Apr 162024

EU Formally Adopts Cyber Law for Connected Products

William RM Long, Lauren Cuyvers and Subhalakshmi Kumar
, , , , , , , ,

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Brief Recap of the CRA

The European Commission first proposed the CRA on 15 September 2022. The aim of the CRA is to set cyber standards for manufacturers, distributors and importers of PDE, as well as related remote data processing solutions commercialized in the EU. The CRA imposes product safety-type requirements that will apply throughout the commercial lifecycle of a connected device and seeks to ensure that PDEs comply with a number of essential cybersecurity requirements and are subject to incident and vulnerability notification requirements.  The CRA is not specific in terms of the technical cybersecurity requirements which PDEs have to comply with – this will be specified further in secondary EU legislation adopted by the EU Commission (so-called “delegated and implementing acts”). For more information on the CRA, and its key requirements, please see our previous blog posts here and here.

The CRA was adopted by the EU Parliament just one day before the EU adopted the EU AI Act – see our blog post here – and will come into force alongside a number of other digital data and cyber laws that the EU has been adopting recently, including the EU Digital Markets Act, the EU Digital Services Act, and an updated version of the EU Network and Information Systems Security Directive (NISD2).

Enforcement

The CRA imposes fines of up to €15 million or 2.5% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with any essential cybersecurity requirements. Breaches of other obligations could result in fines of up to €10 million or 2% of global turnover in the last financial year.

Further, EU Member States will each designate one or more market surveillance authorities to ensure supervision and enforcement of the CRA. The CRA has also established a dedicated cooperation group to ensure uniform application of the CRA across the EU. Finally, there are requirements for manufacturers to report e.g., actively exploited vulnerabilities and severe incidents to their Computer Security Incident Response Team (“CSIRT”) and the EU Agency for Cybersecurity (“ENISA”) so that cross-border efforts to mitigate such incidents can be implemented quickly.

Next steps

The Parliament-adopted text will now be formally adopted by the Council after which it will become law. The CRA Act is then likely to enter into force at the end of April or early May. Following entry into force, the majority of the CRA’s provisions will apply 3 years after the publication (although key vulnerability reporting obligations will apply 21 months after this date).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Subhalakshmi Kumar

London

skumar@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.