The EU commission proposed the Cyber Resilience Act (CRA) in 2022.
From baby-monitors to smart-watches, products and software that contain a digital component are omnipresent in our daily lives. Less apparent to many users is the security risk such products and software may present.
The EU legislative procedure for such regulations can be a complex back and forth between council and parliament. Still, adoption is a clear event. When will it happen?
Signature of the Act and publication in the Official Journal are then slated for around September/October 2024. 📰
Could things still change, and the final version of the CRA be voted on before the end of this term? In theory, yes - the Council could still change its priorities. 📈 But in practice, it's unlikely, and the CRA will undergo the corrigendum procedure. 🔄
The legislation was approved with 517 votes in favour, 12 against and 78 abstentions. It will now have to be formally adopted by Council, too, in order to come into law. (press release)
The European Union's Cyber Resilience Act (CRA) has been progressing towards adoption, with negotiations among European institutions having begun on September 13, 2023. The CRA aims to impose a comprehensive set of requirements related to software security, cybersecurity, and vulnerability management for products with digital elements placed on the EU market. The negotiations include discussions on the final version of the text, which, once adopted, will establish essential requirements for cybersecurity and vulnerability handling for these products.
The CRA covers a wide range of products with digital elements, excluding certain ones already subject to cybersecurity requirements in sectoral legislation. It outlines specific obligations for manufacturers, such as conducting cybersecurity risk assessments, implementing essential security mechanisms, managing vulnerabilities effectively, and reporting cybersecurity incidents. The Act distinguishes between critical and non-critical products, with stricter conformity procedures for the former.
European institutions have successfully concluded negotiations on the CRA, and its completion is anticipated in early 2024. The act's adoption will likely include a grace period before its requirements become effective, suggesting that, assuming adoption by mid-2024, the CRA would start to apply in 2025-2026 at the earliest.
Businesses should start preparing for compliance with the CRA by training development teams, evaluating the scope of coverage, critically assessing product safety and vulnerability handling practices, and preparing support documentation in line with forthcoming obligations.
The EU Cyber Resilience Act is expected to enter into force in early 2024. Manufacturers will then have 36 months to apply the rules after their entry into force. The European Commission will periodically review the Act and report on its functioning¹. This Act aims to enhance cybersecurity by introducing mandatory requirements for products with digital components, ensuring better protection for consumers and businesses. When it comes into effect, software and internet-connected products will bear the CE marking to indicate compliance with the new standards, empowering users to make informed choices about their cybersecurity¹. 🌐🔒
Source: Conversation with Bing, 23/02/2024
(1) EU Cyber Resilience Act | Shaping Europe’s digital future. https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act.
(2) Cyber resilience act: member states agree common position on security .... https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/.
(3) Cyber resilience act: Council and Parliament strike a deal on security .... https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/.
The final compromise version of the EU Cyber Resilience Act is no longer marked 'LIMITE' and can be found on https://berthub.eu/cra/cra-coreper-en23.pdf #CRA
I have not figured out yet where to find official timelines for such stuff. From a Discord I got:
Both the Parliament and the Member States will vote on their individual positions next week, July 19th.
The next steps are a plenary vote in September (EP negotiating mandate) and the start of trilogues soon after.