The EU Cyber Resilience Act (CRA) intends to establish security principles, features, and measures that encompass hardware, software, and maintenance for certain products sold in the European Union. This guide, written by Iris Desbrousses from i46, explains what manufacturers and importers must know about the EU Cyber Resilience Act (CRA), and how it will likely impact product development and updates.
Content Overview
FREE CONSULTATION CALL (US, EU & UK)
- Request a free 30-minute call with Ivan Malloci to learn how we can help you with:
- Find product requirements
- Certification and labeling
- Lab testing
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act is a game-changer for cybersecurity in the European Union. Initially proposed in September 2022, the CRA achieved a significant milestone in December 2023 by gaining formal adoption as a regulation by the Council of the European Union. This was followed by approval from the European Parliament in March 2024.
However, the process isn’t quite complete. The adopted version is currently undergoing final revisions to ensure all language versions are aligned and any minor technical adjustments are made. Only after this revised version is approved will the Council hold a final vote, officially adopting the CRA.
This process takes place as a response to the escalating cyber threat landscape and the vulnerabilities embedded in many digital products and aims to establish a robust framework to ensure cybersecurity across the lifecycle of products.
The CRA addresses these challenges by introducing mandatory cybersecurity requirements for manufacturers, software developers and distributors of products with digital components. This includes a broad spectrum of items, from consumer electronics like smart TVs to critical industrial control systems.
By harmonizing rules across the EU, the Act ensures uniform cybersecurity standards for all stakeholders. Moreover, the CRA mandates a comprehensive security approach throughout the product lifecycle. Manufacturers must prioritize security from the initial design stage to post-sale maintenance.
What is the current status of the Cyber Resilience Act (CRA)?
This is the current status and timeline of the Cyber Resilience Act (CRA):
1. Proposal (September 2022): The EC initiated the process by proposing the CRA.
2. Council and Parliament Approval (December 2023 – March 2024): The proposed CRA went through a first review by both the Council of the European Union and the European Parliament. In December 2023, the Council formally adopted the CRA as a regulation. The European Parliament followed in March 2024, signifying approval.
3. Finalization (Current stage): The CRA is undergoing final technical revisions and adjustments are made. The next parliamentary term will see a “corrigendum procedure” to address any errors identified in the provisional text voted on by the Parliament.
4. Official Adoption and Publication (Expected: Autumn 2024): Once the corrigendum is approved by the Parliament, the Council holds a final vote, officially adopting the CRA. This will be followed by publication in the EU Official Journal.
5. Enforcement
Which products are covered by the Cyber Resilience Act (CRA)?
The Cyber Resilience Act applies to all connected devices distributed in the European Union. Here’s a breakdown of what falls under its scope:
Firstly, hardware products: This includes everyday items such as smartphones and laptops, as well as industrial machinery and internet-connected toys (and yes, this would be on top of other EU legislations for which these products already require compliance). Essentially, if it has a physical form and connects to a network, it likely falls under the purview of the CRA.
Secondly, software: The CRA covers operating systems and any operational software that interacts with a network or device. Whether it’s the software running a smart speaker or controlling a factory robot, the CRA applies.
While there are a few exceptions (e.g., software distributed in open-source, from which the developers do not derive any commercial activity), the general rule is that if a product incorporates digital elements and is used within the EU, it will be subject to the requirements of the CRA.
What are the requirements of the Cyber Resilience Act (CRA)?
The CRA outlines a comprehensive set of requirements, which can be split into four categories matching the Act’s four primary objectives.
Secure by design
Firstly, the CRA mandates that manufacturers prioritize security from the outset of product design and development. This commitment must extend throughout the product’s lifecycle, ensuring continuous protection for users. Key provisions include ‘Security by Design and Default,’ requiring products to be built with security in mind and robust security features enabled by default (e.g: strong password enforcement, automatic security updates, etc.).
Manufacturers must also implement effective ‘Vulnerability Management’ processes, ensuring timely identification, patching, and disclosure of vulnerabilities. For example, if an exploited vulnerability or an incident impacting the security of the product (e.g: a breach) is detected, the manufacturer must notify ENISA within 24 hours of becoming aware of it. Furthermore, the CRA mandates a ‘Minimum Support Period’ of at least five years for security updates post-market introduction, with possible extensions of up to ten years in certain cases.
Consistent cybersecurity requirements
Secondly, the CRA establishes consistent cybersecurity requirements across all EU member states. This harmonization simplifies compliance for manufacturers selling products across different countries within the EU.
Product security features
In addition, the CRA emphasizes transparency from manufacturers regarding the security features of their products. This empowers consumers and businesses to make informed purchasing decisions. Manufacturers are required to provide clear labelling indicating the security features and duration of support for each product. They must also provide detailed information about their security practices and policies for vulnerability disclosure that is readily accessible to the public.
Security updates
Lastly, the CRA aims to enhance the usability of products for secure day-to-day use. This involves designing security features such as automatic security updates to be intuitive and user-friendly. Manufacturers must also provide comprehensive documentation on how to securely configure and operate their products.
How can businesses make sure that their products are compliant?
There are several key steps companies can take. First, a thorough risk assessment is essential. This helps identify vulnerabilities and guide the development of strong security measures. “Security by design” should be the guiding principle, with for instance secure coding for software and secure boot for hardware.
Constant vigilance is also crucial. Companies need meticulous software component management through Software Bill of Materials, prompt patching, and well-defined incident response plans. Additionally, transparency with users builds trust.
Overall, navigating the requirements of the CRA can be challenging. One of the main concerns the i46 team typically hears from manufacturers is the lack of official harmonized standards for measuring compliance. To some companies, this situation brings them back to the early days of the GDPR, when the lack of clear implementation standards led to involuntary non-compliance and fines for many.
Nonetheless, the Act details its key requirements in Annex I: Essential Requirements. These essentially can be used as a checklist for companies seeking self-compliance and are written
While the essential requirements offer a solid foundation for building CRA-compliant products, partnering with a compliance expert such as i46 provides a strong guarantee of product compliance and helps avoid the hefty fines outlined in the CRA.
Does the Cyber Resilience Act (CRA) require CE marking?
Yes, the CRA leverages the existing CE marking process. This means manufacturers and developers placing products with digital elements on the European market will need to demonstrate compliance with the CRA’s cybersecurity requirements. Once they achieve this compliance, they can create an EU Declaration of Conformity, which paves the way for affixing the CE marking to their product.
This CE marking itself is not defined within the CRA, but rather functions as an indicator established by existing regulations. By displaying the CE marking, it signifies that the product adheres to the cybersecurity standards outlined in the CRA. Ultimately, this allows for the free movement of compliant products within the European Union’s internal market.
Will the Cyber Resilience Act (CRA) result in a new regulation?
The Cyber Resilience Act has already become a regulation after being approved both by the Parliament and the Council.
While some technical revisions are ongoing, the CRA is now a concrete regulation shaping the future of cybersecurity standards within the European Union.
Will the Act impact existing regulations and directives?
The CRA is a new regulation designed to strengthen cybersecurity but it won’t directly change existing regulations, like the Radio Equipment Directive (RED). Instead, it will introduce a complementary layer of mandatory cybersecurity requirements for products with digital elements.
This means manufacturers will need to ensure their products comply with existing regulations, and where applicable to the new cybersecurity requirements established by the Cyber Resilience Act.
When will it enter into force?
After being recently approved, the CRA awaits final adoption after minor adjustments. Once finalized (expected in autumn 2024), manufacturers will have 36 months to achieve full compliance.
However, the Reporting Requirements for incidents and vulnerabilities will be enforceable as of the 21st month following the Act’s entry into force.
How can you help companies ensure compliance with the Act?
At i46, we understand the challenges manufacturers face when it comes to the CRA. Our comprehensive solution streamlines the entire compliance process, allowing companies to focus on their core business.
We take a step-by-step approach, starting with a completely free initial assessment. This assessment helps us understand a manufacturer’s device or software and determine its current certifiable status under the CRA. Once we have a clear picture, we can guide them through the process of achieving compliance.
Our team of experts can identify and fix any vulnerabilities in a product, ensuring it meets the highest security standards. We’ll also pinpoint any missing features required for compliance and integrate them seamlessly.
But achieving compliance is just the first step. Because cybersecurity is an ongoing process, i46 offers a secure platform (i46.io) that continuously monitors devices. This real-time monitoring provides valuable insights into their overall security posture, allowing for proactive vulnerability management.
In addition, i46 also understands the importance of administrative tasks. i46 can simplify the annual CRA reporting requirements and conduct yearly checkups to ensure a manufacturer’s compliance status remains current. Additionally, we can act as their designated EU Authorized Representative, handling communication with European authorities on their behalf.
By partnering with us, manufacturers can achieve and maintain compliance, ensuring secure and successful access to the European market.
