What is the Cyber Resilience Act (CRA)?
As the Cyber Resilience Act (CRA) is about to be implemented, let's take a closer look at this new law designed to establish a comprehensive framework for the cybersecurity of digital products sold in the EU.
The CRA outlines essential cybersecurity requirements for the design, development, and production of "products with digital elements" (PDEs). PDEs encompass most hardware and software products, with some exceptions like medical devices, national security items, and certain vehicles regulated under other laws.
Manufacturers, developers, and vendors must comply with the CRA's requirements before marketing their products in the EU.
Key Requirements
Annex I of the CRA details the essential requirements, which include:
- Embedding Secure-by-Default principles from the start
- Ensuring products are free from known exploitable vulnerabilities
- Implementing robust authentication and identity and access management
- Protecting data confidentiality and integrity (e.g., through encryption)
- Ensuring the availability of essential functions
- Minimizing attack surfaces, including external interfaces
- Providing security-related information
- Facilitating security updates to address vulnerabilities
Additionally, Annex II specifies requirements for vulnerability handling processes throughout a product's lifecycle, including creating a software bill of materials (SBOM).
Products classified as "important" will need to follow relevant standards or undergo third-party assessments to demonstrate compliance.
Once the Act is in force, the Commission will instruct standardisation organisations to draft harmonised standards for these requirements, building on the work of the European agency ENISA, which has been developing cybersecurity certification schemes under the EU Cybersecurity Act, such as the EU Common Criteria scheme (EUCC) for ICT products, the EU Cloud Services scheme (EUCS), and the EU5G certification scheme.
A small number of products considered "highly critical" will require mandatory EU certification before they can be sold in the EU.
Compliance Timeline
Following the CRA's enactment, vendors, manufacturers, and developers will have 21 months to comply with incident and vulnerability requirements and 36 months for the remaining requirements.
Global Adoption of Similar Laws
Outside the EU, various governments are adopting measures to enhance hardware and software security standards:
United Kingdom
- Consumer IoT device manufacturers must comply with the UK Product Security and Telecoms Infrastructure (PSTI) Act 2021.
- The UK Government is developing voluntary Codes of Practice for Apps and App Stores, which may become mandatory.
Australia
- The Australian Government plans to legislate a mandatory cybersecurity standard for IoT devices, supported by a voluntary smart device labelling scheme.
- A voluntary Code of Practice for Apps and App Stores is also being developed, aiming to harmonise international software standards.
United States
- The Federal Government is using procurement rules to enhance IoT cybersecurity standards and has introduced a Government IoT security labelling program ("Cyber Trust Mark").
- Over 100 software manufacturers have pledged to build secure-by-design enterprise software products and services.
What Should Vendors, Developers, and Manufacturers Do Now?
Although the compliance deadlines are 21 months and 36 months away, affected organizations should start integrating security considerations into their product development cycles immediately. Organizations that delay risk launching new products that cannot meet the requirements for the EU market in the coming years.
Non-compliance can result in fines of up to €15 million or 2.5% of the organization’s total worldwide annual turnover, whichever is higher.
Manufacturers are advised to begin preparations for these legislative changes without delay. Specifically, they should:
1. Identify which products in their portfolio will be launched after the CRA comes into effect, including new products and those undergoing significant security-related modifications.
2. Determine the compliance category for each product, i.e. whether self-assessment, independent conformity assessment, or certification is required.
3. Start compiling a Software Bill of Materials (SBOM) for all software components in their products, noting that the required depth of the SBOM is still under discussion.
4. Establish processes to monitor, fix, and report vulnerabilities, aligning with existing standards like ISO/IEC 29147:2018.
Now is the time to adopt best practices, adhere to existing certifications under the EU Cybersecurity Act, and prioritize security throughout the production process.