The Cyber Resilience Act (CRA), the EU’s upcoming legislation to boost the security of digital products, is now only one step away from being officially adopted.
After days of debate within EU institutions, the European Parliament and the EU Council reached a political agreement on the legislation on December 3.
First proposed by the EU Commission in September 2022, the CRA aims to introduce security requirements for connected device manufacturers within the Union.
The EU institutions had already announced a provisional agreement on November 30, where it was reported that they reached a consensus on “most technical aspects of the law.”
Why is the Cyber Resilience Act a First-of-Its-Kind Legislation?
One key requirement included in CRA is the mandate for manufacturers of internet of things (IoT) devices and other connected objects to report serious cyber incidents and actively exploited vulnerabilities that have not been patched yet.
This is the first time such a requirement is being imposed by a transversal, sector-agnostic law.
Manufacturers will have to conduct a risk assessment to inform which security requirements apply to their product. They will have to provide support for at least five years unless the product has a shorter expected lifetime.
Any security update provided during that support period should remain available for either 10 years or the remainder of the support period – whichever is longer.
Manufacturers will be able to self-assess their compliance with the security requirements mentioned in the text. Products considered as “important” or “critical” will require a security audit conducted by a certified organization.
Why Was the Legislation Contentious?
Some of the debates between the three EU institutions before the final agreement revolved around the following issues:
- The scope of the products concerned
- The requirement to report to the European Cybersecurity Agency (ENISA) or local computer security incident response teams (CSIRTs)
- The possibility for EU countries to reinvest the revenues from penalties into cybersecurity capacity-building activities
- National security exemptions
The agreement is now subject to formal approval by the European Parliament and the Council. Once adopted, CRA will enter into force on the 20th day following its publication in the EU’s Official Journal.
Organizations affected by the CRA will then have 36 months to adapt to the new requirements, except for a more limited 21-month grace period related to the reporting obligation of manufacturers for incidents and vulnerabilities.
Read more: EU Cyber Resilience Act Could be Exploited for Surveillance, Experts Warn