Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

Series Details (L) 2024/2847
Publication Date 20/11/2024

Summary:

Regulation (EU) 2024/2847 - adopted by the co-legislators on 23 October 2024 - setting out horizontal cybersecurity requirements for products with digital elements. It is also known as the Cyber Resilience Act (CRA). It introduces amendments to Regulation (EU) No 168/2013, Regulation (EU) 2019/1020 and Directive (EU) 2020/1828. This is a text with EEA relevance.

Further information:

The cybersecurity of products with digital elements has a strong cross-border dimension. In addition, incidents initially affecting a single entity or Member State often spread within minutes across the entire internal market. While existing legislation applies to certain products, most of the hardware and software products are not yet covered by any framework tackling their cybersecurity.

This Regulation lays down rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products. It establishes essential cybersecurity requirements for product design, development and production, and obligations for economic operators in relation to those products with respect to cybersecurity. It sets out essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers, and related obligations. It lays down rules on market surveillance, including monitoring and enforcement of the rules and requirements.

The Act comprises amendments to Regulation (EU) No 168/2013, Regulation (EU) 2019/1020 and Directive (EU) 2020/1828.

The draft Regulation was first announced in the European Commission's Cybersecurity Strategy. It was formally adopted by the Commission on 15 September 2022, following the annual State of the European Union (SOTEU) address delivered by the President of the European Commission. The Council of the European Union adopted its general approach to the proposal on 19 July 2023. The relevant committee of the European Parliament adopted its own negotiating position on the same day. An informal agreement between the co-legislators on a compromise text for this file was reached on 30 November. This was formally endorsed by Parliament on 12 March 2024 and by the Council on 10 October. The Act was signed by the co-legislators on 23 October 2024 and published in the Official Journal on 20 November 2024.

Source Link: http://data.europa.eu/eli/reg/2024/2847/oj
Related Links
Official
EUR-LEX: COM(2022)454: Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2022:454:FIN
EUR-LEX: SWD(2022)282: Staff Working Document accompanying the Proposal - Impact Assessment Report https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:282:FIN
EUR-LEX: SWD(2022)283: Staff Working Document accompanying the Proposal - Executive Summary of the Impact Assessment Report https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=SWD:2022:283:FIN
Publications Office of the EU: EU Law Tracker: Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 https://law-tracker.europa.eu/procedure/2022_272?lang=en
European Parliament: Legislative Observatory: Procedure File for Proposal on Cyber Resilience Act (2022/0272(COD)) https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2022/0272(COD)
European Parliament: Legislative Train Schedule: Horizontal cybersecurity requirements for products with digital elements https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
European Commission: Policies: EU Cyber Resilience Act https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
European Commission: Joint Research Centre: EU Science Hub: Cyber Resilience Act (CRA) https://joint-research-centre.ec.europa.eu/scientific-activities-z/cyber-resilience-act-cra_en
European Commission: Register of Commission Expert Groups & Other Similar Entities: Expert Group on Cybersecurity of Products with Digital Elements (E03967) https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3967
European Commission: Public Consultations: Cyber resilience act – new cybersecurity rules for digital products and ancillary services (2022) https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
European Commission: Press Release, 15/09/2022: State of the Union: New EU cybersecurity rules ensure more secure hardware and software products https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374
Renew Europe EP Group: Newsroom, 18/07/2023: Cyber Resilience Act will be new international point of reference on cybersecurity https://www.reneweuropegroup.eu/news/2023-07-18/cyber-resilience-act-will-be-new-international-point-of-reference-on-cybersecurity
Council of the European Union: Press Release, 19/07/2023: Cyber resilience act: member states agree common position on security requirements for digital products https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/
European Parliament: Press Release, 19/07/2023: Cyber Resilience Act: MEPs back plan to boost digital products security https://www.europarl.europa.eu/news/en/press-room/20230717IPR03029/
Council of the European Union: Press Release, 30/11/2023: Cyber resilience act: Council and Parliament strike a deal on security requirements for digital products https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/
European Parliament: Press Release, 01/12/2023: Cyber Resilience Act: agreement with Council to boost digital products’ security https://www.europarl.europa.eu/news/en/press-room/20231106IPR09007/
European Commission: Press Release, 01/12/2023: Commission welcomes political agreement on Cyber Resilience Act https://ec.europa.eu/commission/presscorner/detail/en/ip_23_6168
European Commission: State of the Union: EU Cyber Resilience Act - Questions & Answers (1 December 2023) https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_5375
European Parliament: Press Release, 12/03/2024: Cyber Resilience Act: MEPs adopt plans to boost security of digital products https://www.europarl.europa.eu/news/en/press-room/20240308IPR18991/
Council of the European Union: Press Release, 10/10/2024: Cyber resilience act: Council adopts new law on security requirements for digital products https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/

News
EurActiv: Topics: Cyber Resilience Act https://www.euractiv.com/topics/cyber-resilience-act/
Bloomberg, 07/09/2022: Web-Connected Devices May Have to Meet New EU Cybersecurity Rules https://www.bloomberg.com/news/articles/2022-09-07/internet-connected-devices-may-have-to-meet-new-eu-requirements
EurActiv, 15/09/2022: Commission presents Cyber Resilience Act targeting Internet of Things products https://www.euractiv.com/section/digital/news/commission-presents-cyber-resilience-act-targeting-internet-of-things-products/
Euronews, 15/09/2022: Brussels plans to introduce cybersecurity requirements for connected devices https://www.euronews.com/my-europe/2022/09/15/brussels-plans-to-introduce-cybersecurity-requirements-for-connected-devices
Reuters, 15/09/2022: EU proposes rules targeting cybersecurity risks of smart devices https://www.reuters.com/technology/eu-proposes-rules-targeting-smart-devices-with-cybersecurity-risks-2022-09-15/
The Independent (UK), 15/09/2022: EU wants to toughen cybersecurity rules for smart devices https://www.independent.co.uk/news/ap-brussels-thierry-breton-europe-european-commission-b2167907.html
Politico, 15/09/2022: EU pitches cyber law to fix patchy Internet of Things https://www.politico.eu/article/new-cyber-act-to-raise-safety-standards-across-the-bloc/
Forbes Magazine, 15/09/2022: EU Aims To Boost Security Of Connected Devices With New Cyber Resilience Act https://www.forbes.com/sites/emmawoollacott/2022/09/15/eu-aims-to-boost-security-of-connected-devices-with-new-cyber-resilience-act/?sh=44445f5da08a
EurActiv, 16/09/2022: EU chief announces cybersecurity law for connected devices https://www.euractiv.com/section/cybersecurity/news/eu-chief-announces-cybersecurity-law-for-connected-devices/
The Irish Times, 01/12/2022: Cyber-resilience Act signals big change in commercial software development https://www.irishtimes.com/business/innovation/2022/12/01/cyber-resilience-act-signals-big-change-in-commercial-software-development/
Organized Crime and Corruption Reporting Project (OCCRP), 21/07/2023: European Parliament Backs Draft Cyber Resilience Act for Secure Digital Products https://www.occrp.org/en/daily/17861-european-parliament-backs-draft-cyber-resilience-act-for-secure-digital-products

Commentary and Analysis
Orgalim: News, 15/09/2022: Cyber Resilience Act: A crucial step forward https://orgalim.eu/news/cyber-resilience-act-crucial-step-forward
Digital Europe: Press Release, 15/09/2022: Cyber Resilience Act: a big step forward for digital resilience but too much too soon https://www.digitaleurope.org/news/cyber-resilience-act-a-big-step-forward-for-digital-resilience-but-too-much-too-soon/
DR2 Consultants: Blog, 16/09/2022: European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience? https://dr2consultants.eu/european-cyber-resilience-act/
Allen & Overy: Blog, 20/09/2022: EU – New Cyber Resilience Act will provide cybersecurity requirements for hardware and software products https://www.allenovery.com/en-gb/global/blogs/data-hub/eu--new-cyber-resilience-act-will-provide-cybersecurity-requirements-for-hardware-and-software-products
EuroConsumers: Activities, 23/09/2022: EU Cyber Resilience Act: will the Hackable Home finally be secured? https://www.euroconsumers.org/activities/cyber-resilience-act-will-hackable-home-be-secured
Information Technology and Innovation Foundation (ITIF): Center for Data Innovation: Commentary, 26/09/2022: An Overview of the EU’s Cyber Resilience Act https://datainnovation.org/2022/09/an-overview-of-the-eus-cyber-resilience-act/
Huawei: Blog, 29/09/2022: New Cyber Resilience Act Enhances Cybersecurity Requirements for Digital Products Sold in the EU https://blog.huawei.com/2022/09/29/cyber-resilience-act-enhances-cybersecurity-digital-products-eu/
Ernst & Young, 06/10/2022: Security by Design at Center Stage as EU Cyber Resilience Act Emerges https://www.ey.com/en_fi/consulting/product-security-by-design-center-stage-eu-cyber-resilience-act-emerges
Norton Rose Fulbright: Data Protection Report, 17/10/2022: The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain https://www.dataprotectionreport.com/2022/10/the-proposed-eu-cyber-resilience-act-what-it-is-and-how-it-may-impact-the-supply-chain/
Internet Society: Blog, 24/10/2022: The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/
Clifford Chance: Briefings, 07/11/2022: EU Cyber Resilience Act - Proposed Cyber-Security Rules for Connected Products https://www.cliffordchance.com/briefings/2022/11/eu-cyber-resilience-act---proposed-cyber-security-rules-for-conn.html
EU Law Analysis, 18/11/2022: The Cyber Resilience Act in the context of the Internet of Things http://eulawanalysis.blogspot.com/2022/11/the-cyber-resilience-act-in-context-of.html
European Parliamentary Research Service (EPRS): Briefing, 14/12/2022: Strengthening cyber resilience - Initial Appraisal of a European Commission Impact Assessment https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)734708
European Consumer Organisation (BEUC), 23/01/2023: The Cyber Resilience Act proposal - BEUC position paper https://www.beuc.eu/position-papers/cyber-resilience-act-proposal
Centre for European Policy (CEP): Policy Brief No 1/2023, 24/01/2023: Cyber Resilience Act https://www.cep.eu/en/eu-topics/details/cep/cyber-resilience-act-ceppolicybrief-com2022-454.html
Microsoft: Blog, 16/02/2023: Cyber Resilience Act: A step towards safe and secure digital products in Europe https://blogs.microsoft.com/eupolicy/2023/02/16/cyber-resilience-act-cybersecurity-skills/
European Banking Federation (EBF), 06/03/2023: EBF key considerations following the publication of the Cyber Resilience Act (CRA) proposal https://www.ebf.eu/ebf-media-centre/updates/ebf-key-considerations-following-the-publication-of-the-cyber-resilience-act-cra-proposal/
GitHub: Blog, 17/03/2023: Partnering with EU policymakers to ensure the Cyber Resilience Act works for developers https://github.blog/2023-03-17-partnering-with-eu-policymakers-to-ensure-the-cyber-resilience-act-works-for-developers/
Electronic Frontier Foundation (EFF), 30/05/2023: EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity https://www.eff.org/deeplinks/2023/05/eus-proposed-cyber-resilience-act-raises-concerns-open-source-and-cybersecurity
Digital Europe: News, 19/07/2023: Reaction to the European Parliament’s and the Council’s positions on the Cyber Resilience Act https://www.digitaleurope.org/news/reaction-to-the-european-parliaments-and-the-councils-positions-on-the-cyber-resilience-act/
Digital Europe: Position Paper, 25/09/2023: Building a strong foundation for the Cyber Resilience Act: key considerations for trilogues https://www.digitaleurope.org/resources/building-a-strong-foundation-for-the-cyber-resilience-act-key-considerations-for-trilogues/
European Parliamentary Research Service (EPRS): 18/11/2023: EU cyber-resilience act https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2022)739259
A&O Shearman: Opinion, 04/01/2024: The EU Cyber Resilience Act proposal – what you need to know https://www.aoshearman.com/en/insights/ao-shearman-on-tech/the-eu-cyber-resilience-act-proposal-what-you-need-to-know
Clifford Chance: Briefings, 26/03/2024: The EU Cyber Resilience Act – Towards a safe and secure digital market in Europe https://www.cliffordchance.com/briefings/2024/03/the-eu-cyber-resilience-act---towards-a-safe-and-secure-digital-.html
Fieldfisher: Insights, 10/06/2024: Update on the EU Cyber Resilience Act for UK companies https://www.fieldfisher.com/en/insights/update-on-the-eu-cyber-resilience-act-for-uk-companies
Digital Europe: Policy Papers, 04/09/2024: Developing guidelines for the Cyber Resilience Act https://www.digitaleurope.org/resources/developing-guidelines-for-the-cyber-resilience-act/
PwC Switzerland: Insights, 10/10/2024: Understanding the EU Cyber Resilience Act. A comprehensive guide https://www.pwc.ch/en/insights/regulation/understanding-the-eu-cyber-resilience-act.html

Wikipedia: Cyber Resilience Act https://en.wikipedia.org/wiki/Cyber_Resilience_Act
