On March 12, 2024, the EU Parliament officially approved the Cyber Resilience Act, marking an important step forward in the cybersecurity of products placed on the market.
The Scope of Application of the Approved Cyber Resilience Act
The Cyber Resilience Act aims to fill regulatory gaps in the security of products with digital elements. It will therefore not apply to products for which ad hoc regulation already exists, such as:
- medical devices already regulated by Regulation (EU) 2017/745;
- in vitro diagnostic medical devices already regulated by Regulation (EU) 2017/746;
- motor vehicles and their components, already regulated by Regulation (EU) 2019/2144; and
- products with digital elements certified in accordance with Regulation (EU) 2018/1139.
More generally, products covered by sectoral rules that guarantee a comparable level of security are excluded.
Furthermore, the Regulation will not apply in the same way to all products; rather, products are divided into three categories:
- products with digital elements;
- products with important digital elements divided into Class I and II; and
- products with critical digital elements.
Depending on the category, therefore, different obligations will apply, especially in the area of conformity assessment.
The Regulation also specifies that, except for the accuracy and robustness requirements of the AI Act, its provisions will also apply to high-risk AI systems and that, under certain conditions, conformity assessment under the Cyber Resilience Act may be carried out as part of conformity assessment under the AI Act, thus creating a dialogue between the two sets of rules.
Obligations to manufacturers, importers and distributors
The Cyber Resilience Act places differentiated obligations on manufacturers, importers and distributors, with the heaviest responsibilities falling on manufacturers.
Specifically, manufacturers will be required, among other things, to:
- conduct an assessment of the cybersecurity risks associated with a product with digital elements and to take into account the results of that assessment during the planning, design, development, production, delivery and maintenance phases of the product;
- alert the person or entity involved in the manufacture or maintenance of the component to any vulnerability in the component, and address and correct that vulnerability in accordance with the management requirements of the Cyber Resilience Act;
- systematically document cybersecurity aspects related to the product with digital elements, including keeping the cybersecurity risk assessment of the product up to date;
- provide a product support period during which it must be ensured that vulnerabilities will be managed effectively and in accordance with the Cyber Resilience Act. This support period should be predetermined taking into consideration, among other aspects, the expected period of use of the product, the reasonable expectation of the user, and the nature of the product;
- prepare the technical documentation provided for in the Regulation and perform, or have performed (in the case of products with important digital elements and products with critical digital elements), the conformity assessment procedures, upon successful completion of which an EU Declaration of Conformity will be issued. This documentation must be kept for at least 10 years, or for a period equal to the support period if the latter is longer;
- designate a point of contact enabling users to communicate directly and quickly, including to facilitate the reporting of vulnerabilities in products with digital elements; and
- notify the CSIRT designated as coordinator and ENISA of vulnerabilities actively exploited in its products and serious incidents of which it becomes aware.
Importers and distributors, on the other hand, will have lighter obligations, consisting of checking that the manufacturer (and, in the case of the distributor, also the importer) has fulfilled its information and documentation obligations. In addition, they must not place a product on the market if they believe, or have reason to believe, that the product with digital elements or the processes put in place by the manufacturer do not comply with the Cyber Resilience Act. If the product has already been placed on the market, they will still have to take corrective action or, where appropriate, withdraw or recall the product. Finally, they will have to report to the manufacturer any vulnerabilities in the product that they become aware of.
It is important to note, however, that an importer or distributor may be considered a manufacturer for the purposes of the Cyber Resilience Act, and thus be subject to the obligations under the Act, if he or she places a product with digital elements on the market under his or her own name or trademark or makes a substantial modification to a product with digital elements that has already been placed on the market.
Conclusions
It is clear that the Cyber Resilience Act will bring a number of new requirements that manufacturers of products with digital elements will have to comply with. Companies will therefore need to familiarize themselves with the regulatory text so as to promptly adopt measures and policies to assess cybersecurity risks, including during the support period of the product, and to prepare the related technical documentation. To date, the Regulation has been approved by Parliament alone, so the Commission’s approval is still missing for the Cyber Resilience Act to become law.
In the same week, the AI Act was also passed; to learn more, see the article “AI Act Finalized: Here’s What Was Agreed”.