CRA - SW presidency draft compromise

Cyber Resilience Act:

Leak - New Swedish Presidency Council compromise

In its latest draft of the Cyber Resilience Act (CRA), the Swedish presidency of the EU Council classified several products, including microprocessors, as “Class 1” instead of “Class 2”. Self-assessment would be sufficient for the compliance of these Class 1 products. Other products, including some industrial automation systems and industrial internet of things devices, were removed from the list of “critical” products altogether.

The compromise text strengthened the rules on manufacturers' obligations. A 10-year period is introduced for some important provisions.

Draft SW presidency compromise

Brief analysis

Reporting obligation for manufacturers

The draft identifies the Computer Security Incident Response Teams (CSIRTs) Network as the point of contact, instead of the European Union Agency for Cybersecurity (ENISA) as initially proposed by the European Commission. The timeframe remains the same: the manufacturer shall report without undue delay and in any event within 24 hours of becoming aware of it.

CSIRTs shall inform the market surveillance authorities of all EU countries, not just the one in which the attack occurred. The CSIRTs Network shall then pass the information to the European cyber crisis liaison organisation network (EU-CyCLONe) if it is relevant for the response to a large-scale cybersecurity incident.


Presumption of conformity and EU cybersecurity certificates

For class I and II products, the draft compromise specifies that certificates must be issued at the “substantial” or “high” assurance level to provide a presumption of conformity with the essential requirements and the CRA conformity assessment procedures (no additional third-party assessment is needed).

Non-critical products may rely on any assurance level.


10-year security update and vulnerability handling

The draft compromise strengthened the rules: security updates and vulnerability handling shall remain available for a minimum of 10 years. The manufacturer should state the date (mm/yy), where possible on the packaging, until which it will at least ensure the effective handling of vulnerabilities.

During this period, manufacturers who know or have reason to believe that the product with digital elements is no longer in conformity shall immediately take the necessary corrective measures, or withdraw or recall the product, as appropriate.


Product lifetime

On this provision, the draft compromise follows the EP IMCO committee draft opinion. Manufacturers are to determine the expected product lifetime, taking into account the time users reasonably expect to be able to use the product given its functionality and intended purpose, and therefore the period for which they can expect to receive security updates.


Risk assessment

The draft compromise provides that the risk assessment to be undertaken by the manufacturer shall be documented and updated during the expected lifetime of the product. It shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the specific conditions of use of the product with digital elements.

Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64