The Swedish presidency of the EU Council has recently released a new compromise text on the Cyber Resilience Act.

Following a discussion on the 15th of February,  in a meeting of the horizontal working policy on cyber issues, a partial compromise has come about in relation to the Cyber Resilience Act (“CRA”). According to a report from Euractiv, with a new compromise text touches on the relation of the CRA to other EU laws, the notifying authorities, enforcement and penalties. Overall, this legislative proposal addresses the baseline requirements for connected devices. 

With the new legislative framework, certain critical products are required by the CRA to prove their conformity via external audits.

The text clarifies that the obligations for economic operators, market surveillance provisions, enforcement, and international cooperation under the general product safety regulation apply to connected devices which are not covered by the new cybersecurity law on any other EU harmonization legislation. Compliance can be demonstrated with the conformity declaration issued under the draft cyber security law. With the new legislative framework, certain critical products are required by the CRA to prove their conformity via external audits. Conformity with the cyber security requirements is necessary for AI systems considered to present a high risk of causing harm. There is also an addition to the legislation which mandates EU countries to implement an appeal procedure to be taken by product manufacturers to challenge the decisions of accredited authors.

The notifying authority is responsible for enforcement and penalties, but may delegate this role to a private company. 

 While the notifying authority may choose to delegate its role to a private company, the authority will remain responsible for the contractor’s  compliance with the regulation. In the event that’s an Internet of things product and the manufacturer’s internal process still presents significant security risk while in compliance with the regulation, a market surveillance authority can take appropriate measures. The authority may go as far as mandating the withdrawal of the product from the market, provided this measure is proportionate to the risk posed to  the rights and safety of individuals, public interest, and the integrity of critical entities. Under the CRA a manufacturer can be fined up to €15 million or 2.5% of its annual turnover, for lack of compliance with the essential requirements and reporting obligations. Fines of up to €10 million or 2% of the annual turnover could be applied for less serious offenses.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.