Products with digital elements (i.e. software, including standalone software, and hardware and its remote data processing, including hardware and software components) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (COM(2022) 454 final); (16 page(s), in English), (87 page(s), in English)
Legislative proposal published by the European Commission on 15 September 2022, setting out a Cyber Resilience Act (CRA) aimed at setting horizontal cybersecurity requirements for products with digital elements.
The measures proposed are based on the New Legislative Framework for EU product legislation, and would apply to different economic operators operating on the EU internal market, including manufacturers, importers and distributors of products with digital elements. The rules would apply equally to EU and non-EU economic operators for the products with digital elements intended to be placed on the EU market. The draft rules lay down:
1. rules for the placing on the market of products with digital elements to ensure their cybersecurity;
2. essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
3. essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and cybersecurity incidents.
4. rules related to conformity assessment and applicable procedures to verify the essential requirements (based either on self-assessment or third-party assessment depending on the criticality of products) as well as a list of "critical products" which require a stricter conformity assessment procedure. The proposal distinguishes between critical products of class I and class II, reflecting the level of cybersecurity risk related to these products.
5. rules on market surveillance and enforcement.
Where compliance of the product with the applicable requirements has been demonstrated (through conformity assessment), manufacturers shall draw up an EU declaration of conformity and will be able to affix the CE marking. The CE marking will indicate the conformity of products with digital elements so that those products can move freely within the EU internal market.
In order to facilitate conformity with the essential requirements for manufacturers of products with digital elements, the adoption of the Cyber Resilience Act may lead to standardisation, i.e. the development of "harmonised standards" as per Article 3(34) and Article 18 of the proposal. Such standardisation work will be developed in accordance with the EU Regulation on Standardisation (Regulation (EU) 1025/2012) (see Recital 38 and Article 3(34) of the proposal) and will take into account existing European and international standards. Therefore, in the preparation process that could lead to the development of "harmonised standards" supporting the implementation of the CRA, the European Commission will support studies carrying out mapping and gap analysis of existing cybersecurity standards for products with digital elements.
Bilateral (inter-governmental) Mutual Recognition Agreements (MRAs) for conformity assessment and marking of regulated products can also be considered in the CRA context (see Recital 67 of the proposal).