(Photo: © tapati/123RF.com)

Cyber Resilience Act: overview of its background and goals


The increasing digitalisation and networking of our society has not only produced immense advantages but also considerable challenges.

These above all include cyber-attacks, which are continuously increasing and causing immense economic damage. Against this background, the European Commission passed the Cyber Resilience Act (CRA).

By Manuel Poncza and Michael Kuska, LL.M., LL.M.

Background and goals of the CRA

The Cyber Resilience Act is part of the EU's cybersecurity strategy. Its aim is to secure the digital sovereignty of Europe and enhance the cyber-resilience of European companies. To this end, the CRA pursues several goals, in particular:

• Enhancing the cybersecurity of products with digital elements: The CRA is intended to ensure that all "products with digital elements" sold in Europe meet basic security requirements. This covers both hardware and software, provided they involve so-called "remote data processing solutions", i.e. can be connected to the Internet.

• Promoting responsibility and transparency: Manufacturers of products with digital elements are to identify and remediate security risks. Moreover, they are to provide transparent information about the security features and vulnerabilities of their products. This is intended to reinforce consumer trust and increase market incentives for secure products.

Cybersecurity as product security requirement

The CRA pursues these goals systematically by imposing far-reaching product safety law obligations on manufacturers, importers and distributors of products with digital elements. These include, for example, the obligation to ensure compliance with basic cybersecurity requirements throughout product development. These basic cybersecurity requirements are specified in a comprehensive catalogue in the CRA.

The other obligations include:
• conducting a conformity assessment,
• preparing and providing technical documentation,
• CE marking and
• the obligation to correct and report vulnerabilities as they become known.

Before placing products with digital elements on the market, importers and distributors must check whether the manufacturer has complied with these and other obligations.

Effects on the manufacture and distribution of lifts

Today, many modern lift systems contain networked hardware and software components. Consequently, these will in future be covered by the CRA. However, it must be borne in mind that the CRA provides for specific transition periods with exceptions and counter-exceptions. In view of this, each case must be examined closely to determine whether the CRA affects lifts already on the market or planned for the future.

The regulatory prescription of cybersecurity requirements in the lift and escalator sector is not fundamentally new. For example, numerous cybersecurity risk management requirements already arise from "TRBS 1115 Part 1: cybersecurity for safety-relevant instrumentation and control systems", published in March 2023 by the Federal Institute for Occupational Safety and Health (BAuA).

Framework for cybersecurity risk management


The central difference between TRBS 1115-1 and the CRA, however, is that TRBS 1115-1 constitutes a framework for cybersecurity risk management. By contrast, the CRA regulates the security of the products with digital elements themselves and is therefore directed not at operators but at the manufacturers, importers and distributors of such products.

Moreover, the CRA includes numerous requirements for product development and monitoring, for example vulnerability management, which TRBS 1115-1 does not prescribe in this form. The two instruments therefore differ significantly in the groups they address and oblige.

In addition, the CRA introduces a new sanctions regime. Under it, the responsible supervisory authorities are empowered to take action directly against the relevant economic operators. If the necessary preconditions are met, they can impose regulatory and enforcement measures directly against them. These can also include fines and mandatory recalls.

Conclusion

The CRA is an important step towards reinforcing cybersecurity in the European Union and applies in addition to TRBS 1115-1. This will lead to a clear enhancement in cybersecurity for lifts and their technical systems. Admittedly, the CRA will only apply from September 2026 or December 2027, but a review should already be conducted of the extent to which existing development, testing and procurement processes need to be adapted to make appropriate allowance for the CRA's requirements.

The authors are lawyers specialised in IT security law and salaried partners at the law firm Heuking. Both hold multiple IT security law certifications and awards.


TRBS 1115-1: a framework for cybersecurity risk management. This regulation continues to apply in addition to the CRA.
