Dear privacy pros, I hope you have a nice weekend ahead because if these first few weeks of 2024 are any indication, we are all going to be busy this year. Data Privacy Day is just around the corner and the IAPP Member Engagement team has been busy planning no less than 85 meet-ups around the world for privacy pros to celebrate, network and exchange in conversation.
This week also marked one of the final steps toward formal adoption of the Cyber Resilience Act. The European Parliament's Industry, Research and Energy Committee adopted the provisional agreement reached by co-legislators 30 Nov. 2023, marking the end of trilogue negotiations. The text still needs to be formally adopted by Parliament and the European Council, which may take several weeks, before publication to the Official Journal of the European Union.
The European Commission proposed this regulation on cybersecurity requirements for "products with digital elements" — hardware and software — with two main objectives: to encourage a life-cycle approach to connected devices and to ensure they are placed on the market with fewer vulnerabilities, as well as to enable users to take cybersecurity into account when selecting and using connected devices.
The CRA defines the chain of responsibility in the cybersecurity ecosystem. Among others, it introduces:
- Obligations to include a cybersecurity risk assessment in the technical documentation of a new connected device placed on the market.
- Obligations to report incidents impacting the security of connected devices as well as "actively exploited vulnerabilities" — both within 24 hours of becoming aware of the incident.
Once the text is formally adopted and published to the OJEU, manufacturers, importers and distributors of hardware and software products will have 36 months to comply. Reporting obligations concerning actively exploited vulnerabilities and incidents will apply earlier, 21 months from the CRA's entry into force.
The CRA was discreetly, though heavily, debated among lawmakers and the community. Its successful implementation will depend on several questions, including whether the final text clearly states criteria for categorizing connected devices and the associated responsibilities, whether European cybersecurity certification schemes will be available and appropriate as a tool to demonstrate conformity with the essential requirements, and how it will interact with other pieces of legislation with cybersecurity relevance — such as the NIS2 Directive, the Radio Equipment Directive and the upcoming AI Act, where applicable.
The IAPP published more interesting resources this week:
- The IAPP Global Legislative Predictions 2024 gathers insights from privacy professionals in 56 countries — including many in the EU/EEA — around the globe for an on-the-ground look at what lies ahead for 2024.
- The EU Data Act: 101 infographic provides an overview of the legislation that entered into force 11 Jan., with a transition period running until 12 Sept. 2025.