I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.
I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.
As a partner in our international Data Protection and Data Regulation practices, Berend advises on global and domestic data compliance projects, technology contracts, enforcement, and the legal aspects around online innovation and advanced technologies.
Another important piece of European cybersecurity legislation is also moving towards the finish line. On 23 January 2024, the ITRE committee approved the provisional agreement on the Cyber Resilience Act (CRA), which will introduce new cybersecurity and cyber resilience obligations to protect digital products in the EU from cyber threats. On 12 March 2024, the European Parliament approved the text.
On a high level, the Cyber Resilience Act:
introduces mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, including office applications, smart speakers, hard drives, games, operating systems, network interfaces, firewalls and computers and smartphones;
rebalances responsibility for compliance towards manufacturers, who must meet obligations such as providing cybersecurity risk assessments with regard to these products, issuing declarations of conformity, and cooperating with the competent authorities, all for a set period or the expected lifetime of the product;
provides for transparency obligations regarding the security aspects of hardware and software products to allow consumers to take cybersecurity into account when selecting and using products that contain digital elements; and
obligates manufacturers to ensure the continued security of their products and to put in place vulnerability handling processes, including obligations for importers and distributors in relation to those processes.
This proposal should be seen in the context of the wider EU cybersecurity framework, including NIS2 and DORA. The CRA aims to fill the gaps and make existing cybersecurity legislation more coherent by imposing security obligations on hardware and software throughout the supply chain and throughout the product lifecycle.
What are the main elements of the political agreement?
On product lifetime, it was agreed that the manufacturer’s support period for a connected product should correspond to its expected lifetime and that a support period of at least five years is indicated, except for products which are expected to be in use for a shorter period of time;
The European Parliament and the Council reached an agreement on two different lists for important and critical products based on their criticality and the level of cybersecurity risk. For instance, for connected products with a cybersecurity-related functionality and a function which carries a significant risk of adverse effects, third-party conformity assessments will be required before they are placed on the market. For products with slightly lower risk profiles, such as identity management systems, biometric readers, standalone and embedded browsers, VPN products and network management systems, manufacturers should perform conformity assessments via their internal control procedures;
Products should also have security updates installed automatically and separately from functionality updates;
The Commission will need to adopt further rules to specify the definitions of the product categories;
The new rules will apply three years after the law enters into force. Manufacturers, importers and distributors of hardware and software products will have to adapt to the new requirements within this time period;
In relation to the reporting obligation of manufacturers for incidents and vulnerabilities, there is a more limited 21-month grace period;
Additional support measures for small and micro enterprises were included, such as specific awareness-raising and training activities, as well as support for testing and conformity assessment procedures.
The three European standardisation organisations (CEN, CENELEC and ETSI) are now developing standards and common specifications that should be ready within the three-year period.
Next steps
The final text will now also have to be formally adopted by the Council before it is published in the EU Official Journal and becomes law.