EU Council and European Parliament reach agreement on Digital Product Cybersecurity Act
The Cyber Resilience Act (CRA) is a forthcoming EU law aimed at making digital products safer from cyberattacks.
The law will require manufacturers of hardware and software solutions to ensure:
- their resilience to cyberattacks;
- transparency of the security systems used;
- release of security updates throughout the entire product lifecycle (from design and development to launch of the product on the market).
The draft lawwas mentioned in conclusions of the Council of the EU in 2022 and could potentially be the first adopted act among those being drafted in the EU.
Key requirements of the new law:
- One of the key requirements included in the CRA is the requirement for both software and «Internet of Things»-product manufacturers (e.g., biometric readers, smart home assistants, private security cameras) to report cyberattack incidents and product vulnerabilities and malfunctions discovered.
- Manufacturers will be required to conduct a preliminary risk assessment and report to authorities what safety requirements may apply to the product they are creating.
- Security support shall be provided for at least 5 years (except for products which are expected to be in use for a shorter period of time).
- Any security updates that occur during the product lifecycle must remain available to users for 10 years or the remaining support period (whichever is longer).
- Security measures for "importantl" products will require a security audit by a certified organization. The final list of "important" products has not yet been published, but it is likely to include both software (e.g. antivirus or VPN services) and hardware products.
- On December 3, the European Parliament and the EU Council reached consensus on " text and technical aspects of the law." The CRA will enter into force on the 20th day after its publication in the EU's official journal.
- Organizations subject to the CRA will have 36 months to bring the security systems of their products into compliance. There is also a more limited 21-month period after which manufacturers will have an obligation to report to authorities about cyber incidents and vulnerabilities.