EU Cyber Resilience Act View online

European Cyber Resilience Act:

Council Experts provide extended definitions for CRA products’ categorisation

 
Download the Swedish presidency compromise proposal

The Council Horizontal Working Party on Cyber issues (HWPCI) discussed on Wednesday 15th February the CRA proposal (leak attached). To that end, the Presidency has issued a new compromise text on the list of critical products (Article 6 & Annex III) and conformity assessment (Articles 18-24).

 

Clarification of the difference between class I and class II critical products through a set of criteria;

Class I product listed in annex II meet one of the following criteria:

1.  The cybersecurity-related functionality, including securing authentication and access, intrusion prevention and detection, endpoint security or network protection);

2.  The product performs a central system function, including network management, configuration control, virtualisation, processing of personal data, or an impact on a large number of other digital products.

Class II products listed in annex III should meet at least two of the following criteria:

1. Criteria listed in the first paragraph applicable to class I;

2. Criteria listed in the second paragraph applicable to class I;

3. Intended application in sensitive environments, including in industrial control settings or and by NIS essential entities.

 

Highly critical products

The Council specifies the applicable CSA assurance level for highly critical products.

·   The Commission is empowered to adopt delegated acts to require a certificate under an EU CSA Scheme at assurance level “substantial” or “High”.

Introduction of new criteria.

·   A critical dependency of entities of a type referred to in Annex I to the Directive NIS 2 (EU) 2022/2555 on the category of products with digital elements;

·    Incidents and exploited vulnerabilities can lead to disruptive events for critical supply chains.

 

Other provisions

The Council provides a template for a simplified EU declaration of conformity.

Presumption of conformity though an EU certification scheme (if recognized by implementing act according to art.18):

·       Class 0: at any assurance level;

·       Class 1 and 2: level substantial to high.

 

Extensive revision of the categories of critical products in Annex III.

 
Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64
Twitter LinkedIn
Modify your subscription    |    View online