The Cyber Resilience Act is a draft law of the European Commission that has been in progress since October 2021 and was presented in September 2022. Its main objective is to improve the cyber security of products that can be connected to each other or to the internet. The framework conditions apply to all products with digital elements - regardless of whether they are sold to consumers or in the B2B sector.
The draft law stipulates that manufacturers and providers of products with digital elements must pay attention to "security by design" from the outset and ensure secure use over a defined period of time through security updates. Depending on the criticality of the product, the draft distinguishes between "non-critical", "critical" and "highly critical" products. Stricter requirements are envisaged for critical products, e.g. for conformity assessment, which is to be carried out on the basis of harmonized EU standards.
Another important aspect of the draft legislation is the obligation for manufacturers to close security gaps throughout the entire product life cycle, but for a maximum of five years. Users must be informed about fixed vulnerabilities and cybersecurity incidents. In addition, manufacturers must report cyber security incidents and actively exploited vulnerabilities to the European Cyber Security Agency (ENISA) within 24 hours.
The provisions of the Cyber Resilience Act will generally apply 24 months after coming into force, although certain obligations, such as the obligation to report security incidents, will apply 12 months after coming into force.
The draft legislation is currently being discussed. It will probably be some time before the final text is agreed and the law comes into force. The specialist media have reported that it is expected to be introduced in 2024. Whether this is actually feasible remains to be seen. The exact dates for the introduction of the law are not yet known.
Nevertheless, if you are one of the companies affected, prepare now to meet the upcoming requirements of the Cyber Resilience Act. We would be happy to support you with our expertise.
If the requirements of the Cyber Resilience Act are not met, there is a risk of severe penalties. These can be imposed by a competent authority in the member states and include fines of up to 15 million euros or up to 2.5 percent of the total global annual turnover of the previous financial year, whichever is higher. In Germany, the Federal Office for Information Security (BSI) would be the competent authority.
It is also envisaged that the authorities can take graduated measures. They can demand the elimination of an identified risk and the restoration of conformity, restrict or prohibit the provision of a product on the market or even order a product recall.
The Cyber Resilience Act is likely to have an impact on a wide range of industries and businesses. In principle, the Act affects all companies that manufacture, distribute or use products with digital elements. This includes a wide range of industries, from the electronics and digital industry to the automotive industry, the toy industry and many others.
One specific example is the electronics and digital industry. Companies in this sector that manufacture microcontrollers, industrial automation and control systems or parts of the Internet of Things used in factories are directly affected by the new regulations. They must ensure that their products comply with the prescribed security standards and that they are able to provide security updates throughout the entire product life cycle.
Retailers and importers of products with digital elements are also affected. They must ensure that the products they place on the market meet the requirements of the Cyber Resilience Act. There are no size-related exceptions, meaning that both small and large companies must comply with the new regulations.
The Cyber Resilience Act applies not only to companies in the EU, but to all companies that want to sell their products on the European market. The requirements of the Act must therefore also be met by companies outside the EU in order to be allowed to offer their products in the EU.
Nevertheless, at least for some industries, regulatory requirements relating to cybersecurity are not an entirely new challenge. For example, cybersecurity standards in the automotive industry are laid down in the ISO/SAE 21434 cybersecurity standard and in the UNECE WP.29 regulations.
The Cyber Resilience Act is an ambitious project, but it also raises a number of unanswered questions. One key point of criticism concerns the practical feasibility of the law.
Bitkom points out that the requirements of the law could pose major challenges for many companies. This is because the draft law stipulates that the prescribed security standards must be implemented within 24 months of the regulations coming into force. In this context, the German Chamber of Industry and Commerce points out that many companies could have difficulties recruiting the necessary specialists to meet the requirements of the Cyber Resilience Act on time.
The TÜV Association and the German Electrical and Electronic Manufacturers' Association (ZVEI) do not view the draft law exclusively positively either. Although they welcome the introduction of binding cybersecurity requirements in principle, they are calling for more stringent requirements. In particular, the broad definition of "critical products" and "highly critical products" is viewed critically. The ZVEI warns that it could become difficult for companies to bring products to market if this classification leads to significant delays.
In the midst of the challenges and uncertainties that the Cyber Resilience Act brings with it, sepp.med is at your side as a reliable partner. With decades of experience in regulatory consulting and software security, we support companies in meeting the requirements of the new law.
Implementing the new cybersecurity law will be a challenge for many companies, especially due to the shortage of cybersecurity specialists. sepp.med can provide active support here with comprehensive advice from experienced experts and reliable implementation by our agile teams. Our goal is to make your digitalization a success through fast and compliant results.
Our experts are happy to pass on their knowledge in courses and training sessions to bring your team up to speed on IT and software security. This way, you can be sure that you have the right answers to all questions - whether for an upcoming audit or for your day-to-day work.
The Cyber Resilience Act is an important step towards a more secure digital future. Let's shape this future together! We look forward to accompanying you on this journey.