The Cyber Resilience Act: the EU Commission’s proposal for a horizontal regulation on cybersecurity for products with digital elements

Abstract

The EU Commission presented on 15 September 2022 the proposal for a “Regulation on horizontal cybersecurity requirements for products with digital elements amending Regulation (EU) 2019/1020” (Cyber Resilience Act, CRA). This article sheds light on the “horizontal” character of the CRA proposal by highlighting its main pillars. In particular, the contribution takes into account the new set of obligations placed on economic operators, the conformity assessment procedures as well as the market surveillance framework and the interplay with other legislative initiatives, both in the policy area and outside EU cybersecurity law. Against the backdrop of the sectoral regulatory approach adopted thus far by the Commission vis-à-vis cybersecurity requirements for products, horizontal intervention is needed not only to ensure higher standard of cybersecurity of products with digital elements, but also to ensure legal certainty, avoiding duplicative obligations and further market fragmentation.