Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Earlier this month, EU lawmakers met for the second trilogue meeting in the negotiations on the upcoming Cyber Resilience Act (“CRA”). The CRA aims to strengthen cybersecurity in Europe on an unprecedent scale – the European Commission refers to it as the “first ever EU-wide legislation of its kind”. With a political agreement expected soon, this article outlines the key points of the proposed regulation and the current status of the legislative discussion and provides an outlook on the final stages of the legislative process.
The CRA is the centerpiece of the latest European cybersecurity legislative package. It complements existing, predominately sector-specific legislations, such as the Second Network and Information Security Directive (“NIS2”), the Critical Entities Resilience Directive (“CER”), the Cyber Security Act (“CSA”) or the Digital Operational Resilience Act (“DORA”). Its scope also partly overlaps with the Radio Equipment Directive Delegated Act (“RED Delegated Act”) relating to internet-connected radio equipment.
The CRA marks a turning point for the cybersecurity of both consumer and industrial products in Europe. Compared to existing frameworks, it aims to regulate product security at the supplier level, imposing obligations on manufacturers, importers and distributors.
Following the Commission’s proposal in September 2022 (see our previous articles of 25 April 2022 and 4 October 2022; for a UK perspective, please see our article of 28 March 2023) and Council and Parliament’s position in July earlier this year, trilogue negotiations have been ongoing since September. A political agreement now appears to be within reach, with the trilogue expected to conclude at the end of this month.
The CRA introduces a comprehensive set of obligations for manufacturers, importers and distributors of “products with digital elements”. The notion of “products with digital elements” covers most software and hardware products and their remote data processing solutions, ranging from standard software solutions (e.g. text and photo editing software, games, operating systems) to IoT products (e.g. home automation devices, smart toys, routers). The decisive factor is that the foreseeable use of the product with digital elements is its connection to other devices or a network. While complex in nature, the regulation can be broken down into three key pillars:
The CRA will be enforced by “market surveillance authorities” (to be established by EU Member States), with fines ranging from 1% to 2,5% of the company's global annual turnover. This range of fines follows the European trend of enforcement through severe sanctions, such as those introduced in the GDPR and DSA.
EU lawmakers are currently negotiating a final political agreement on the CRA. The trilogue began on 27 September 2023, and the last meeting was held earlier this month on the 8 November 2023. While a lot of common ground seems to have been found, some key aspects of the regulation remain controversial. The following three aspects were at the centre of the discussion at the last trilogue meeting.
A common position on CRA reporting requirements has not yet been found. Legislators have been unable to reach a consensus on which body should be notified in case of an actively exploited vulnerability or a cybersecurity incident: The ENISA, the CRITs, or both? This question is of particular importance, given the sensitive nature of the information included in the notification.
There is also a lack of clarity about the scope of the reporting obligations. Prior to the start of the trilogue, it was rumoured that these obligations might be limited to serious cases, i.e. actively exploited product vulnerabilities, excluding failed attempts and security incidents with severe impact. Such a limitation would provide significant relief to companies during the cybersecurity support period.
Apart from the ongoing debate on the naming of the product categories ("critical" or "impactful"), the discussion focused on the method for determining the criticality of a product and the list of critical products in Annex II. This list may be updated in the future by delegated or implementing acts (to be determined) of the Commission. Part of the proposed actions to regulate highly critical products was to require mandatory safety certification under an existing or yet to be defined framework.
Finally, no agreement has yet been reached on the cybersecurity support period after a product has been placed on the market. The Council stipulated the expected lifetime as relevant period. Parliament argued for a minimum period of 5 years, unless the lifetime of a product is shorter. Notably, a proportionality approach now seems to have found its way into the determination of the support period, which could prevent extensive support obligations after the release of a product.
A final agreement on the CRA between EU lawmakers is expected at the next trilogue meeting on 30 November. This finalisation would fit neatly into the original timetable, with a planned vote on the CRA in March 2024 and ratification before the Parliament elections in June 2024.
The application period of the CRA is still to be determined. While the Commission’s proposal suggested an application period of 24 months, the positions of Parliament and Council envisaged a longer period of 36 months. The legislators' stance on the application of the notification obligations are even further apart, ranging from 12 months (Commission) and 18 months (Council) to 24 months (Parliament).
In any event, it is required to monitor the development on the legislative progress on the CRA framework. We will continue reporting on the development of the CRA to support our clients in organising their development and market release practices accordingly.
Authored by Dr. Henrik Hanssen, Dr. Michael Thiesen, Dr. Christian Tinnefeld, and Joke Bodewits
Timm Smid, a paralegal in our Hamburg office, contributed to the drafting of this article.