CRA-Update – Episode 3: What are the obligations of the manufacturer under the CRA-E?
In comparison to the other economic operators, the manufacturer is subject to the most comprehensive obligations of the proposed CRA (CRA-E). This is probably because the manufacturer significantly controls the development of the product with digital elements, determines its characteristics and can thus influence the inherent cybersecurity risks. The specific obligations for manufacturers are set out in Art. 10 and 11 of the proposed CRA.
As the main obligation, Art. 10 (1) CRA-E stipulates that products with digital elements may only be placed on the market if they have been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Section 1 of Annex I stipulates, inter alia, that products with digital elements shall be delivered with a secure-by-default configuration (including the possibility to reset the product to its original state), shall be designed to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques, and shall ensure that vulnerabilities can be addressed through security updates.
The exact requirements in Section 1 (3) of Annex I that shall be fulfilled depend on the result of the cybersecurity risk assessment that is stipulated in Art. 10 (2) CRA-E. Thus, this assessment is the starting point for the security standards to be met and the result needs to be considered over the entire life cycle of a product with digital elements.
However, the manufacturer must not only ensure certain properties of the product with digital elements, but must also implement vulnerability handling processes, which are specified in Annex I Section 2 CRA-E. This includes a regular review of the product's security and prompt remediation of vulnerabilities, for example by providing security updates.
All data and details on how the manufacturer ensures that the products and the vulnerability handling processes comply with the requirements of Annex I must be recorded in technical documentation in accordance with Art. 10 (7) and Art. 23 (1) CRA-E. This documentation must include, for example, a general product description, an assessment of the cybersecurity risks and a description of the solutions adopted to ensure compliance. The technical documentation must be retained for a period of 10 years.
In order to prove that both the products with digital elements and the processes meet the requirements of the CRA-E, manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 10 (7) and Art. 24 (1) CRA-E. Which type of procedure must be completed depends on the criticality of the product. Once the assessment is concluded and the product is deemed CRA-compliant, the manufacturer must issue an EU declaration of conformity, keep it for a period of 10 years and attach it to the product. By issuing this declaration, the manufacturer assumes responsibility for the continued conformity of the product with digital elements and must also ensure that conformity in the event of a substantial modification of the product within the meaning of recital 23 sentence 1 CRA-E.
Furthermore, according to Art. 10 (6) and (12) CRA-E, the manufacturer is obligated to handle vulnerabilities and to take corrective measures; under the current draft, this obligation applies for a maximum of five years from the placing of the product on the market.
The information obligations include the provision of information and instructions when placing the product on the market in accordance with Art. 10 (10) and Annex II CRA-E. In particular, the manufacturer must provide its contact details and enclose information on the scope of functions and safety features as well as detailed instructions on how to use the product. Furthermore, users must be informed about all circumstances that may lead to significant cybersecurity incidents in connection with the use of the product. In addition, a CE marking must be affixed in accordance with Art. 10 (7) CRA-E.
The notification obligations include, among others, providing the market surveillance authority, upon request, with documentation demonstrating the conformity of the product with digital elements and of the processes put in place (Art. 10 (13) CRA-E), as well as notifying the authority when the manufacturer ceases its operations (Art. 10 (14) CRA-E). Furthermore, pursuant to Art. 11 (1) and (4) of the regulation, ENISA and the users of the product with digital elements must be informed about cybersecurity incidents.
Practical recommendations:
Due to the comprehensive requirements set out in the CRA-E, products will have to feature numerous safety functions in the future. Manufacturers will therefore have to expend more effort on the planning and design of products with digital elements. At the same time, the liability risk increases if the manufacturer's comprehensive obligations are not properly implemented. For this reason, we recommend that companies falling under the definition of a manufacturer engage with the new rules of the CRA-E at an early stage and adapt and implement the corresponding processes in their production operations in good time.
In our CRA-Update series, we regularly present information on the proposed Cyber Resilience Act and keep you informed about changes in the ongoing legislative process. In each of our articles, we give you a brief overview of a specific topic, presenting the most important aspects and practical implications.
CRA-Update
CRA-Update – Episode 11: Final draft of the CRA – Overview on the most relevant amendments
On October 10, 2024, the Council of Ministers adopted the final draft of the Cyber Resilience Act (CRA). The regulation will soon be published in the Official Journal of the European Union and will then enter into force the following day.
We have taken a look at the current text of the regulation and compared it with the European Commission's original draft. We have listed the most important changes for you below.
CRA-Update – Episode 10: Penalties under the CRA-E
With the proposed Cyber Resilience Act (CRA-E), the European Commission has set itself the goal of strengthening the security of products with digital elements through horizontal legal requirements in order to better protect the European internal market from growing cyber threats. To this end, the regulation contains a large number of obligations that apply to all economic operators in a product supply chain, namely manufacturers, importers and distributors.
CRA-Update – Episode 9: Surveillance authorities
The Commission's draft for the Cyber Resilience Act (CRA-E) mentions different authorities with different tasks for monitoring compliance with the requirements of the regulation.
CRA-Update – Episode 8: The conformity assessment procedure
In order to demonstrate the conformity of products with digital elements with the requirements of the proposed Cyber Resilience Act (CRA-E), manufacturers must carry out a so-called conformity assessment procedure in accordance with Art. 24 (1) CRA-E. For this purpose, the CRA-E provides for three different types of procedures, each of which is described in Annex VI. The procedures mentioned there are based on Decision 768/2008/EC, which aims to establish a common framework for legislation harmonising the conditions for the marketing of products and provides for conformity assessment procedures for this purpose.
CRA-Update – Episode 7: What are vulnerability handling processes put in place by manufacturers and when are they compliant under the CRA?
According to Art. 1 (c) of the planned Cyber Resilience Act (CRA-E), the regulation should also include provisions on the vulnerability handling processes put in place by manufacturers. The purpose of these processes is to ensure the cybersecurity of products with digital elements throughout their whole life cycle.
CRA-Update – Episode 6: When is a product with digital elements in conformity with the requirements of the CRA-E?
The planned Cyber Resilience Act (CRA-E) aims to establish uniform EU cybersecurity requirements for products with digital elements in order to handle the growing threat of cyberattacks. For this purpose, the regulation stipulates numerous obligations that primarily affect the manufacturers of such products.
CRA-Update – Episode 5: What are the obligations of the distributor under the CRA-E?
Being the last economic operator in the supply chain of products with digital elements, the distributor falls within the scope of the proposed Cyber Resilience Act (CRA-E) as well.
According to the definition in Art. 3 (21) CRA-E, a (legal) person falls under the term "distributor" only if it makes a product with digital elements available on the Union market without affecting its properties and without already qualifying as a manufacturer or importer.
CRA-Update – Episode 4: What are the obligations of the importer under the CRA-E?
The role of the importer becomes relevant under the proposed Cyber Resilience Act (CRA-E) when it makes available on the Union market, for the first time, a product with digital elements bearing the name or trademark of a (legal) person established outside the European Union.
CRA-Update – Episode 1: Which products fall within the scope of the proposed CRA?
The European Commission's current proposal of 15 September 2022 for a new European Cyber Resilience Act (CRA) applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (see recital 7 and Art. 2 (1) of the proposed CRA).