Summary
The Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products with digital elements within the EU, potentially influencing the economic landscape of the European digital market by impacting competitiveness, innovation, and market dynamics.
Relevant CRA Provisions
Detailed Explanation
The CRA introduces a harmonized regulatory framework for cybersecurity across the EU, aiming to reduce legal uncertainty and create a level playing field for economic operators. It applies to products with digital elements supplied in the course of a commercial activity, which may include charging for technical support services, monetizing through software platforms, or accepting donations exceeding associated costs. The regulation emphasizes the need for guidance to assist economic operators, particularly microenterprises and small and medium-sized enterprises, in complying with its provisions. Market surveillance authorities are empowered to require economic operators to take corrective actions if compliant products still present significant cybersecurity risks. The Commission plays a crucial role in evaluating national measures and may propose Union-level corrective actions if necessary. Economic operators must provide information to market surveillance authorities upon request and maintain this information for ten years. Online marketplaces and entities providing online intermediation services are subject to specific obligations depending on their role in relation to products with digital elements. ENISA is tasked with supporting the implementation of the CRA, including proposing joint activities and conducting evaluations in exceptional circumstances.
Obligations for Stakeholders
- Manufacturers, Distributors, Importers, and Online Marketplaces: Must ensure products with digital elements comply with the CRA, provide necessary information to market surveillance authorities, and take corrective actions if products present significant cybersecurity risks despite compliance.
- Open Source Software Stewards: Should consider the CRA’s provisions on remote data processing and substantial modifications, ensuring compliance where applicable.
- Microenterprises and Small and Medium-Sized Enterprises: Are particularly targeted by the Commission’s guidance to facilitate their compliance with the CRA.
- Market Surveillance Authorities: Are responsible for evaluating products, requiring corrective actions, and notifying the Commission and other Member States of measures taken.
- The Commission: Must provide guidance, evaluate national measures, and may propose Union-level corrective actions if necessary.
- ENISA: Supports the implementation of the CRA, including proposing joint activities and conducting evaluations in exceptional circumstances.