associate in A&L Goodbody's Commercial & Technology team in Belfast. He advises clients on a wide range of commercial and technology matters with a particular focus on data protection and cyber security. Keith regularly assists clients in the planning, drafting and negotiation of a broad-spectrum of technology related agreements, including software licensing, SaaS, IT outsourcing, master services and software development agreements. Keith also provides regulatory analysis of new pieces of legislation for clients, such as the Online Safety Act, NIS2 and the Product Security and Telecommunications Infrastructure Act. Keith is qualified to practise in Northern Ireland and England and Wales.

Chris Swann is a Solicitor in ALG’s Commercial & Technology team in Belfast. He has experience assisting clients in a broad range of commercial and technology related matters, including data protection, intellectual property and cyber security.