The Cyber Resilience Act: the EU Commission’s proposal for a horizontal regulation on cybersecurity for products with digital elements. An introduction

The EU Commission presented on 15 September 2022 the proposal for a ‘Regulation on horizontal cybersecurity requirements for products with digital elements amending Regulation (EU) 2019/1020’ (Cyber Resilience Act, CRA). This long-awaited piece of legislation would complement EU cybersecurity acquis by laying down horizontal cybersecurity requirements for all products with digital elements. This article sheds light on the ‘horizontal’ character of the CRA proposal by highlighting its main pillars. In particular, the contribution takes into account the new set of obligations placed on economic operators, the conformity assessment procedures as well as the market surveillance framework and the interplay with other legislative initiatives, both in the policy area and outside EU cybersecurity law. Against the backdrop of the sectoral regulatory approach adopted thus far by the Commission vis-à-vis cybersecurity requirements for products, horizontal intervention is needed to ensure legal certainty, avoiding duplicative obligations and further market fragmentation.