
EU Commission Tables the Proposed EU Cyber Resilience Act: Understanding the Act and Its Potential Effects on the Supply Chain


Friday, 2 December, 2022

In an effort to establish uniform cybersecurity rules for connected devices and services, the European Commission published its proposal for the Cyber Resilience Act (CRA) on 15 September 2022. The proposal is the latest step in the EU's long-running efforts against cybercrime. It aims to protect consumers and the internal market from cyber incidents, as part of the EU's "path to the digital decade" and its goal of completing the digital transformation of the EU by 2030.

The CRA establishes common cybersecurity requirements for manufacturers, developers, importers and distributors of products with digital elements, covering both hardware and software. These requirements include the ability to receive security updates, adherence to a secure software development process, and the assessment of cybersecurity risks. All manufacturers must meet them; in substance they largely mirror existing industry best practices for cybersecurity and for the software and hardware development lifecycle. How conformity is demonstrated depends on the product class: it can be self-assessed by the manufacturer, assessed by a third party, or presumed where the product follows harmonised EU standards.

 

Details of the Cyber Resilience Act's Goals

The Commission identifies four distinct objectives for the Cyber Resilience Act to mitigate vulnerabilities and counteract rising cybersecurity costs:

  • Ensure that manufacturers improve the security of covered products throughout their entire life cycle
  • Provide a single, coherent cybersecurity framework that makes compliance easier for hardware and software producers
  • Make cybersecurity properties, product characteristics and manufacturer information more transparent
  • Provide secure, ready-to-use products to consumers and businesses

According to the Commission, manufacturers must regularly test their products for vulnerabilities or face substantial penalties. The scope of the Act is deliberately limited: software-as-a-service is excluded unless it forms part of the remote data processing solutions that a product with digital elements needs in order to function. Likewise, free and open-source software falls within scope only where it is developed or supplied in the course of a commercial activity.

In the Act's recitals, a commercial activity includes charging a price for a product or for a technical support service, offering a software platform through which the developer monetises other services, or using personal data for reasons other than exclusively improving the security, compatibility or interoperability of the software.

 

Application of the Law and Penalties for Non-compliance

The European Union Agency for Cybersecurity (ENISA) is given a central role under the CRA. It will receive notifications from manufacturers of vulnerabilities that are being actively exploited, and it will prepare a technical report every two years on emerging trends in the cybersecurity risks affecting products with digital elements.

At national level, the CRA will be enforced by "market surveillance authorities". These bodies, which may be newly created or existing ones such as data protection authorities, will be designated by the Member States. They will have the power to order that a product be withdrawn or recalled from the market and to impose fines of up to EUR 15 million (about CHF 14.8 million) or 2.5% of total worldwide annual turnover, whichever is higher.

Member States may lay down additional penalties, provided they are effective, proportionate and dissuasive.

 

Source:

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
