Data regulation and cyber
Learn more
Cyber Resilience Act
Status: In draft
- Commission’s proposal published 15 September 2022
- Commission, Council and Parliament reached a political agreement on the final text on 30 November 2023, further technical meetings scheduled
- Adoption expected for Q1 2024, after formal approval by both the European Parliament and the Council
- Application 36 months later (likely Q1 2027) resp. 21 months later (likely Q4 2025) for the reporting obligations of manufacturers for incidents and vulnerabilities
Summary
Horizontal regulation that covers all wired and wireless products connected to the internet and software.
Scope
- Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software placed on the EU market
Key elements
- Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
- Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking
Challenges
- Definition of hardware and software products that fall under the CRA is still being discussed
- Overlap with other Acts of the EU Digital Strategy
Key Freshfields contact(s):
-
Dr. Theresa Ehlen Partner
Düsseldorf, Frankfurt am Main
-
Dr. Christoph Werkmeister Partner
Düsseldorf
-
Dr. Lutz Riede Partner
Vienna, Düsseldorf
-
Andrew Austin Partner, Head of London Dispute Resolution
London