EU: Draft Commission guidance on the Cyber Resilience Act

 

The European Commission is currently preparing a Communication that will offer practical guidance on the application of the Cyber Resilience Act (CRA). The objective of this guidance is to support manufacturers, software developers, and other relevant stakeholders in understanding their responsibilities under the Regulation and to promote a consistent interpretation and implementation throughout the European Union. Stakeholders are invited to provide feedback through a public consultation process.

Background

Regulation (EU) 2024/2847 of the European Parliament and of the Council, adopted on 23 October 2024, establishes horizontal cybersecurity requirements for products containing digital elements and amends Regulations (EU) No 168/2013 and (EU) 2019/1020, as well as Directive (EU) 2020/1828. Known as the Cyber Resilience Act (CRA), the Regulation entered into force on 10 December 2024. Its purpose is to reinforce the European Union’s approach to cybersecurity by addressing cyber resilience at the Union level and improving the functioning of the internal market. It does so by creating a harmonised legal framework that sets essential cybersecurity requirements for products with digital elements, both when they are placed on the EU market and throughout their lifecycle.

The CRA builds on the EU’s New Legislative Framework (NLF), which is defined in Regulation (EC) No 765/2008 on accreditation and market surveillance relating to the marketing of products and in Decision No 768/2008/EC, which establishes a common framework for the marketing of products.

Market surveillance and enforcement of the Regulation are carried out by national market surveillance authorities. Products with digital elements that fall within the scope of the CRA are also subject to Regulation (EU) 2019/1020 on market surveillance and product compliance, which amended Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011. The European Commission, together with the European Union Agency for Cybersecurity, supports economic operators and Member States in implementing the CRA.

Purpose of the Guidance

The forthcoming guidance aims to assist economic operators in meeting the requirements of the CRA and to support the work of market surveillance authorities, notifying authorities, and notified bodies. Its broader goal is to contribute to the consistent and harmonised enforcement of the Regulation across the European Union.

The document will not address every aspect of the CRA. Instead, it will focus on explaining the reasoning behind selected key provisions and offering clarification on how these provisions may be applied in practice. The guidance relates specifically to the CRA and does not extend to other EU legislation.

It should be noted that the guidance will not be legally binding for economic operators or other parties subject to the Regulation. Only the Court of Justice of the European Union has the authority to provide a definitive interpretation of EU law. Nevertheless, the guidelines represent the European Commission’s interpretation of the CRA and are intended to support compliance and facilitate the effective implementation of the Regulation. In practice, the application of the CRA will always require a case-by-case assessment that takes into account the particular circumstances of each situation.

The Guidance covers items such as:

  • Placing on the market
  • Combination of hardware and software
  • Free and open-source software
  • Important and critical products
  • Cybersecurity risk assessment
  • Remote data processing

To find out more about the Cyber Resilience Act and compliance with it, do not hesitate to contact the Product Compliance Institute directly.


Copyright © Product Compliance Institute 2026
