CRA: A political agreement is reached between the Council and the Parliament
The European Parliament and the Council reached a political agreement on the Cyber Resilience Act last night following months of negotiations.
Today’s agreement is a milestone towards a safe and secure digital single market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats. This is exactly what the cyber resilience act will achieve once it enters into force – José Luis Escrivá, Spanish Minister of Digital Transformation
The CRA, in a nutshell
The CRA is pioneering legislation worldwide in the realm of cyber resilience. It introduces a comprehensive set of mandatory requirements for all software and hardware providers, with the aim of raising the level of cybersecurity of digital products placed on the EU market.
Manufacturers and other economic operators will be obligated to adhere to cybersecurity measures throughout the entire life cycle of their products, from the design phase through to post-market placement. The cybersecurity requirements will depend on the risk level associated with the product. Moreover, the legislation calls for manufacturers to enhance transparency and accountability regarding the cybersecurity of their products.
Once the CRA applies, hardware and software will need to carry the CE marking to circulate on the EU market, and that marking may only be affixed once compliance with the regulation has been demonstrated.
The political agreement follows months of negotiations
The agreement, welcomed by the Commission, follows months of discussions, as the Parliament and the Council did not agree on the first reading of the Commission’s proposal. The agreed text maintains the main lines of the Commission’s proposal, especially concerning:
- Placing responsibility for compliance on manufacturers.
- Processes for handling vulnerabilities by manufacturers to ensure the cybersecurity of digital products, along with obligations for economic operators.
- Actions to enhance transparency regarding the security of hardware and software products.
- Establishment of a market surveillance framework for enforcing the rules.
The co-legislators failed to reach a consensus on several aspects of the Commission’s proposal. The new agreement therefore modifies specific sections of the proposal, primarily concerning:
- The scope of the legislation, with a simpler methodology for the classification of the digital products.
- A general extension of the expected product lifetime to five years, except for products designed to be in use for a shorter period.
- A strengthened role for the EU Agency for Cybersecurity (ENISA).
- Extension of the adaptation period for manufacturers to three years after the legislation enters into force.
- Support measures for Small and Micro Enterprises, such as support for testing and conformity assessment procedures.
The provisional agreement will now be submitted to the representatives of the member states in the Council for endorsement, after which the text will be subject to formal adoption by the European Parliament and the Council.