The Cyber Resilience Act (CRA) aims to further harmonise and improve cybersecurity in Europe. It represents a significant step in bolstering cybersecurity measures in Europe by adopting a risk-based methodology. Essentially, this means that products with a higher risk profile will be subjected to stricter requirements, while a set of common foundational rules will apply to all manufacturers, importers, and distributors of such products, large and small companies alike.
The CRA includes rules for placing products with digital elements on the market to ensure the cybersecurity of such products. It specifies essential cybersecurity requirements within two categories: 1) for the design, development, and production of products with digital elements and the related obligations for economic operators; and 2) for the vulnerability handling process put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and the obligations for economic operators in relation to these processes. The CRA also stipulates rules on market surveillance and enforcement of these requirements.
Small Business Interest
While the CRA is a relatively broad regulation, the following key aspects are of particular interest to our small and medium-sized enterprise (SME) member companies:
What’s Next?
The Parliament’s Internal Market and Consumer Protection Committee has recently adopted its opinion on the CRA, resulting in a few changes. These modifications range from the inclusion of incomplete products with digital elements under the EU Machinery Regulation to the regulation of connected products using artificial intelligence. New obligations include a mandate to minimise red tape and fees for SMEs across the EU, and to harmonise the CRA with other EU regulations, such as NIS2 and the GDPR.
We appreciate the recognition of micro, small, and medium-sized businesses as crucial economic players in the digital market. However, we hope that our concerns highlighted above are addressed in the final version of the regulation as well. We strongly believe that a more flexible approach that sets up an incentive structure would enhance cybersecurity across the EU and advance the Digital Single Market without subjecting SMEs to potentially untenable compliance costs. Furthermore, to align with the Cybersecurity Act, any EU-wide certification for cybersecurity included in the CRA should also remain voluntary and recognise self-assessments as the default conformity assessment mechanism.
The Committee on Industry, Research, and Energy (ITRE) is slated to adopt its opinion on the 19th of July, and the final vote on the regulation is likely to happen in September. Then the Council of the EU and the European Parliament will start political negotiations called trialogues. We’ll be monitoring these developments closely and will keep you informed.