https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Cyber/cybersecurity-g259a2c456_1920.jpg

European Cyber Resilience Act creates more producer responsibility and threatens with high fines

07 Nov '22

We informed you in an earlier post (Cybersecurity en Cybercrime: European developments | Ploum Rotterdam Law Firm) about the Cyber Resilience Act (CRA). Not to be confused with the NIS2 Directive.

The text of this European Regulation was recently announced. When the Regulation will come into effect is not yet known: if the European Parliament gives the green light, it will come into effect within 24 months. The Regulation does not need to be transposed into Dutch law, and is directly applicable in the Netherlands. Nevertheless, there will presumably be national provisions to enable further implementation of the CRA.

Objective

The Regulation contains rules on cyber security requirements related to products. The Regulation aims to fix the lack of a regulation that applies broadly to hardware and software products. The objective is twofold: to create horizontal robust cybersecurity conditions, and to ensure transparency with regard to the level of security of such products.

Products

Products with digital elements that 'are in direct or indirect connection with an end device or network' fall within the scope of the Regulation. This does not apply to some specific categories such as medical devices, motor vehicles or products related to (civil) aviation.

Obligations

The Regulation contains two categories of obligations: obligations that product providers must fulfil before products are placed on the market, and obligations that must be fulfilled after products are placed on the market.

In short, products must not be subject to exploitable vulnerabilities. They must be designed to ensure an appropriate level of cybersecurity that is proportionate with the risk arising from use. For this reason, the product must be subject to conformity assessment. Even more stringent requirements apply to certain products.

In terms of obligations after products are placed on the market, for the expected lifetime, manufacturers must ensure that vulnerabilities of the product are effectively addressed, thereby ensuring that the product continues to meet security requirements.

Enforcement and sanctions

A national authority will be designated to monitor compliance with the Regulation. This authority will be enabled to impose sanctions.

The Regulation stipulates that the fines that are to be imposed can be up to EUR 15 million, but if the offender is a company (!), turnover-related fines can be imposed (up to 2.5% of global turnover).

Impact

Similar to the NIS2 Directive, the CRA is going to have a major impact, especially on manufacturers of the products covered by the Regulation. The days of cheap webcams of dubious quality and origin will be over when the CRA comes into force.

Keep an eye on our website for all important developments in European and Dutch cybersecurity legislation!

Contact

Attorney at law

Jouko Barensen

Expertises:  Fraud and white collar crime, Administrative law, Waste law, Environmental criminal law, Cybersecurity , Transport and Logistics, BRZO, Enforcement and sanctions,

Attorney at law

Hugo van Aardenne

Expertises:  Fraud and white collar crime, Administrative law, Cybersecurity , Enforcement and sanctions, International Sanctions and Export Controls, Interne onderzoeken,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.