Cyber Resilience Regulation

Cyber Resilience Act: how does it affect your business?

On December 10, 2024, a new law came into force: REGULATION (EU) 2024/2847 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) No 168/2013 and Regulation (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

In the age in which we live, where everyone is digitally connected, it must be taken into account that any product with digital elements that is integrated into an electronic information system can serve as an attack vector for malicious actors. Consequently, even the least critical hardware and software can facilitate the initial compromise of a device or network, allowing malicious actors to gain privileged access to a system or to move laterally between systems.

The Cyber Resilience Act aims to set the boundary conditions for the development of secure products with digital elements, ensuring that products consisting of hardware and software are placed on the market with fewer vulnerabilities. It also aims to create conditions that enable users to take cybersecurity into account when choosing and using products with digital elements.

The Cyber Resilience Act sets out a number of essential cybersecurity requirements for the design, development and production of products with digital elements and for the vulnerability handling process, as well as rules for placing products with digital elements on the market and rules on market surveillance.

Below, we will look at the most important obligations that this regulation imposes on manufacturers, importers and distributors of products with digital elements.

What obligations does the Cyber Resilience Act impose?

Obligations for Manufacturers

When placing a product with digital elements on the market, manufacturers shall ensure that the product has been designed, developed and produced in compliance with the essential cybersecurity requirements set out in the Regulation.

Manufacturers shall carry out a cybersecurity risk assessment of the product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product, with the aim of minimising cybersecurity risks, preventing incidents and minimising their impact, including impacts on the health and safety of users. This risk assessment must be included in the technical documentation for the product.

Manufacturers shall ensure that each security update made available to users during the support period remains available after its release for a minimum of ten years, or for the remainder of the support period, whichever is longer.

Manufacturers shall ensure that products with digital elements are accompanied by user information and instructions, in paper or electronic form. Such instructions and information shall be provided in a language easily understood by users and market surveillance authorities, and shall be clear, comprehensible, intelligible and legible.

Obligations for Importers

Importers shall only place on the market products with digital elements that meet the essential cybersecurity requirements, and only where the processes established by the manufacturer also meet the essential cybersecurity requirements.

Importers shall indicate their name, registered trade name or trademark, postal address, e-mail address or other digital contact details and, where applicable, the website where they can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product. The contact details shall be provided in a language easily understood by users and market surveillance authorities.

Before placing a product with digital elements on the market, importers shall ensure that:

  1. the manufacturer has carried out the appropriate conformity assessment procedures;
  2. the manufacturer has drawn up the technical documentation;
  3. the product with digital elements bears the CE marking and is accompanied by the EU declaration of conformity;
  4. the manufacturer has complied with the following obligations:
    1. the product bears a type, batch or serial number or any other element that allows it to be identified, or that information appears on its packaging or in a document accompanying the product with digital elements;
    2. the name, registered trade name or trademark of the manufacturer, as well as their postal address, e-mail address or other digital contact details and, where applicable, the website where they can be contacted, are indicated on the product, on its packaging or in a document accompanying the product with digital elements;
    3. the end date of the support period, including at least the month and year, is specified in a clear, comprehensible and easily accessible manner at the time of purchase.

Obligations for Distributors

Before making a product with digital elements available on the market, distributors must verify that:

a) The product bears the CE marking;

b) The manufacturer and the importer have complied with the obligations described above and set out in the Regulation.

Creation of a single reporting platform

For the purpose of reporting vulnerabilities in products with digital elements, as well as severe incidents having an impact on the security of such products, and in order to simplify the reporting obligations of manufacturers, ENISA will set up a single reporting platform.

Requirements that products with digital elements must meet

As mentioned above, the Regulation also sets out the requirements that products with digital elements must meet in order to be placed on the market. These are:

  1. They shall be made available on the market without known exploitable vulnerabilities;
  2. They shall be made available on the market with a secure default configuration;
  3. They shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, automatic security updates installed within an appropriate timeframe and enabled as a default setting;
  4. They shall ensure protection from unauthorised access through appropriate control mechanisms;
  5. They shall protect the confidentiality of stored personal or other data;
  6. They shall protect the integrity of stored personal or other data;
  7. They shall process only personal or other data that are adequate, relevant and limited to what is necessary for the intended purpose of the product with digital elements;
  8. They shall protect the availability of essential and basic functions;
  9. They shall minimise the negative impact of the products themselves or of connected devices on the availability of services provided by other devices or networks;
  10. They shall be designed, developed and produced to limit attack surfaces;
  11. They shall be designed, developed and produced to reduce the impact of an incident, using appropriate mechanisms and techniques to mitigate the exploitation of vulnerabilities;
  12. They shall provide security-related information by recording and monitoring relevant internal activity;
  13. They shall offer users the ability to securely and easily delete all data and settings permanently and, where such data can be transferred to other products or systems, ensure that this is done securely.

Technical documentation

The Cyber Resilience Act also specifies what the technical documentation must contain, which is as follows:

The technical documentation shall contain all relevant data or details relating to the means used by the manufacturer to ensure that the product with digital elements and the processes established by the manufacturer comply with the essential cybersecurity requirements.

The technical documentation shall contain at least the following information:

  1. A general description of the product with digital elements.
  2. A description of the design, development and production of the product with digital elements and of the vulnerability handling processes.
  3. An assessment of the cybersecurity risks against which the product with digital elements has been designed, developed, produced, delivered and maintained.
  4. The relevant information taken into account to determine the support period.
  5. A list of the harmonised standards applied, in full or in part.
  6. Reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the essential cybersecurity requirements.
  7. A copy of the EU declaration of conformity.
  8. Where applicable, the software bill of materials (SBOM).

For more information, see this post from the European Commission.

Author: Mariona Heredia, Lawyer.

If you need more information, contact us!
