Mark Young and Aleksander Aleksiev of Covington and Burling write:
Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal (here), the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We’ll provide a more detailed summary of the agreed text once it is finalized and published, but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.
The CRA will impose a range of obligations for manufacturers and importers of “products with digital elements” (“PDEs”) – a category which is defined broadly to include both hardware and software products. The final text has not yet been published, but based on the draft text circulated before the agreement and related reporting, the obligations are set to include:
- Designing PDEs to meet certain essential cybersecurity requirements through risk assessment and protection against known vulnerabilities.
- Submitting PDEs to conformity assessments.
- Notifying identified vulnerabilities (within 24 hours) to the relevant national cybersecurity authority, the entity that maintains the vulnerable PDE and, potentially, ENISA.
- Notifying severe security incidents to ENISA, the relevant national cybersecurity authority, and users of the PDE.
- Conducting due diligence on imported PDEs.
Read more at Inside Privacy.