Cybersecurity regulation

Cyber Resilience Act – EU starts public consultation

As early as last year, the EU announced the creation of a Cyber Resilience Act (CRA), since no sufficient legal framework yet exists that anchors specific cybersecurity requirements across the entire life cycle of a digital product. The proposed legislation is intended to strengthen consumer protection and the EU’s competitiveness in the digitalisation of products.

The proposed law sets out cybersecurity requirements for a wide range of digital products and related ancillary services. It covers tangible digital (wireless and wired) products and non-embedded software throughout their entire life cycle, so hardware and software are treated equally. As a horizontal piece of legislation, the act selectively complements existing cybersecurity regulations such as the Cybersecurity Act (Regulation (EU) 2019/881) and Delegated Regulation (EU) 2022/30.

The legislative initiative defines the following three main objectives:

  • “Firstly, it aims to enhance and ensure a consistently high level of cybersecurity of digital products and ancillary services.
  • Secondly, it aims to enable users to match the security properties of such products against their needs, including by enhancing the transparency of cybersecurity features. This would protect users from insecure digital products and ancillary services, and incentivise vendors to offer more secure products, thus increasing the trust in the digital single market.
  • Third, it seeks to improve the functioning of the internal market by levelling the playing field for vendors of digital products and ancillary services.”

The legislative initiative is based on the so-called New Legislative Framework (NLF). Under this approach, the law itself defines the essential cybersecurity requirements, which are then given concrete form by (legally non-binding) harmonised standards for the various product categories. In addition, the act introduces obligations for economic operators as well as provisions on conformity assessment, the notification of conformity assessment bodies and market surveillance.

This initiative once again underlines the growing importance of cybersecurity as an objective of product regulation, since cybersecurity has a significant impact on product safety. Whether the law will actually achieve a higher level of protection, and what concrete additional obligations it will impose on economic operators, remains to be seen.

For further details: Wiebe, InTeR 2021, 66 et seq.; Schucht, NVwZ 2021, 532 et seq.

Do you have any questions about this news, or would you like to discuss the news with the authors? Please contact: Dr. Gerhard Wiebe

31 March 2022