Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

Series Details COM (2022) 454
Publication Date 15/09/2022

Legislative initiative tabled by the European Commission on 15 September 2022, setting out a Cyber Resilience Act (CRA) aimed at protecting consumers and businesses from products with inadequate security features. This is a text with EEA relevance.

Further information:

The cybersecurity of products with digital elements has a strong cross-border dimension. In addition, incidents initially affecting a single entity or Member State often spread within minutes across the entire internal market. While existing legislation applies to certain products, most hardware and software products are not yet covered by any framework tackling their cybersecurity.

Four specific objectives are set out in this proposal:

  • ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
  • ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • enhance the transparency of security properties of products with digital elements;
  • enable businesses and consumers to use products with digital elements securely.

The draft Regulation was first announced in the European Commission's Cybersecurity Strategy, and it entails amendments to Regulation (EU) 2019/1020. It was formally tabled on 15 September 2022, following the annual State of the European Union (SOTEU) address delivered by the President of the European Commission. The Council of the European Union adopted its general approach to the proposal on 19 July 2023. The plenary of the European Parliament endorsed its own negotiating position on that same day.

Related Links
Commentary and Analysis
Orgalim: News, 15/09/2022: Cyber Resilience Act: A crucial step forward
Digital Europe: Press Release, 15/09/2022: Cyber Resilience Act: a big step forward for digital resilience but too much too soon
DR2 Consultants: Blog, 16/09/2022: European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?
Allen & Overy: Blog, 20/09/2022: EU – New Cyber Resilience Act will provide cybersecurity requirements for hardware and software products
EuroConsumers: Activities, 23/09/2022: EU Cyber Resilience Act: will the Hackable Home finally be secured?
Information Technology and Innovation Foundation (ITIF): Center for Data Innovation: Commentary, 26/09/2022: An Overview of the EU’s Cyber Resilience Act
Huawei: Blog, 29/09/2022: New Cyber Resilience Act Enhances Cybersecurity Requirements for Digital Products Sold in the EU
Ernst & Young, 06/10/2022: Security by Design at Center Stage as EU Cyber Resilience Act Emerges
Norton Rose Fulbright: Data Protection Report, 17/10/2022: The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain
Internet Society: Blog, 24/10/2022: The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem
Clifford Chance: Briefings, 07/11/2022: EU Cyber Resilience Act - Proposed Cyber-Security Rules for Connected Products
EU Law Analysis, 18/11/2022: The Cyber Resilience Act in the context of the Internet of Things
European Parliamentary Research Service (EPRS): Briefing, 14/12/2022: Strengthening cyber resilience - Initial Appraisal of a European Commission Impact Assessment
European Consumer Organisation (BEUC), 23/01/2023: The Cyber Resilience Act proposal - BEUC position paper
Centre for European Policy (CEP): Policy Brief No 1/2023, 24/01/2023: Cyber Resilience Act
Microsoft: Blog, 16/02/2023: Cyber Resilience Act: A step towards safe and secure digital products in Europe
European Banking Federation (EBF), 06/03/2023: EBF key considerations following the publication of the Cyber Resilience Act (CRA) proposal
GitHub: Blog, 17/03/2023: Partnering with EU policymakers to ensure the Cyber Resilience Act works for developers
European Parliamentary Research Service (EPRS), 10/05/2023: EU cyber-resilience act
Electronic Frontier Foundation (EFF), 30/05/2023: EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity
Digital Europe: News, 19/07/2023: Reaction to the European Parliament’s and the Council’s positions on the Cyber Resilience Act

EurActiv: Topics: Cyber Resilience Act
Bloomberg, 07/09/2022: Web-Connected Devices May Have to Meet New EU Cybersecurity Rules
EurActiv, 15/09/2022: Commission presents Cyber Resilience Act targeting Internet of Things products
Euronews, 15/09/2022: Brussels plans to introduce cybersecurity requirements for connected devices
Reuters, 15/09/2022: EU proposes rules targeting cybersecurity risks of smart devices
The Independent (UK), 15/09/2022: EU wants to toughen cybersecurity rules for smart devices
Politico, 15/09/2022: EU pitches cyber law to fix patchy Internet of Things
Forbes Magazine, 15/09/2022: EU Aims To Boost Security Of Connected Devices With New Cyber Resilience Act
EurActiv, 16/09/2022: EU chief announces cybersecurity law for connected devices
The Irish Times, 01/12/2022: Cyber-resilience Act signals big change in commercial software development
Organized Crime and Corruption Reporting Project (OCCRP), 21/07/2023: European Parliament Backs Draft Cyber Resilience Act for Secure Digital Products

EUR-LEX: SWD(2022)282: Staff Working Document accompanying the Proposal - Impact Assessment Report
EUR-LEX: SWD(2022)283: Staff Working Document accompanying the Proposal - Executive Summary of the Impact Assessment Report
European Parliament: Legislative Observatory: Procedure File for Proposal on Cyber Resilience Act (2022/0272(COD))
European Parliament: Legislative Train Schedule: Horizontal cybersecurity requirements for products with digital elements
European Commission: Better Regulation: Have Your Say: Cyber resilience act – new cybersecurity rules for digital products and ancillary services
European Commission: Policies: EU Cyber Resilience Act
European Commission: Press Release, 15/09/2022: State of the Union: New EU cybersecurity rules ensure more secure hardware and software products
European Commission: State of the Union: EU Cyber Resilience Act - Questions & Answers (15 September 2022)
Renew Europe EP Group: Newsroom, 18/07/2023: Cyber Resilience Act will be new international point of reference on cybersecurity
Council of the European Union: Press Release, 19/07/2023: Cyber resilience act: member states agree common position on security requirements for digital products
European Parliament: Press Release, 19/07/2023: Cyber Resilience Act: MEPs back plan to boost digital products security

Wikipedia: Cyber Resilience Act
