Cyber Resilience Act: What You Need To Know
The EU's Cyber Resilience Act (CRA) aims to improve cyber security in Europe significantly. In this article, you can read about the requirements that the new regulations place on your company and what measures you can take to adapt to the new security standards successfully.
Purpose and Aim Of the Cyber Resilience Act (CRA)
Cyber resilience describes a company's ability to recognise cyber attacks in good time, deal with them appropriately and recover from them quickly. The law therefore addresses the cyber security of products with digital elements throughout the entire product life cycle. The CRA applies to products manufactured, imported or distributed within the EU. In this way, it aims to...
...promote the spread of secure technologies,
...protect consumers and
...strengthen trust in digital products.
The aim is to achieve a minimum level of cyber security within the EU.
The regulations are expected to come into force at the end of 2024 and will be implemented in stages until 2027.
Affected Products
The provisions of the Cyber Resilience Act apply to all products with digital elements or products that are connected to networks or other devices:
- Industrial hardware and software products, for example IoT devices
- Software products, for example desktop, web and mobile applications
- Software and hardware products for personal use, for example smart devices
According to the CRA, the products concerned are categorised by risk categories.
Companies and their products also face new requirements in the area of liability. Read the article Stricter Product Liability: What Companies Need To Know to find out what it's all about.
Standard Category
For products in this category, the companies concerned can carry out a self-assessment and self-declaration.
- Programmes for image editing
- Video games
- General software and devices
- All other products that are not categorised as important or critical
Important Products
A conformity assessment and certification by an appropriate authority is required here. These products are divided into two classes:
Class 1:
- Independent and embedded browsers
- Microcontrollers and processors with security-relevant functions
- Password managers
- Operating systems
- Smart home (virtual assistants)
Class 2:
- Firewalls
- Attack detection/prevention systems
- Tamper-proof microcontrollers and processors
- Smart meter gateways
Critical Products
Conformity assessment and certification by a certification centre are mandatory for critical products.
- Smart Cards
- Hardware devices with security boxes
- All products that lead to a critical dependency of essential institutions according to the NIS2 directive
Affected Companies
As the Cyber Resilience Act takes a holistic approach, its regulations apply to the entire supply chain:
- Manufacturers of digital products
- Importers
- Retailers
Requirements For Companies
Even if the requirements vary depending on the role of the company concerned, there are some points that are important for everyone.
Cybersecurity Measures: All manufacturers must make cybersecurity an integral part of the entire product life cycle.
Updates: Updates must be available for at least the next five years.
Documentation and Instructions: Security risks and their elimination must be documented. Users are also entitled to clear instructions. Safety-related incidents should be recorded in order to monitor the condition of the product.
Higher Risk Categories: Stronger security measures are required for products in this category. This includes more extensive risk assessments and more complex security mechanisms.
Reporting Obligations: Manufacturers must report a cybersecurity incident to the European Cybersecurity Agency (ENISA) within 24 hours.
Identity Management and Access Controls: They are designed to protect products from unauthorised access.
Encrypted and Minimised Data Storage: Products should only collect data that is necessary to maintain security.
User Autonomy: CRA wants to empower users to remove their data from devices themselves.
Embedded Security: Manufacturers should take care from the very beginning to minimise the potential for security vulnerabilities during product development.
Resilience and Protective Measures: The aim is to protect essential product functions and keep them available even if security incidents occur.
What You Can Do Now
If you are affected, you should start implementing the requirements of the CRA as early as possible.
- Follow the ‘security by design’ approach from the very start
- Ensure secure use of your products through security updates
- Check your internal processes for CRA compliance
- Establish a sensible, transparent approach to vulnerabilities
Consequences of Violations
In future, a product will only be authorised for the EU market if it fulfils the requirements of the Cyber Resilience Act. It is directly linked to the EU conformity assessment of products.
If a company does not comply with these regulations, the following consequences may occur:
- Fines of up to 15 million euros or up to 2.5 per cent of annual turnover - depending on which is higher.
- Authorities can restrict or even completely prevent access to the market if products violate EU regulations.
- In the case of particularly serious violations, there is a threat of withdrawal of the affected product.
Cyber Resilience - New Challenges, Long-Term Opportunities
The Cyber Resilience Act is presenting new challenges for companies. Those affected must invest in security in order to strengthen the trust of their customers and remain competitive.