Cyber Resilience Act: update of the proposed Regulation

Reading time: 3 minutes - Difficulty: advanced

July 19, 2023: the European Parliament’s Industry Committee amends the Cyber Resilience Act proposed. As anticipated in a previous article, let us see what remains firmly in the EU Regulation for networked digital products and what is changing.

Cyber Resilience Act goal

The Cyber Resilience Act starts from the assumption that protecting consumers and organizations from cybersecurity risks means protecting their data and their infrastructure.

In fact, the legislation covered by the Cyber Resilience Act has the prerogative of ensuring that products with digital components are cybersecured before they are placed on the EU market.

Hence the close link to the New Machinery Regulation (Regulation (EU) 2023/1230): CE marking under the Cyber Resilience Act will also be valid for the purposes of the essential safety requirements found in the now updated version of Directive 2006/42/EC, and effective from 2027.


Learn more about how to prepare for the Cyber Resilience Act


Request a consultation

Do you want to help our page grow? Follow us on Linkedin


Confirmations on the Cyber Resilience Act text

Compared with the first version of the Cyber Resilience Act, the following points remain unchanged:

  • manufacturers’ responsibility for product compliance, including obligations centered on the Cyber Security Risk Assessment, declaration of conformity, and cooperation with relevant authorities
  • vulnerability management by manufacturers, importers, and distributors of networked digital products; business operators will have 12 months from the entry into force of the Cyber Resilience Act to report any vulnerabilities, but with a difference to that presented in the original proposed RegulationRead on to learn more.
  • the willingness to impose a market surveillance framework to enforce these rules


And the changes since the previous version

The version previously proposed by the European Commission resulted in a division of cybersecurity products into 2 + 1 risk classes, with a different attention requirement, as follows:

  • Class II (critical products with certification body requirement), e.g., operating systems for servers, desktop computers and mobile devices, firewalls, intrusion detection and/or prevention systems for industrial use, IoT devices
  • Class I (critical products), e.g., identity management system software and privileged access management software, VPN, PLC, SCADA
  • Default category, subject to self-declaration (non-critical products)


We are now waiting to find out how the categorization of products will be reorganized to comply with the Cyber Resilience Act.

Medical devices, aviation devices and cars are excluded in any case.

As already mentioned, there will be a change in the reference for vulnerability reporting: no longer the ENISA Agency, but a single reporting platform, nonetheless established by ENISA itself.

While a simplified version of the Declaration of Conformity is being considered, consumer protection organizations, on the other hand, are calling for assessments of the level of cybersecurity of more complex products to be carried out by third-party entities, providing greater assurance that direct or indirect connections between network devices comply with what the Regulation stipulates.


While waiting for further developments, keep this information in mind: the area covered by the Cyber Resilience Act is decidedly urgent.


Any questions or comments?


Share us your feedback

Do you want to help our page grow? Follow us on Linkedin


Go back to the blog
Send this to a friend