The EU's Cyber Resilience Act Has Now Been Agreed (Inside Privacy)
Updates on developments in data privacy and cybersecurity

Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act ("CRA"). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal (here), the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We'll provide a more detailed summary of the agreed text once it is finalized and published, but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.

The CRA will impose a range of obligations on manufacturers and importers of "products with digital elements" ("PDEs"), a category which is defined broadly to include both hardware and software products. The final text has not yet been published, but based on the draft text circulated before the agreement and related reporting, the obligations are set to include:

Although the CRA applies broadly to PDEs, it is focused particularly on certain "Important" or "Critical" PDEs. The final list of PDEs in these categories has not yet been published, but it is likely to include items covering both software (such as antivirus software and VPNs) and connected devices (such as smart home devices, connected toys and wearables). As with most recent European technology regulation, the CRA will come with the threat of high penalties for non-compliance: up to EUR 15 million or 2.5% of global annual turnover.

Certain details of the CRA were hotly debated between the EU institutions, particularly the vulnerability reporting obligations, as well as the categories of PDEs considered "Important" or "Critical". The vulnerability reporting obligations have been of particular interest to industry, with security experts roundly criticizing the proposed vulnerability disclosure framework as being out of step with international standards and likely to lead to increased, rather than decreased, cybersecurity risks. The core of that criticism is that requiring manufacturers to notify authorities of actively exploited vulnerabilities within a short, fixed window, before a fix is available, widens the circle of parties holding details of unpatched flaws. Nonetheless, we understand that these provisions have been retained, and indeed extended, in the agreed text, with multiple phased vulnerability disclosures likely being required.

What happens next

The agreement between the EU institutions paves the way for the CRA to make its way onto the EU's statute books following formal approval, which should occur in early 2024. After this, obligations under the law will come into force over a phased transition period, with the vulnerability reporting obligations kicking in after 21 months (that is, in late 2025) and the remaining obligations after 3 years (that is, in early 2027).

The CRA is just one of many cybersecurity regulations currently being prepared in Brussels: a consultation on Cybersecurity Act standards for ICT services has just wrapped up; discussions on the draft Cybersecurity Certification Scheme for Cloud Services are ongoing (see our blog here); the consultation for Tranche 2 of the Digital Operational Resilience Act ("DORA") technical standards is expected in the coming months; and Member States are continuing to work to implement NIS 2 by the October 2024 deadline. All of this sets up 2024 to be yet another busy year for cybersecurity regulation in Europe.

Covington's Privacy and Cybersecurity Practice regularly advises on cybersecurity laws in Europe and elsewhere. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.

About the authors

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats and state-sponsored attacks. Mark has been recognized in Chambers UK for several years as "a trusted adviser", "practical, results-oriented" and "an expert in the field", "fast, thorough and responsive", "extremely pragmatic in advice on risk" and having "great insight into the regulators".

Aleksander advises clients on legal problems associated with data protection, cybersecurity and new technologies. He holds degrees in both law and computer engineering, which he combines to provide advice that is both legally sound and technologically pragmatic. Aleksander has advised companies, governments and charitable organizations on a range of technology law issues, including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific, particularly on Australian and Hong Kong law.