EU Cyber Resilience Act Approved by Parliament
On March 12, 2024, the European Parliament overwhelmingly approved the EU Cyber Resilience Act (CRA) with a vote of 517 in favor, 12 against, and 78 abstentions. The CRA requires products with digital elements, such as connected devices and the remote data processing solutions that accompany them, to meet binding cybersecurity requirements. The legislation is part of a broader initiative to secure digital products throughout their support period, covering essential cybersecurity requirements, vulnerability handling, and incident reporting obligations.
The CRA was originally proposed by the European Commission on September 15, 2022. It applies to manufacturers, importers, and distributors placing digital products on the EU market, and enforces compliance through significant penalties. Non-compliance with the essential cybersecurity requirements can lead to fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of the Act's other obligations can result in fines of up to €10 million or 2% of global turnover.
Each EU Member State will designate market surveillance authorities to enforce the CRA, and an administrative cooperation group will be established to ensure the Act is applied uniformly across the EU. In addition, manufacturers must report actively exploited vulnerabilities in their products and severe incidents affecting their products' security to the national Computer Security Incident Response Team (CSIRT) designated as coordinator for them and to the EU Agency for Cybersecurity (ENISA).
The CRA will become law once the Council formally adopts it, which at the time of the vote was expected by early May 2024, followed by publication in the Official Journal. Most provisions will apply 36 months after the Act enters into force (entry into force is 20 days after publication), while the reporting obligations for actively exploited vulnerabilities and severe incidents will apply after 21 months.