Summary

The EU Cyber Resilience Act (CRA) aims to enhance the cybersecurity of digital products within the Union market, with a particular focus on supporting microenterprises and small and medium-sized enterprises (SMEs). This article analyzes the economic impact of the CRA on the tech industry, assessing both the costs of compliance and the potential economic benefits or drawbacks, including impacts on innovation and competitiveness.

Relevant CRA Provisions

Recitals: Recital 6, Recital 127, Recital 17, Recital 15, Recital 97, Recital 93

Articles: Article 12, Article 33, Article 26

Detailed Explanation

The CRA introduces several provisions aimed at supporting microenterprises and SMEs in complying with its requirements. Recital (6) highlights the need for Commission guidance to assist these entities, particularly regarding the scope of the Regulation, remote data processing, free and open-source software, support periods, and substantial modifications. Recital (127) emphasizes the importance of providing support to SMEs to minimize risks and facilitate compliance. Recital (17) acknowledges the role of free and open-source software in fostering innovation, while Recital (15) clarifies the application of the Regulation to commercial activities. Recital (97) outlines the objectives of regulatory sandboxes in fostering innovation and competitiveness. Recital (93) supports the use of simplified technical documentation for SMEs to reduce administrative burdens.

Article 12 addresses high-risk AI systems, ensuring they comply with essential cybersecurity requirements. Article 33 mandates Member States to provide support measures for microenterprises and SMEs, including awareness-raising, dedicated communication channels, and support for testing and conformity assessment. It also allows for the establishment of cyber resilience regulatory sandboxes. Article 26 requires the Commission to publish guidance to assist economic operators, with a focus on SMEs, covering the scope of the Regulation, support periods, and the concept of substantial modification.

Obligations for Stakeholders

  • Manufacturers: Must ensure their products with digital elements comply with essential cybersecurity requirements, particularly for high-risk AI systems. They may participate in AI regulatory sandboxes to facilitate compliance.
  • Microenterprises and SMEs: Eligible for simplified technical documentation and support measures from Member States, including awareness-raising, training, and access to regulatory sandboxes.
  • Member States: Required to provide tailored support to microenterprises and SMEs, establish communication channels, and may set up regulatory sandboxes under market surveillance authority supervision.
  • Commission: Must publish guidance to assist economic operators, especially SMEs, and maintain a list of delegated and implementing acts.