The European Union is following its roadmap to strengthen its cybersecurity framework. After the Cybersecurity Act (Regulation (EU) 2019/881), which created a certification framework and established the European Union Agency for Cybersecurity (ENISA), and NIS 2 (Directive (EU) 2022/2555), which aims at enhancing the cybersecurity of essential and important services, the European Union turned to the protection of connected software and devices, in other words, the cybersecurity of the IoT. In October 2024, the European Council officially adopted the Cyber Resilience Act (CRA), which is about to be published in the EU Official Journal. The Czech Republic is now intensively preparing for the adoption of the Cybersecurity Act, which transposes the NIS 2 Directive, but awareness of the CRA is low, even though critical software is being developed in the Czech Republic.
Scope of Application
The CRA sets out cybersecurity requirements for products with digital elements that are made available on the market. A product with digital elements is software or hardware that is directly or indirectly connected to another device or network. Products that will fall under the new regulation include laptops, smartphones, hard drives, operating systems, password managers, smart home solutions, and many more (referred to here as IoT products). On the other hand, the CRA will not apply to medical devices, in vitro diagnostic medical devices, and motor vehicles, which are covered by the General Safety Regulation. The application of the CRA to products subject to sectoral legislation may be limited or excluded if such legislation requires an equivalent or higher level of protection. With regard to free and open-source software, the CRA will only apply if it is distributed and used for commercial activities. Non-commercial open-source software will be excluded from the new regulation.
Categories of IoT Products
The CRA recognizes three categories of products: important IoT products of class I, important IoT products of class II (both listed in Annex III), and other products.
Important IoT products of class I provide functions critical to the cybersecurity of other products or provide functions that significantly affect a large number of other products. Examples of these products are standalone and embedded browsers, password managers, mobile device management software, physical network interfaces, smart home products, and personal wearables.
Important IoT products of class II provide both a critical cybersecurity function and significantly affect a larger number of products. Examples of these products include operating systems for servers, desktops, and mobile devices, hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments, public key infrastructure and digital certificate issuers, firewalls, and intrusion detection and/or prevention systems intended for industrial use.
Obligations for IoT Product Providers
Providers of IoT products – designers, developers, and producers – must meet the essential cybersecurity requirements laid down in Annex I of the CRA. Providers must ensure an appropriate level of cybersecurity based on the risks, place products on the market without known exploitable vulnerabilities, configure the product to be secure by default, provide security updates, ensure the protection of confidentiality and integrity, etc. Providers must also give users security-related information and the possibility to securely and easily remove all data and settings.
Providers of IoT products must conduct a thorough risk assessment and manage the cybersecurity risks associated with their products. They have to provide the necessary information and instructions, such as the intended purpose of the product, foreseeable misuse that could lead to cybersecurity risks, the period of security support, etc. Providers must establish processes to identify and address vulnerabilities in their products. They must also report significant cybersecurity vulnerabilities and incidents to the authorities.
Compliance with the CRA
Providers of products outside the two important classes may conduct self-assessments. Class I products may be self-assessed, or their providers may choose third-party assessment. For the providers of class II products, third-party assessment is obligatory.
Penalties are dealt with in a similar way to other European regulations – that is, fines of a fixed amount or a percentage of worldwide turnover.
Providers will have to comply with the regulation within three years after it comes into force. The Czech Office for Cyber and Information Security should step up and actively communicate the new regulation in the same way as it is being done with NIS 2.
By Michal Matejka, Partner, and Eva Fialova, Attorney, PRK Partners
This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine.