On 13 September 2023, negotiations began between European
institutions to adopt the text of the EU Cyber Resilience Act (the
“CRA”). If adopted, the CRA will impose a set of software
security, cybersecurity, and vulnerability management requirements
on products with digital elements (i.e., software or hardware
products and their remote data processing solutions) placed on the
EU market.
Background
The CRA was first proposed in September 2022 by the EU
Commission (“Commission”) to establish essential
requirements for cybersecurity and vulnerability handling for
products with digital elements placed on the EU market. After
amendments were proposed by the European Council and the European
Parliament on 19 July 2023, the text for the final version is now
being debated.
Key Aspects
Scope
Under the scope of the draft CRA are products with digital
elements, including software or hardware and their remote data
processing solutions. Certain products already subject to
cybersecurity requirements in sectoral legislation are outside the
scope of the CRA, such as medical devices, aviation or connected
vehicles. Open-source software developed outside the course of…
