Cyber Resilience Act agreement reached as EU legislation edges closer

The European Union’s Cyber Resilience Act sets out mandatory cyber security requirements for all hardware and software

Michael Hill
12/04/2023


The European Parliament and the European Council have reached a political agreement over the forthcoming Cyber Resilience Act (CRA). First proposed by the European Commission in September 2022, the CRA is a piece of legislation that aims to improve the cyber security of digital products to the benefit of consumers and businesses across the European Union (EU). It introduces proportionate mandatory cyber security requirements for all hardware and software, with products with different levels of risk having different security requirements. The CRA also sets out a legal obligation for manufacturers to provide consumers with timely security updates for several years after purchase.

The measures are designed to empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.

The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the CRA will enter into force following its publication in the Official Journal. Manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.

EU CRA aims to address software supply chain risks

A key incentive of the EU CRA is to tackle the increasing security risks and challenges surrounding the software supply chain. “Consumers need to feel safe with the products available on the EU market. The Cyber Resilience Act agreed today will ensure the digital products we use at home and at work comply with strong cybersecurity standards,” said Věra Jourová, vice-president for values and transparency, European Commission. “Those that place these products on the market must be held responsible for their safety.”

The EU CRA fills a gap by completing safety rules so that security by design applies to all products that reach EU consumers and users, added Margaritis Schinas, vice-president for promoting our European way of life, European Commission. “The new rules require every interconnected product sold in the EU to be cyber secure and make sure that our businesses and homes become more secure.”

Criticism of EU CRA

The CRA has had a bumpy road since it was announced last year, receiving widespread criticism of some of its proposals. In October, dozens of global cyber security experts raised concerns about its vulnerability disclosure requirements. An open letter signed by representatives from a wide range of organizations including Google, the Electronic Frontier Foundation, the CyberPeace Institute, ESET, Rapid7, Bugcrowd and Trend Micro claimed that the provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.

In July, IT and tech industry groups issued a list of recommendations urging the co-legislators not to prioritize speed over quality in finalizing their positions to avoid unintended outcomes, citing several problematic aspects in the proposal.
