The Cyber Resilience Act (“CRA”) regulates the cybersecurity of products with digital elements by imposing cybersecurity requirements on the design, development, and production of these products. It also imposes cybersecurity obligations on market operators in relation to these products. Products with digital elements include smart doorbells and refrigerators, routers, security cameras, fitness trackers, connected printers, connected vehicles, and other devices with a Wi-Fi or network connection. We previously wrote two blogs about cybersecurity requirements in general and specifically in relation to manufacturers. In this blog, we analyse the obligations for importers and distributors of products with digital elements.
Recap
Under the CRA, products with digital elements (software or hardware products and solutions for remote data processing) may only be placed on the market if they comply with the ‘essential security requirements’ set out in Annex I to the CRA. These include requirements relating to (i) the availability of (automatic) security updates, (ii) prevention of unauthorised access, (iii) confidentiality of (personal) data, (iv) availability of basic functions and essential functions, and (v) incident management. Products with digital elements must be designed, developed, and manufactured in such a way as to ensure an appropriate level of cybersecurity. The strictest obligations in this regard apply to manufacturers of digital products, which were discussed in detail in our previous blog.
In short, the CRA requires manufacturers to comply with security requirements before the launch of a product with digital elements (ex ante) and to continue to take appropriate security measures throughout the product's lifetime (ex post). Products with digital elements must be designed and developed in such a way that cybersecurity is built in from the outset (security by design). Default settings must offer maximum security (security by default) and automatic security updates must always be enabled. Compliance with the CRA requirements must be demonstrated by means of a CE marking.
The CRA also assigns responsibilities to importers and distributors of digital products. An importer is a natural or legal person established in the European Union (“EU”) who places a product with digital elements on the market under the name or brand of a natural or legal person established outside the EU. A distributor is a natural or legal person in the supply chain, other than the manufacturer or importer, who makes a product with digital elements available on the EU market without altering its characteristics.
Obligations for importers of digital products
The obligations for importers of products with digital elements are set out in Article 19 CRA.
An importer may only place such products on the market if they comply with the cybersecurity requirements set out in Part I of Annex I and if the processes established by the manufacturer comply with the requirements set out in Part II of Annex I of the CRA. The second part of this annex addresses the requirements for manufacturers’ handling of vulnerabilities. Importers must verify that the manufacturer has followed the appropriate conformity assessment procedures, prepared the technical documentation, affixed the CE marking to the product, and included the required declarations and user information in a comprehensible language. Each product must also be accompanied by instructions and the information specified in Annex II of the CRA. In short, most of the importer’s obligations concern verifying whether the manufacturer of a digital product has fulfilled its own obligations.
The CRA also requires importers to actively cooperate with authorities. If an importer identifies a potential (technical) security risk related to a particular digital product, they may not place the product on the market until it has been brought into conformity with the CRA and the competent authorities have been informed of the issue and the measures taken. The importer must, in any case, attempt to take corrective action themselves. Such measures may include recalling a product or withdrawing it from the market.
Importers must also keep a copy of the EU declaration of conformity for at least ten years (or longer if required by the product’s support period) after the product has been placed on the market and ensure that the technical documentation is available to market surveillance authorities upon request. If requested by the competent authority, the importer must provide additional documentation, in a comprehensible language, demonstrating the product’s conformity with the cybersecurity requirements. If the manufacturer ceases its activities and can no longer fulfil its obligations, importers must notify the authorities and, where possible, inform the end users of the affected product.
Obligations of distributors of digital products
The obligations for distributors of digital products are laid down in Article 20 CRA.
Distributors also have a responsibility to monitor compliance with the cybersecurity requirements for products with digital elements. For instance, distributors must verify that importers and manufacturers have fulfilled their respective obligations under the CRA. Compliance with the CRA is therefore subject to checks by all parties in the supply chain. Like importers, distributors must ensure that the products they make available on the market bear a CE marking. Additionally, distributors must verify that the manufacturer and importer have provided them with the required documentation.
If a distributor suspects that a product or the manufacturer’s processes do not meet the cybersecurity requirements, the product may not be sold until this has been resolved. In the event of a major security risk, the manufacturer and the supervisory authority must be informed immediately. If a distributor discovers that a product that has already been sold does not comply with the rules, they must ensure that the product is repaired, recalled, or withdrawn from the market. If a vulnerability is discovered, the manufacturer must be informed immediately; if it involves a serious cyber risk, the authorities must also be notified immediately. As with importers, distributors must first attempt to resolve any vulnerabilities or defects themselves.
At the request of the supervisory authority, distributors must provide all necessary information or documents, in writing or digitally, in understandable language. The distributor must also cooperate with measures aimed at eliminating the cybersecurity risks of a product. If a distributor knows that the manufacturer is no longer able to fulfil its obligations, it must immediately report this to the supervisory authorities and, where possible, the end users of the product must also be informed.
Extension of the manufacturer’s obligations
There are situations in which the obligations of manufacturers can also apply to importers and distributors. This occurs when an importer or distributor places, or makes available, a product with digital elements on the market under their own name or brand, or when they make a significant modification to a product that has already been placed, or made available, on the market. In such cases, they are considered to be the manufacturer and must comply with the requirements set out in Articles 13 and 14 CRA.
Conclusion
The CRA not only imposes strict cybersecurity obligations on manufacturers of digital products but also requires importers and distributors to exercise active oversight and due diligence within the supply chain. Importers and distributors may only place on the market or trade products with digital elements that demonstrably comply with the CRA’s cybersecurity requirements.
Both importers and distributors must verify that the manufacturer has fulfilled their obligations, take action in case of potential (cyber)security risks, and cooperate closely with the competent authorities in identifying and addressing vulnerabilities. In certain cases – such as selling under their own brand or making significant modifications to a product – they may even be considered the manufacturer, with the associated responsibilities.
In this way, the CRA emphasises the importance of cybersecurity throughout the entire lifecycle of a digital product and makes it clear that every link in the chain, from manufacturer to distributor, has a role to play in protecting end users from digital threats.
If your organisation is involved in placing, or making available, products with digital elements on the market and you want to understand what the CRA means for you, please contact us: we are happy to provide guidance.