EU: Council adopts Cyber Resilience Act
On October 10, 2024, the Council of the European Union announced that it had adopted the Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1010 and Directive (EU) 2020/1828 (the Cyber Resilience Act).
The Cyber Resilience Act provides essential cybersecurity requirements:
- for the design, development, and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity; and
- for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes.
Definitions
Under the Cyber Resilience Act, a 'product with digital elements' is defined as 'a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.'
A 'manufacturer' is defined as 'a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetization or free of charge.'
Obligations
Annex I of the Cyber Resilience Act outlines essential cybersecurity requirements, including, among other things:
- designing, developing, and producing products with digital elements, in such a way that they ensure an appropriate level of cybersecurity based on the risks;
- ensuring that products with digital elements:
  - are made available on the market without known exploitable vulnerabilities;
  - are made available on the market with a secure by default configuration;
  - allow vulnerabilities to be addressed through security updates;
  - are protected from unauthorized access by appropriate control mechanisms;
  - protect the confidentiality of stored, transmitted, or otherwise processed data;
  - process only data, personal or other, that are adequate, relevant, and limited to what is necessary in relation to the intended purpose;
  - minimize the negative impact of the products themselves or connected devices on the availability of services provided by other devices or networks; and
  - provide the possibility for users to securely and easily remove, on a permanent basis, all data and settings, and ensure that such data can be transferred to other products or systems.
For compliance with Annex I, manufacturers must assess cybersecurity risks for products with digital elements, exercise due diligence when integrating components from third parties, and designate a single point of contact for users, among other things. Notably, manufacturers must also establish a reporting mechanism for vulnerability incidents, providing an early warning notification within 24 hours of becoming aware of an incident, and a vulnerability notification within 72 hours of becoming aware.
Next steps
The Cyber Resilience Act must now be signed by the Presidents of the Council and of the European Parliament, before being published in the Official Journal of the EU.
The Cyber Resilience Act enters into force 20 days after its publication in the Official Journal and takes effect 36 months after its publication.
You can read the press release here and the Cyber Resilience Act here.