EU regulation for connected product manufacturing

  • November 16, 2022
  • William Payne

The European Commission, the executive arm of the European Union, has proposed legislation that creates a regulatory framework for companies manufacturing connected or smart products in Europe, with a raft of requirements and penalties. The proposed legislation, the EU Cyber Resilience Act (CRA), will also impose obligations on any users of connected OT and Industrial Internet, including the obligation to protect manufacturing and industrial systems and intellectual property. Failure to protect either connected products at every stage of manufacture, use and decommission, or connected Industry 4.0 systems manufacturing any products, requires immediate reporting to national regulators and could result in fines.

A judgement of the CJEU at the end of 2021 removed the principle of ne bis in idem from commercial and regulatory EU Law, where it applied across national jurisdictions. This judgement, which had an immediate impact on the final drafting of the EU Digital Markets Act (EU DMA 2022), means that national authorities can pursue their own separate prosecutions and impose the full fines contained in the legislation, irrespective of identical prosecutions in other EU member states. Germany and Austria have already carried out a number of prosecutions of companies for identical infringements of EU Law.

The proposed act requires harmonised rules for new hardware or software, a framework of cybersecurity requirements governing product planning, design, development, and maintenance across the breadth of the value chain and an obligation to provide a duty of care for the entire product lifecycle.

The CRA affects not only manufacturers, but also their developers and suppliers, as well as distributors and commercial users. The entire value chain of a product's development, production and maintenance will be affected by the proposed law.

Any product produced through Industrial Internet manufacturing processes, or that is itself a smart or connected product, is affected. The European manufacturing segments being particularly highlighted as likely to be affected are aviation, automobiles, and medical devices. However, the scope of the CRA is such that a much wider swathe of European industry is likely to be affected, including agricultural equipment, capital equipment, smart meters, trains, ship building, smart home technologies and lighting, and white goods.

For standard products that fall into a general category, developers, manufacturers and commercial users can self-certify their smart manufacturing processes and their connected products, and any associated processes.

The proposed Act introduces a special category for “critical products”. For products that fall into this category, extra obligations, registration, regulation and reporting mechanisms are proposed on a pan-European basis. “Critical products” must be registered and regulated with a central EU regulatory body, to be set up through the 27 member state regulatory bodies. These critical products will fall into two classes, with the second class covering hardware requirements, while the first class covers more software and connected mechanisms.

Both critical product classes will be assessed and regulated through a central EU body from design and development onwards, with a proposed testing approach similar to that of Germany’s DIN institute, and with quality assurance through the central EU authority.

The Act also sets out requirements for technical documentation, requires precise evaluations and their documentation, and requires that all documentation be drafted in plain language.