Ever heard of it? Cyber Resilence Act!

Suppliers of modern technologies and products in particular must always be up to date with regard to current case law and legislative developments in Europe and respond to developments. For blockchain/Web3 providers, it may be MiCAR, but for other IT providers, it could be the Cyber Resilience Act (CRA), a first draft of which was presented by the EU Commission in September. The law is intended to establish common cybersecurity standards for networked devices and services (“products with digital parts”) and thus help combat cybercrime. Its adoption is expected in 2023 (although it is of course questionable what a final version will look like in the end) and product developers should therefore deal with the contents early on. Currently, it is supposed to come into force already 2 years later. Not much time for normal product development cycles. If security breaches occur within the 24 months, there are active communication obligations even before then.

Key Facts

Providers of modern technologies must constantly inform themselves about current legislation in Europe and adapt to it.
The Cyber Resilience Act (CRA) will establish common cybersecurity standards for networked devices and services.
Planned adoption of the CRA is scheduled for 2023, with possible security gaps within 24 months.
Manufacturers of devices have to consider high requirements in terms of compliance and fines.
Regulations include commitments to standards and the possibility of prohibiting the sale of compromised products.
The Digital Operational Resilience Act (DORA) concerns the cybersecurity of financial providers and web3/blockchain providers.
Product developers should familiarize themselves with the content of the CRA at an early stage in order to react in good time.

The regulations range from a commitment to certain standards to the possibility of being able to prohibit the sale of compromised products. Especially for manufacturers of desktop and mobile devices, virtualized operating systems, issuers of digital certificates, general-purpose microprocessors, card readers, robotic sensors, smart meters and IOT devices, the requirements are currently very high and compliance behind them is mandatory in order not to be subject to severe fines.

Incidentally, for financial providers (to the extent that web3/blockchain companies may be included), the Digital Operational Resilience Act (DORA) was passed by the EU Parliament on November 10, 2022, which also addresses cybersecurity for these companies/providers.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.