The Cyber Resilience Act: Consultation on the Technical Description Opens
On 13 March, the EU Commission published a consultation, inviting stakeholders to provide feedback on the implementing regulation that defines the technical descriptions of important and critical products with digital elements under the Cyber Resilience Act (EU 2024/2847) (‘CRA’). The CRA aims to address the increasing concerns surrounding cyberattacks, which the EU Commission estimates have resulted in global cybercrime costs amounting to 5.5 trillion euros by 2021.
The consultation seeks to define products that may face enhanced conformity assessment procedures under the CRA. Stakeholders are encouraged to submit their input by 15 April 2025 using the template provided by the Commission.
Background
The Cyber Resilience Act has two primary objectives:
- Creating conditions for the development of secure products with digital elements: This involves ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's lifecycle.
- Creating conditions allowing users to take cybersecurity into account: This focuses on enabling users to consider cybersecurity when selecting and using products with digital elements.
The CRA mandates that products with digital elements which have the core functionality of a product category shall be subject to the conformity assessment procedures specified under Article 32 of the Act. Against this background, the draft implementing regulation seeks to define the technical descriptions of these “important and critical products” with digital elements.
Categories of Important and Critical Products
Annex I of the Implementing Regulation categorises "important products with digital elements" into two classes:
Class 1 Products include identity management systems, standalone and embedded browsers, password managers, software for removing malicious software, VPN products, network management systems, security and event management, public key infrastructure software, operating systems, routers, microprocessors and microcontrollers with security-related functionalities, smart home virtual assistants, and personal wearable products.
Some of the technical descriptions of the Class 1 Products can be summarised as follows:
- Identity management systems: These systems manage identity lifecycle processes, including provisioning, maintenance, authentication, authorisation, and deprovisioning. They include products such as biometric readers, single sign-on software, and multi-factor authentication software.
- Routers, modems and switches: Devices that manage data flow between IP-based networks.
- Network management systems: These systems collect information about and configure network elements such as servers, routers, and mobile devices, and can be deployed on-premise or in the cloud.
Class 2 Products include hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors, and tamper-resistant microcontrollers.
Annex II details "critical products with digital elements," including hardware devices with security boxes, smart meter gateways within smart metering systems, and smartcards or similar devices.
Key Considerations for Businesses
For businesses, particularly those in sectors such as finance, healthcare, technology, and consumer goods, ensuring compliance with the CRA and its implementing regulation is important. Compliance can help businesses mitigate risks and enhance their cybersecurity posture.
At this stage, it is important for businesses to thoroughly review the technical descriptions provided in the consultation to determine applicability to their operations and provide feedback during the consultation period as needed. This can, for example, relate to the substantive content, wording or level of detail contained in the draft implementing regulation.
Key Considerations:
- Conformity Assessment Procedures: Products with core functionalities that fall into the categories listed in Annexes III and IV may be subject to more stringent conformity assessment procedures. If any of these products are relevant to a business's operations, the business should anticipate the need to undergo these assessments to demonstrate compliance with the Act.
- Stakeholder Engagement: The consultation process provides an opportunity for businesses to contribute to the development of the regulation. By providing feedback, businesses can help shape the final version of the Act to ensure that it effectively addresses their cybersecurity needs.