
European Cyber Resilience Act creates more producer responsibility and threatens high fines

07 Nov '22

We informed you in an earlier post (Cybersecurity en Cybercrime: European developments | Ploum Rotterdam Law Firm) about the Cyber Resilience Act (CRA). It is not to be confused with the NIS2 Directive.

The text of the proposal for this European Regulation was recently published. When the Regulation will come into effect is not yet known: if the European Parliament gives the green light, it will start to apply within 24 months. The Regulation does not need to be transposed into Dutch law and is directly applicable in the Netherlands. Nevertheless, there will presumably be national provisions to enable further implementation of the CRA.

Objective

The Regulation lays down cybersecurity requirements for products. It is meant to fill the gap left by the absence of a regulation that applies broadly to hardware and software products. Its objective is twofold: to create horizontal, robust cybersecurity conditions for such products, and to ensure transparency about their level of security.

Products

Products with digital elements that 'are in direct or indirect connection with an end device or network' fall within the scope of the Regulation. Some specific categories are excluded, such as medical devices, motor vehicles and products related to (civil) aviation.

Obligations

The Regulation contains two categories of obligations: obligations that manufacturers must fulfil before products are placed on the market, and obligations that must be fulfilled after products have been placed on the market.

In short, products must be placed on the market without known exploitable vulnerabilities. They must be designed to ensure a level of cybersecurity that is appropriate and proportionate to the risks arising from their use. Manufacturers must demonstrate this through a conformity assessment, and stricter requirements apply to certain critical products.

After a product has been placed on the market, manufacturers must, for its expected lifetime, ensure that vulnerabilities in the product are handled effectively, for instance through security updates, so that the product continues to meet the security requirements.

Enforcement and sanctions

A national authority will be designated to monitor compliance with the Regulation and will have the power to impose sanctions.

The Regulation stipulates that fines can amount to up to EUR 15 million or, if the offender is a company (!), up to 2.5% of its total worldwide annual turnover, whichever is higher.

Impact

Like the NIS2 Directive, the CRA will have a major impact, especially on manufacturers of the products covered by the Regulation. The days of cheap webcams of dubious quality and origin will be over once the CRA comes into force.

Keep an eye on our website for all important developments in European and Dutch cybersecurity legislation!

Contact

Jouko Barensen, Attorney at law
Expertise: Fraud and white collar crime, Administrative law, Waste law, Environmental criminal law, Cybersecurity, Transport and Logistics, BRZO, Enforcement and sanctions

Hugo van Aardenne, Attorney at law
Expertise: Fraud and white collar crime, Administrative law, Cybersecurity, Enforcement and sanctions, International Sanctions and Export Controls, Internal investigations
