The proposed EU Cyber Resilience Act sets out new cybersecurity-related requirements for products with "digital elements". Read the blog to learn what these security regulations entail.
What is the EU Cyber Resilience Act?
The proposed EU Cyber Resilience Act (CRA), published by the European Commission on 15 September 2022, outlines cybersecurity requirements for products with digital elements. Its main objectives are to enhance the security of connected products and software in the EU market, ensure manufacturers maintain responsibility for cybersecurity throughout a product's life cycle, and inform consumers about the cybersecurity aspects of the products they purchase.
How does the CRA affect manufacturers?
Manufacturers are required to comply with essential cybersecurity requirements, which include addressing vulnerabilities effectively and undergoing a self-certification conformity assessment. For critical products, a more formal assessment by a central EU body is necessary. Manufacturers must also provide an EU declaration of conformity, maintain technical documentation, and notify relevant authorities and users about any actively exploited vulnerabilities.
What are the implications for the supply chain?
The CRA introduces obligations for distributors and importers to ensure that non-compliant products do not enter the EU market. This may create tension in the supply chain, particularly as manufacturers may be concerned about distributors and importers reporting vulnerabilities to authorities. Additionally, the reporting obligations under the CRA could add complexity to existing compliance requirements, potentially reshaping contract negotiations and relationships among supply chain partners.