Suppliers of modern technologies and products in particular must always be up to date with regard to current case law and legislative developments in Europe and respond to developments. For blockchain/Web3 providers, it may be MiCAR, but for other IT providers, it could be the Cyber Resilience Act (CRA), a first draft of which was presented by the EU Commission in September. The law is intended to establish common cybersecurity standards for networked devices and services (“products with digital parts”) and thus help combat cybercrime. Its adoption is expected in 2023 (although it is of course questionable what a final version will look like in the end) and product developers should therefore deal with the contents early on. Currently, it is supposed to come into force already 2 years later. Not much time for normal product development cycles. If security breaches occur within the 24 months, there are active communication obligations even before then.

The regulations range from a commitment to certain standards to the possibility of being able to prohibit the sale of compromised products. Especially for manufacturers of desktop and mobile devices, virtualized operating systems, issuers of digital certificates, general-purpose microprocessors, card readers, robotic sensors, smart meters and IOT devices, the requirements are currently very high and compliance behind them is mandatory in order not to be subject to severe fines.

Incidentally, for financial providers (to the extent that web3/blockchain companies may be included), the Digital Operational Resilience Act (DORA) was passed by the EU Parliament on November 10, 2022, which also addresses cybersecurity for these companies/providers.