April 20, 2024, 1:18

The Daily

Read the World Today

EU Council clarifies Cyber Resilience Act’s interplay with AI Act, product safety


The Swedish presidency of the EU Council has circulated a new compromise text, obtained by EURACTIV, touching upon the relation with other EU laws, the notifying authorities, enforcement and penalties.

The Cyber Resilience Act is a legislative proposal, currently going through the ordinary legislative process, to introduce baseline cybersecurity requirements for connected devices.

The partial compromise results from the discussion held on 15 February in a meeting of the Horizontal Working Party on Cyber Issues, a technical body of the EU Council of ministers. The new document will be discussed at a technical meeting on Wednesday (1 March).

The changes to the text are not particularly significant, signalling that the discussions in the Council might not be mature enough to tackle more sensitive issues like the delegated powers of the European Commission and the timeline for the regulation’s entry into force.

Interplay with other legislation

AI systems considered at high risk of causing harm will comply with the AI Act’s cybersecurity requirements if they respect the essential requirements listed in the Cyber Resilience Act and demonstrate that with an EU declaration of conformity.

In relation to the General Product Safety Regulation, the text clarifies that its obligations for economic operators, market surveillance provisions, enforcement, and international cooperation apply to connected devices not covered by the new cybersecurity law or other EU harmonisation legislation.

Similarly, compliance with the cybersecurity obligations under the EU’s Machinery Regulation could be demonstrated with the conformity declaration issued under the draft cybersecurity law.

Notifying authorities

Following the New Legislative Framework, the CRA requires certain critical products to prove their conformity with the cybersecurity requirements via external audits. That would mean that the national governments would have to appoint a notifying authority to select the accredited auditors, the notified bodies.

The notifying authority might delegate its role to a private company but would still be responsible for the contractor’s compliance with the regulation.

A new article has been added mandating EU countries to put in place an appeal procedure that product manufacturers might use to challenge the decision of the accredited auditors.

Enforcement

A market surveillance authority can take appropriate measures if it conducts an evaluation and finds that an Internet of Things product and the manufacturer’s internal process comply with the regulation but still present significant security risks.

In the most extreme cases, the authority might mandate the withdrawal of the product from the market or its recall, provided that the measure is proportionate to the risk for people’s safety, fundamental rights, the integrity of critical entities identified under the revised Networks and Information Security Directive (NIS2), and public interest more broadly.

Penalties

The CRA’s penalty regime differentiates offences by their gravity. Lack of compliance with the essential requirements and with the reporting obligations related to an actively exploited vulnerability can lead to the manufacturer being fined up to €15 million or 2.5% of the annual turnover.

The less serious offences could entail administrative fines of up to €10 million or 2% of the annual turnover.

The new text limits this class to breaches of all other obligations for economic operators, the declaration of conformity, some provisions related to the EU’s CE marking of conformity, conformity assessment procedures, technical documentation, and access to data.

Notified bodies might also incur this category of sanctions if they violate their requirements, subcontracting rules, and operational and information obligations.