
The EU Cyber Resilience Act (“CRA”) imposes cybersecurity requirements on manufacturers, importers and distributors of products with digital elements, meaning software or hardware products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Most of the CRA’s provisions become applicable on 11 December 2027, but the obligations to report actively exploited vulnerabilities and severe incidents become applicable on 11 September 2026.
The European Commission has recently published draft guidance on the CRA (“the Guidance”). The Guidance is intended to clarify a number of issues relating to the CRA’s scope and obligations. Based on the questions on which we have advised clients to date, the key areas of interest are:
The concept of “placing on the market”
The CRA applies to products with digital elements that are made available on the EU market. To understand when a product is considered “placed on the market,” the Guidance refers to both the CRA definition of “making available on the market” and the European Commission’s Blue Guide on the implementation of EU product rules, which explains these concepts in detail.
The Guidance further clarifies how these concepts apply to software, including standalone products such as apps and computer programs. While the concepts of “making available” and “placing on the market” are well established for more traditional products, including hardware, further guidance is needed for intangible products supplied digitally.
According to the Guidance, as long as the relevant version of the software is not modified in a way that affects compliance with the CRA, the placing on the market occurs at the moment of the first offering for distribution or use, for example by download or remote access. Accordingly, a standalone software product is placed on the market when its manufacturing phase is complete and that software is first supplied for distribution or use on the EU market in the course of a commercial activity. Multiple downloads or installations of the same version at different times are treated as having been placed on the market at the same initial moment.
Substantial modifications and software updates
The CRA concept of “substantial modification” is key, because a substantially modified product is treated as a new product placed on the market. This triggers the obligations of manufacturers, importers and distributors afresh, and any other person who carries out a substantial modification and then makes the modified product available on the market is treated as its manufacturer for the purposes of the CRA.
A change is considered a substantial modification if it:
- affects the product’s compliance with the CRA’s cybersecurity requirements;
- alters the level of cybersecurity risk; or
- results in a change to the intended purpose for which the product was originally assessed.
For software updates, the Guidance recognises the iterative nature of software development, and provides additional clarification on when a software version should be treated as substantially modified. Manufacturers should assess, on a case-by-case basis, whether a software update introduces new or increased cybersecurity risks, and whether these risks were addressed in its original risk assessment.
When performing this assessment, manufacturers may consider whether the update:
- introduces new threat vectors;
- enables new attack scenarios; or
- changes the likelihood or impact of previously-identified attack scenarios.
In practice, examples of substantial modifications may include:
- a software update that adds remote connectivity features to a device, introducing new potential attack vectors;
- changing the intended purpose of a monitoring application to include the collection of personal data, creating new privacy and security obligations; or
- replacing or altering encryption protocols in a way that affects compliance with cybersecurity requirements.
Complex systems
The Guidance clarifies how the CRA applies to complex hardware/software systems. It notes that, where a system composed of multiple hardware and software elements is placed on the market as a single product, it constitutes a product for the purposes of the CRA.
Due to the length and complexity of such systems’ design and development cycles, it may be difficult or disproportionate to modify them to achieve CRA compliance without affecting their intended purpose, safety, reliability or interoperability.
While this does not exempt complex systems from the CRA, it illustrates the application of the CRA’s risk-based approach, which takes into account the product’s characteristics and constraints. In practice, this means that manufacturers of in-scope products are expected to:
- conduct cybersecurity risk assessments to identify the constraints and applicable risks, and implement appropriate mitigation measures; and
- produce technical documentation and provide information and instructions to users to describe these constraints, risks and risk mitigation measures.
Support periods
The CRA requires manufacturers of in-scope products to determine the support period during which they will handle the product’s vulnerabilities, including identifying, documenting and remediating them. The support period must be at least five years, unless the product is expected to be in use for less than five years. The Guidance clarifies that the five-year period is not intended as a universal default; rather, support periods must be aligned with the product’s expected lifecycle.
In the case of software products, this obligation applies to each version placed on the market. The Guidance clarifies that this means that the manufacturer must declare a new support period for each substantially modified version.
Where users of earlier versions have access to the latest version free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the product, the obligations to address and remediate vulnerabilities apply only to the version last placed on the market. The Guidance confirms that manufacturers can rely on this even if it results in a shorter effective support period for those earlier versions, and it also explains how the concept of “additional costs” should be interpreted.
The consultation on the draft Guidance closed on 31 March 2026. The European Commission will now review stakeholder feedback and is expected to publish the final version of the Guidance in due course.
In the meantime, organisations should begin (or continue) assessing the potential impact of the CRA on their products and operations. In particular, businesses may wish to:
- determine whether their products fall within the scope of the CRA, including software-only products;
- review existing cybersecurity risk assessment processes and identify any gaps against CRA requirements;
- prepare for vulnerability handling and incident reporting obligations, which will apply from 11 September 2026; and
- assess their approach to software updates and support periods, including alignment with CRA expectations.