A summary of the EU Cyber Resilience Act

The EU Cyber Resilience Act (CRA) is a piece of legislation designed to significantly enhance the cybersecurity of hardware and software products with digital elements placed on the European Union market. It’s the first regulation of its kind globally to impose such comprehensive cybersecurity requirements across the entire product lifecycle.

The CRA came into force on 10 December 2024, with most obligations applying in full 36 months after that (likely December 2027), giving companies time to adapt.

Here’s a summary of its key aspects:

Scope and Applicability

The CRA applies to a wide range of “products with digital elements”, including both hardware and software, that can be connected to a device or network, either directly or indirectly. This encompasses everything from smart home devices (e.g., baby monitors, smart TVs, toys) to industrial control systems, operating systems, and even software components like firmware and libraries.

It generally applies to products placed on the EU market, regardless of where they are manufactured, meaning it impacts both EU and non-EU companies.

Certain products already covered by existing EU legislation (e.g., medical devices, motor vehicles, aviation) are excluded to avoid overlapping regulations.

The CRA primarily applies to commercial products and includes exemptions for non-commercial and open-source projects, communities, and foundations. Commercial products based on open-source components are still covered by the legislation.

Core Objectives

Security by Design and Secure by Default

Cybersecurity must be considered right from the start of product design. Products should have secure default configurations and ideally not even support insecure configurations.

Enhanced Transparency

The legislation aims to improve the transparency of the cybersecurity status of products, enabling consumers and businesses to make informed decisions about the products they purchase and use.

Lifecycle Security

Manufacturers are accountable for the cybersecurity of their products throughout their entire lifecycle, including providing ongoing security updates and vulnerability management.

Key Obligations for Manufacturers

Conduct Risk Assessments

Evaluate cybersecurity risks and implement controls throughout the product’s planning, design, production, and maintenance phases.

Meet Essential Cybersecurity Requirements

Ensure products comply with specified security criteria, such as protection against unauthorised access, data confidentiality and integrity, and resilience against intrusions and denial-of-service attacks.

Vulnerability Management

Implement robust processes for identifying, documenting, and fixing vulnerabilities without delay. This includes providing free, timely security updates to users for a defined support period (at least five years, or longer if the product’s expected use is longer).

Transparency and Documentation

Provide clear user instructions, technical documentation, and information about the product’s cybersecurity features and support period.

Incident Reporting

Notify the competent Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA) of actively exploited vulnerabilities and severe incidents within 24 hours of becoming aware of them, with follow-up reports.

Conformity Assessment and CE Marking

Undertake a conformity assessment (either self-assessment or third-party certification depending on the product’s risk category) and affix the CE marking to indicate compliance.

Product Categorization and Conformity Assessment

The level of conformity assessment required varies by category, with “Important” and “Critical” products often requiring third-party assessments.

Products are categorised into “Default,” “Important” (Class I and II), and “Critical” based on their cybersecurity risk and potential impact.

The CRA includes a comprehensive list of product types that are considered important in Annex III, and critical in Annex IV. Products outside of these lists are categorised as default.

It is important to note that a product including an Important or Critical component can still be classed as default risk if that element is not the product’s primary function. For example, a device simply running an operating system is not automatically a Class I product, but the operating system is, with the additional conformity obligations residing with the supplier of the OS, not the device manufacturer.

Enforcement and Penalties

Non-compliance can result in significant administrative fines, up to €15 million or 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for manufacturers.
In essence, in common with many other security standards such as ETSI EN 303 645, the CRA aims to raise the bar for cybersecurity across a vast array of digital products, shifting the responsibility for security from end-users to manufacturers and promoting a more secure digital environment within the EU.