Preparing for the EU Cyber Resilience Act

Written by: David Henderson on Apr 15, 2024

In this series, co-authored by Vertical Structure and A&L Goodbody Northern Ireland LLP, we look at the forthcoming Cyber Resilience Act. This legislation could have a significant impact on software developers and hardware creators operating in the EU Market.

Organisations around the world need to be prepared for a new cybersecurity regulation that’s expected to be adopted imminently by the EU. The forthcoming Cyber Resilience Act ("CRA") is being hailed by industry pundits as the first dedicated piece of multi-national legislation, and perhaps the strictest, cybersecurity regulation yet seen. The CRA will impose mandatory cybersecurity requirements in respect of "products with digital elements" ("PDEs") being placed on the EU market.

Due to the nature of modern-day globalisation, with devices and connections coming from anywhere and everywhere, the CRA will have implications not only for companies based within the EU but worldwide. Any manufacturer, importer or distributor who wants to place a PDE on the EU market will have to comply with the requirements of the CRA, regardless of where they themselves are based.

Furthermore, it’s expected that the CRA will set a new benchmark that other territories will rapidly want to match. Overall, it is likely to represent a sea change in how cyber resilience is approached around the world.

How can you be prepared for the CRA?

The first step lies in educating key stakeholders in your organisation about what’s in the legislation. This article, the first in a series, seeks to educate tech sector organisations about the basics, including: who will be affected by the CRA; its implementation timeframe; the main objectives and requirements of the CRA; and the potential consequences of breaching it.

Who does the CRA impact?

Any company or organisation involved in the manufacturing, importing or distribution of a PDE has the potential to be impacted by the CRA. The term "PDE" has been defined broadly in the CRA and covers the following types of product:

  • End devices, such as laptops, phones, smart devices, routers, servers and industrial control systems;
  • Software (including apps); and
  • IT components (such as CPUs, video cards, etc).

Our insight: The CRA uses the term "manufacturer" of products with digital elements. It's important not to be tripped up by this term. The IT industry would typically associate it with the production of end devices and physical objects; in this instance, however, it also covers the development of software (including remote data processing, such as cloud services, without which the PDE could not perform one of its functions).

Timing

The EU Parliament adopted the CRA on 12 March 2024. As part of the EU’s legislative process, it also needs to be adopted by the EU Council (which is expected to happen imminently). The CRA will then be published in the Official Journal of the EU and will enter into force 20 days later. Once that takes place, operators will have 36 months to adapt to the new requirements. This timeline is sped up to 21 months, however, in respect of the vulnerability reporting obligations (more on that later in this series of articles). Therefore, we expect the new requirements will start to apply early to mid 2027, with the reporting obligations expected to kick in in early 2026.

What are the main objectives and requirements of the CRA?

According to the EU Commission, the CRA is aimed at ensuring “…that we can defend ourselves in a world increasingly prone to hacking of connected products and associated services.”

The first recital of the CRA summarises what the EU Commission views as two main problems with PDEs in the EU market that need to be addressed:

  1. A low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them; and
  2. An insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

The seriousness with which the Commission takes these problems is clear: "Cyberattacks have a critical impact not just on the Union's economy, but also on democracy and consumer safety and health."

To address these issues, the CRA focuses on three main areas:

  1. Ensuring cybersecurity is given sufficient consideration throughout a PDE's lifecycle;
  2. Ensuring vulnerabilities and incidents are adequately reported; and
  3. Ensuring end users are provided with sufficient information to make informed choices about their PDE.

Let’s take each in turn:

1. Ensuring cybersecurity is given sufficient consideration throughout a PDE's lifecycle

The EU Commission was concerned that, all too often, end users across the EU were using devices and software that were left dangerously unprotected from the threat of cyberattacks. Hence the CRA aims to place responsibility squarely on the 'manufacturers' of PDEs. Manufacturers will have to ensure that PDEs have been "designed, developed and produced" in accordance with the CRA's essential cybersecurity requirements.

Furthermore, the obligation to consider cybersecurity will now continue throughout a product's expected lifecycle. The support period offered by manufacturers cannot be shorter than 5 years unless the product is expected to be in use for less than that, and the end-date of the support period must be stated when the product is placed on the market. During the support period, manufacturers must monitor their products and release security updates free of charge to address any identified vulnerabilities or security issues.

Our insight: The creation of mandatory support periods has already provoked quite a lot of adverse commentary. To date, tech companies have largely been left to their own devices when determining how long they wish to push cybersecurity updates and maintenance to an end device. Defining a reasonable lifespan of a digital product may not be straightforward and more oversight will be needed from regulators in this area. In anticipation of these issues, the CRA requires the establishment of an "Administrative Cooperation Group" (ADCO) to provide guidance to manufacturers on indicative support periods and statistics on the average support period for various categories of PDEs.

Vertical Structure's CEO, Simon Whittaker said, "There are a few parts of the CRA that involve grey areas that are potentially open to interpretation. We are looking forward to seeing the guidance issued by ADCO to help organisations determine how long a lifespan lasts. This will determine the framework for cybersecurity maintenance and updates, a very big issue for any tech manufacturer. Once we see this guidance, we will be well-positioned to coach organisations through these intricacies."

Our insight: To assist with compliance under the CRA, manufacturers will need to be prepared to find and address vulnerabilities through a combination of technical and organisational measures, including robust penetration testing, threat modelling, improved training for staff (both technical and non-technical), cyber incident exercising and ISO certification.

“We at Vertical Structure can advise the right blend of these elements to ensure organisations are adequately protected against the threat of cyberattack. This has always been of extreme importance, to ensure business continuity, above and beyond the basic need to adhere to regulations,” said Simon Whittaker.

2. Ensuring vulnerabilities and incidents are adequately reported

The CRA will impose comprehensive reporting obligations on manufacturers. Manufacturers must notify the authorities of any actively exploited vulnerability in a PDE, and of any severe incident having an impact on the security of a PDE, by submitting an early warning within 24 hours of becoming aware of it. A fuller notification must follow within 72 hours, and a final report once corrective or mitigating measures are available. Reports are to be submitted to the designated national CSIRT and to ENISA via a newly created single reporting platform (which will be established and maintained by ENISA).

The manufacturer must also inform impacted users of the PDE about an actively exploited vulnerability or severe incident in a timely manner. Where necessary, they must also suggest possible steps that the users can deploy to mitigate the impact of the vulnerability or incident.

3. Ensuring end users are provided with sufficient information to make informed choices about their PDE

Another key element of the CRA lies in how a product's security properties are communicated to the end user. The Commission's view was that, to date, communication with end users about the cybersecurity of products with digital elements had not been comprehensive enough, nor articulated in a way that consumers could understand. To correct this, the CRA imposes significant new requirements on manufacturers regarding the information that needs to be provided to end users. This includes:

Manufacturers’ details: manufacturers now need to indicate their name, registered trade name/mark, postal address and digital contact details. These details should be included on the PDE itself, on its packaging or in a document accompanying the PDE;

Single point of contact: end users must be provided with a single point of contact to enable them to communicate “directly and rapidly” with manufacturers about vulnerabilities of the PDE. End users should be allowed to choose the means of communication (which must include at least one non-automated tool);

Instructions on the use of the PDE: detailed instructions must be provided on the secure use of the product throughout its lifecycle including information regarding its initial commissioning, how updates are to be installed and how user data can be securely removed upon decommissioning; and

Support information: end users need to be provided with information relating to the type of technical support offered by the manufacturer and the end-date of the support period.

In each case, this information needs to be provided “in a language that can be easily understood by users and market surveillance authorities”.

"These new information requirements may be a dramatic shift from what manufacturers were providing before," said Simon Whittaker. "There is a level of detail required, and an insistence that manufacturers communicate these details in the right language. We will be coaching our customers on how to set up communication frameworks that adhere to these new legal standards."

Potential consequences of breaching the CRA

The CRA provides regulators with a range of options to compel compliance. They can require the operator to take "corrective measures" to bring a non-compliant PDE into conformity, withdraw it from the market or issue a product recall. In addition, regulators have the power to impose administrative fines for non-compliance with the essential cybersecurity requirements of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, with lower maximum fines for breaches of the CRA's other obligations.

Conclusion

Reflecting on the implications of the CRA for the tech sector, Keith Dunn, Senior Associate, A&L Goodbody commented: “Until now, cybersecurity legislation across the EU in respect of digital products has been fairly scattergun in nature. As a result, products with inadequate cybersecurity have become more common within the EU, inflicting heavy costs on consumers and businesses. The CRA seeks to reverse this trend and will set a new international benchmark for operators to adhere to. Once it is fully adopted and implemented, operators will have to comply with enhanced cybersecurity requirements, and regulators will have significant firepower at their disposal to deal with those who fail to comply with the rules. The upshot is that cybersecurity considerations will need to take centre-stage throughout the entire lifecycle of a product, from its initial design through to the end of its mandatory support period.”

Anna Cartwright, Senior Associate, A&L Goodbody said: “In our digital society, PDEs are part of our everyday lives (such as smart watches, home cameras, baby monitors, etc) and the EU institutions have, quite rightly, identified the ever-increasing risk of cyberattacks. The CRA represents a huge step towards addressing this risk and creating a more secure digital future. However, the CRA will undoubtedly have significant compliance and cost implications for any businesses falling within its scope. We would encourage businesses to start planning for the CRA now and to reach out if they require guidance.”

Simon Whittaker concluded: "In the past, we've seen cybersecurity too often set to one side, even when the cyber threats to businesses continue to increase. This only reinforces the need to do more with implementing robust security measures. Powerful legislation such as the CRA, at our doorstep, will spark a significant shift in baseline cybersecurity – not just in the EU, but globally. The far-reaching impact on businesses will make it essential for EU organisations, or those trading within it, to understand and plan the implementation of new processes ahead of its rollout. The good news is that you will have 36 months to prepare, and organisations such as Vertical Structure and A&L Goodbody can help guide you through the process."

Simon Whittaker

Simon Whittaker has been providing security services & training to both local organisations and some of the world’s largest companies for nearly 20 years. His extensive background in both development & System/Network Administration provides a great view on how best to compromise and secure required services & applications, while also ensuring that training courses, content & practicals can be aimed at the right audiences.

His work involves working with companies to test and improve secure coding practices, penetration & security testing and providing security consultancy to companies that are keen to improve their processes & procedures.

In addition, he also has significant experience in developing & implementing efficient and effective practices across departments to assist with securing and retaining external quality recognition such as ISO27001.

Contact Simon for technical queries regarding the CRA

Anna Cartwright

Anna Cartwright is a Senior Associate in A&L Goodbody's Corporate and M&A group in Belfast. Anna specialises in corporate transactional and corporate advisory matters. She has advised on a wide range of transactions at a local, national and multi-jurisdictional level, including private acquisitions and mergers, group reorganisations, investments, shareholders' agreements, joint ventures and partnerships. Anna has acted for businesses in a variety of sectors including retail, manufacturing, food production, sports, healthcare, leisure, technology and IT. Anna is a qualified solicitor in Northern Ireland and in England and Wales.

Contact Anna for any legal queries regarding the CRA

Keith Dunn

Keith Dunn is a Senior Associate in A&L Goodbody's Commercial & Technology team in Belfast. He advises clients on a wide range of commercial matters with a particular focus on data protection and cyber security. Keith regularly assists clients in the planning, drafting and negotiation of a broad-spectrum of commercial agreements, including agency, distribution, intellectual property, licensing, manufacturing, outsourcing, research, supply and technology transfer. Through his work, Keith has developed particular experience assisting clients in the research and development sector. He regularly advises clients in the negotiation of collaborative arrangements between universities, other publicly-funded organisations and private companies.

Contact Keith for any legal queries regarding the CRA

Article References

Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act), procedure 2022/0272(COD). https://eur-lex.europa.eu/lega...

Thanks for reading. Look out for our next instalment in this series, co-authored by Vertical Structure and A&L Goodbody Northern Ireland LLP, on the EU Cyber Resilience Act. Coming soon.
