Earlier this month, the European Commission (EC) adopted a proposal for the Cyber Resilience Act (CRA), a piece of legislation that seeks to establish common cybersecurity rules for digital products and associated services within the EU market.
The CRA is the latest in a string of regulatory instruments developed by the EU to enhance the bloc’s cyber resilience. Starting with the first Network and Information Security Directive, the EU has spent the last decade legislating to meet the objectives of its Cybersecurity strategy, a task that has only become more urgent in light of the ongoing conflict in Ukraine, where cyberattacks have played a prominent role.
While a number of existing laws cover cybersecurity in specific sectors, the new Act uses the sweeping term “products with digital elements” to ensure that cybersecurity standards are applicable to any software or hardware that could potentially be subject to attack along digital vectors.
This includes all internet-enabled devices within the Internet of Things (IoT) category that has been somewhat excluded from the EU’s legal framework. The CRA will grant the EC new powers to impose fines on IoT manufacturers that fail to meet the necessary security standards and recall or ban non-compliant products.
See also: EU Proposes Tougher Cybersecurity for ‘Internet of Things’ Products
The CRA also imposes obligations to report any actively exploited vulnerability as well as any incident that impacts a product’s security to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it.
Since its mandate was expanded by the EU’s Cybersecurity Act last year, ENISA has become a core pillar of the EU’s cyber defense and resilience regime, a position that is reinforced by the new watchdog role it will play under the CRA.
The new Act will also require market surveillance authorities to be designated or created in each EU member state, which will have responsibility for enforcement at the national level and will cooperate with ENISA and the European Data Protection Board (EDPB).
Consequences of the CRA
Much like the U.S. Cyber Incident Reporting For Critical Infrastructure Act that was signed into law in March, the CRA will oblige manufacturers and developers to carry out and report compliance assessments that are likely to incur significant costs for some firms.
Read more: US Cybersecurity Law Increases Reporting Duties For Most Firms
Of course, many companies will find that the requirements of the CRA mirror existing industry standards and best practices. However, the obligation to report an actively-exploited vulnerability in their product or an incident that impacts the security of their product adds to the growing burden on companies to notify authorities of different types of incidents — including personal data breaches and cyber incidents.
Just as the EU’s General Data Protection Act (GDPR) spawned an entire field of compliance officers and data protection professionals, the obligations under the CRA and the concurrent second Network and Information Security Directive (NIS2) are likely to reshape the makeup and mandate of the cybersecurity profession as a whole.
Related: EU Agrees on Cybersecurity Laws to Protect Financial Sector
For larger firms especially, including international tech giants, both the CRA and NSI2 will have lasting implications for the way they do business in Europe. Both pieces of legislation strengthen the EC’s oversight of non-EU companies and expand its ability to enforce change and impose fines.
The EU’s position on cyber resilience has been framed in terms of digital sovereignty, which the European Parliament defines as “Europe’s ability to act independently in the digital world.” As such, while the concept touches on defense in the militaristic sense of the word, it also includes the protection of the EU’s economic and commercial interests.
Read on: Big Techs Continue to Navigate Legal Quagmire of EU Data Sovereignty
In the words of European Commissioner for the Internal Market Thierry Breton, “by introducing cyber security by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
As is often the case, the sheer size of the internal market means that even companies based outside of the EU have little choice but to comply with new legislation or risk losing an important revenue stream.
Emphasizing this point, in comments made to Computer Weekly, Keiron Holyome, BlackBerry Vice President for the U.K. and Ireland, Eastern Europe, Middle East and Africa said that “this act should not be viewed as a European requirement, but in fact a new global standard.”
For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.