Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

Author (Corporate)
Series Details COM (2022) 454
Publication Date 15/09/2022
Content Type , ,

Summary:

Legislative initiative tabled by the European Commission on 15 September 2022, setting out a Cyber Resilience Act (CRA) aimed at protecting consumers and businesses from products with inadequate security features. This is a text with EEA relevance.

Further information:

The cybersecurity of products with digital elements has a strong cross-border dimension. In addition, incidents initially affecting a single entity or Member State often spread within minutes across the entire internal market. While existing legislation applies to certain products, most of the hardware and software products are not yet covered by any framework tackling their cybersecurity.

Four specific objectives are set out in this proposal:

  • ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  • ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • enhance the transparency of security properties of products with digital elements;
  • enable businesses and consumers to use products with digital elements securely.

The draft Regulation was first announced in the European Commission's Cybersecurity Strategy, and it entails amendments to Regulation (EU) 2019/1020. It was formally tabled on 15 September 2022, following the annual State of the European Union (SOTEU) address delivered by the President of the European Commission. The Council of the European Union adopted its general approach to the proposal on 19 July 2023. The plenary of the European Parliament endorsed its own negotiating position on that same day.
Source Link https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2022:454:FIN
Related Links
Commentary and Analysis
Orgalim: News, 15/09/2022: Cyber Resilience Act: A crucial step forward https://orgalim.eu/news/cyber-resilience-act-crucial-step-forward
Digital Europe: Press Release, 15/09/2022: Cyber Resilience Act: a big step forward for digital resilience but too much too soon https://www.digitaleurope.org/news/cyber-resilience-act-a-big-step-forward-for-digital-resilience-but-too-much-too-soon/
DR2 Consultants: Blog, 16/09/2022: European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience? https://dr2consultants.eu/european-cyber-resilience-act/
Allen & Overy: Blog, 20/09/2022: EU – New Cyber Resilience Act will provide cybersecurity requirements for hardware and software products https://www.allenovery.com/en-gb/global/blogs/data-hub/eu--new-cyber-resilience-act-will-provide-cybersecurity-requirements-for-hardware-and-software-products
EuroConsumers: Activities, 23/09/2022: EU Cyber Resilience Act: will the Hackable Home finally be secured? https://www.euroconsumers.org/activities/cyber-resilience-act-will-hackable-home-be-secured
Information Technology and Innovation Foundation (ITIF): Center for Data Innovation: Commentary, 26/09/2022: An Overview of the EU’s Cyber Resilience Act https://datainnovation.org/2022/09/an-overview-of-the-eus-cyber-resilience-act/
Huawei: Blog, 29/09/2022: New Cyber Resilience Act Enhances Cybersecurity Requirements for Digital Products Sold in the EU https://blog.huawei.com/2022/09/29/cyber-resilience-act-enhances-cybersecurity-digital-products-eu/
Ernst & Young, 06/10/2022: Security by Design at Center Stage as EU Cyber Resilience Act Emerges https://www.ey.com/en_fi/consulting/product-security-by-design-center-stage-eu-cyber-resilience-act-emerges
Norton Rose Fulbright: Data Protection Report, 17/10/2022: The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain https://www.dataprotectionreport.com/2022/10/the-proposed-eu-cyber-resilience-act-what-it-is-and-how-it-may-impact-the-supply-chain/
Internet Society: Blog, 24/10/2022: The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/
Clifford Chance: Briefings, 07/11/2022: EU Cyber Resilience Act - Proposed Cyber-Security Rules for Connected Products https://www.cliffordchance.com/briefings/2022/11/eu-cyber-resilience-act---proposed-cyber-security-rules-for-conn.html
EU Law Analysis, 18/11/2022: The Cyber Resilience Act in the context of the Internet of Things http://eulawanalysis.blogspot.com/2022/11/the-cyber-resilience-act-in-context-of.html
European Parliamentary Research Service (EPRS): Briefing, 14/12/2022: Strengthening cyber resilience - Initial Appraisal of a European Commission Impact Assessment https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)734708
European Consumer Organisation (BEUC), 23/01/2023: The Cyber Resilience Act proposal - BEUC position paper https://www.beuc.eu/position-papers/cyber-resilience-act-proposal
Centre for European Policy (CEP): Policy Brief No 1/2023, 24/01/2023: Cyber Resilience Act https://www.cep.eu/en/eu-topics/details/cep/cyber-resilience-act-ceppolicybrief-com2022-454.html
Microsoft: Blog, 16/02/2023: Cyber Resilience Act: A step towards safe and secure digital products in Europe https://blogs.microsoft.com/eupolicy/2023/02/16/cyber-resilience-act-cybersecurity-skills/
European Banking Federation (EBF), 06/03/2023: EBF key considerations following the publication of the Cyber Resilience Act (CRA) proposal https://www.ebf.eu/ebf-media-centre/updates/ebf-key-considerations-following-the-publication-of-the-cyber-resilience-act-cra-proposal/
GitHub: Blog, 17/03/2023: Partnering with EU policymakers to ensure the Cyber Resilience Act works for developers https://github.blog/2023-03-17-partnering-with-eu-policymakers-to-ensure-the-cyber-resilience-act-works-for-developers/
European Parliamentary Research Service (EPRS): 10/05/2023: EU cyber-resilience act https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)739259
Electronic Frontier Foundation (EFF), 30/05/2023: EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity https://www.eff.org/deeplinks/2023/05/eus-proposed-cyber-resilience-act-raises-concerns-open-source-and-cybersecurity
Digital Europe: News, 19/07/2023: Reaction to the European Parliament’s and the Council’s positions on the Cyber Resilience Act https://www.digitaleurope.org/news/reaction-to-the-european-parliaments-and-the-councils-positions-on-the-cyber-resilience-act/
News
EurActiv: Topics: Cyber Resilience Act https://www.euractiv.com/topics/cyber-resilience-act/
Bloomberg, 07/09/2022: Web-Connected Devices May Have to Meet New EU Cybersecurity Rules https://www.bloomberg.com/news/articles/2022-09-07/internet-connected-devices-may-have-to-meet-new-eu-requirements
EurActiv, 15/09/2022: Commission presents Cyber Resilience Act targeting Internet of Things products https://www.euractiv.com/section/digital/news/commission-presents-cyber-resilience-act-targeting-internet-of-things-products/
Euronews, 15/09/2022: Brussels plans to introduce cybersecurity requirements for connected devices https://www.euronews.com/my-europe/2022/09/15/brussels-plans-to-introduce-cybersecurity-requirements-for-connected-devices
Reuters, 15/09/2022: EU proposes rules targeting cybersecurity risks of smart devices https://www.reuters.com/technology/eu-proposes-rules-targeting-smart-devices-with-cybersecurity-risks-2022-09-15/
The Independent (UK), 15/09/2022: EU wants to toughen cybersecurity rules for smart devices https://www.independent.co.uk/news/ap-brussels-thierry-breton-europe-european-commission-b2167907.html
Politico, 15/09/2022: EU pitches cyber law to fix patchy Internet of Things https://www.politico.eu/article/new-cyber-act-to-raise-safety-standards-across-the-bloc/
Forbes Magazine, 15/09/2022: EU Aims To Boost Security Of Connected Devices With New Cyber Resilience Act https://www.forbes.com/sites/emmawoollacott/2022/09/15/eu-aims-to-boost-security-of-connected-devices-with-new-cyber-resilience-act/?sh=44445f5da08a
EurActiv, 16/09/2022: EU chief announces cybersecurity law for connected devices https://www.euractiv.com/section/cybersecurity/news/eu-chief-announces-cybersecurity-law-for-connected-devices/
The Irish Times, 01/12/2022: Cyber-resilience Act signals big change in commercial software development https://www.irishtimes.com/business/innovation/2022/12/01/cyber-resilience-act-signals-big-change-in-commercial-software-development/
Organized Crime and Corruption Reporting Project (OCCRP), 21/07/2023: European Parliament Backs Draft Cyber Resilience Act for Secure Digital Products https://www.occrp.org/en/daily/17861-european-parliament-backs-draft-cyber-resilience-act-for-secure-digital-products
Official
EUR-LEX: SWD(2022)282: Staff Working Document accompanying the Proposal - Impact Assessment Report https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:282:FIN
EUR-LEX: SWD(2022)283: Staff Working Document accompanying the Proposal - Executive Summary of the Impact Assessment Report https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:283:FIN
European Parliament: Legislative Observatory: Procedure File for Proposal on Cyber Resilience Act (2022/0272(COD)) https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2022/0272(COD)
European Parliament: Legislative Train Schedule: Horizontal cybersecurity requirements for products with digital elements https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
European Commission: Better Regulation: Have Your Say: Cyber resilience act – new cybersecurity rules for digital products and ancillary services https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
European Commission: Policies: EU Cyber Resilience Act https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
European Commission: Press Release, 15/09/2022: State of the Union: New EU cybersecurity rules ensure more secure hardware and software products https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374
European Commission: State of the Union: EU Cyber Resilience Act - Questions & Answers (15 September 2022) https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_5375
Renew Europe EP Group: Newsroom, 18/07/2023: Cyber Resilience Act will be new international point of reference on cybersecurity https://www.reneweuropegroup.eu/news/2023-07-18/cyber-resilience-act-will-be-new-international-point-of-reference-on-cybersecurity
Council of the European Union: Press Release, 19/07/2023: Cyber resilience act: member states agree common position on security requirements for digital products https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/
European Parliament: Press Release, 19/07/2023: Cyber Resilience Act: MEPs back plan to boost digital products security https://www.europarl.europa.eu/news/en/press-room/20230717IPR03029/
Wikipedia: Cyber Resilience Act https://en.wikipedia.org/wiki/Cyber_Resilience_Act
Subject Categories ,
Subject Tags , ,
International Organisations