Cyber Resilience Act adopted in plenary with publication postponed to Autumn 2024
The European Parliament (EP) adopted a “provisional” version of the final text of the Cyber Resilience Act (CRA) at the plenary sitting held yesterday, on 12 March. However, the CRA text (adopted with 517 votes in favour, 12 against and 78 abstentions) does not correspond to the very final version of the legal act since the standard legal-linguistic revisions needed ahead of the first-reading adoption by the Parliament and Council are still undergoing.
While the political agreement reached in trilogue has been approved in January by a large majority of the members of the leading Committee on Industry, Research, and Energy (ITRE), the final version of the CRA regulation will not be ready by the end of the current parliamentary term.
This is mainly due to the priority files selected in the Council of the EU, which has opted to prioritize other legislative matters, delaying the finalisation of the CRA until after the March plenary session. The provisional version of the CRA final text is therefore still subject to further refinement with a view to aligning the different linguistic versions and any other technical (not substantial!) adaptations that may be needed.
Under the next parliamentary term, a corrigendum procedure will be launched to rectify any errors potentially identified in the CRA provisional text voted at the March plenary sitting. The corrigendum will then be examined by the ITRE Committee and announced in plenary at the earliest opportunity. According to this process, the Parliament is entitled to endorse one version of the text, which is the English one in this case, and approve all the other translations once available, without another plenary vote. Based on this, an additional vote isn't expected unless a request is made by a political group or a group of MEPs reaching at least the low threshold. Only once the corrigendum is approved in Parliament, the Council of the EU will vote on the Cyber Resilience Act and the legal text will be considered officially adopted by co-legislators at first reading.
In light of the procedural delays registered, the official signature of the Cyber Resilience Act and its publication in the EU Official Journal (OJEU) is expected in September/October 2024 (precise timeframe still to be confirmed). As a result, this will have an impact on the entry into force and consequent application date of the new regulation on cybersecurity requirements for products with digital elements. Initially expected by mid-2024 at the latest, the CRA will instead enter into force not before this Autumn 2024 with consequent applicability in September/October 2027.
CECE will continue to closely follow the next steps of this relevant file for the industry. The Project Team on data policy (PT Data), responsible for the file in CECE, delivered a preliminary assessment of the key CRA final provisions. In addition, PT Data is currently working, in conjunction with the Project Team on Machinery (PT Machinery), on a common interpretation of the links between the CRA and the Machinery Regulation to ensure a smooth implementation of the cybersecurity requirements for machinery products.
More news