noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Delaware State Police

Troopers Arrest Man for Georgetown Home Burglary
Town of Cicero, IL

Berwyn-Cicero Masonic Lodge honors Senior Director, County Commissioner[...]
Arizona Department of Transportation

April recap: Specialty Plate Spotlight

Crime and Judiciary

Covington & Burling LLP

03/13/2024 | News release | Distributed by Public on 03/13/2024 19:11

The Cyber Resilience Act is One Step Closer to Becoming Law

Yesterday, the European Parliament approved the Cyber Resilience Act ("CRA"), which sets out cybersecurity requirements for "products with digital elements" ("PDEs") placed on the EU market. The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is available here.

The text adopted by the European Parliament is identical to the compromise version between the Parliament and the Council in December 2023, which we described here. To recap, primary obligations in the CRA apply to manufacturers of PDEs, who must:

implement certain "essential" cybersecurity requirements on their PDEs;
carrying out conformity assessments on PDEs; and
notify competent authorities and others about identified vulnerabilities and serious cybersecurity incidents.

As with most recent European technology regulation, non-compliance could result in significant fines: up to the higher of €15 million or 2.5% of global turnover.

In the coming weeks, we will be posting a series of blogs analyzing the key obligations of the CRA in more detail, such as the obligations to implement "essential" cybersecurity requirements, report vulnerabilities, and undergo conformity assessments.

Next steps

The CRA will have to be formally adopted by the Council before it becomes law. That will likely be in April 2024. The final version of the CRA will then be published in the EU's Official Journal. The majority of the provisions in the CRA will apply in full three years after the date of publication (although vulnerability reporting obligations will apply 21 months after this date).

* * *

Covington's Privacy and Cybersecurity Practice regularly advises on cybersecurity laws in Europe and elsewhere. If you have any questions about how the raft of new European cyber regulations will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to discuss.

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format