Aiming for harmonized cyber resilience requirements in the EU for products with digital elements
On 1 December 2023, a political agreement was reached on the new EU Cyber Resilience Act (“CRA”), the regulation on cyber resilience that the Commission announced in its 2020 EU Cybersecurity Strategy. The regulation was formally approved by the European Parliament in March 2024. Once published in the EU's Official Journal, most provisions of the CRA will apply three years after its entry into force.
The CRA aims to safeguard consumers and businesses by ensuring that products and software with digital components are cybersecure. It addresses concerns relating to security vulnerabilities in connected products which are increasingly used in the EU. It introduces mandatory cybersecurity requirements that must be met throughout the product lifecycle.
Who is in scope of the CRA?
The Cyber Resilience Act will apply to all products – including software and hardware – connected directly or indirectly to another device or network, with some exclusions such as open-source software and products covered by existing regulations, like medical devices, aviation, and cars.
“The CRA will be a real game changer for manufacturers, importers and distributors of the Internet of Things, targeting security vulnerabilities across all stages of the product lifecycle.”
What are the main elements of the CRA?
Among other requirements, manufacturers of products with digital elements caught by the CRA will be required to:
- comply with a set of rules for the design, development and production of products with digital elements before placing them on the EU market;
- document an assessment of the cybersecurity risks associated with such products;
- perform (or have performed) a conformity assessment for products with digital elements and draw up an EU declaration of conformity and affix a CE marking to the product;
- exercise due diligence when integrating third party components, including free and open-source software;
- report actively exploited vulnerabilities to the relevant Computer Security Incident Response Team (“CSIRT”) and to (impacted) users; and
- put in place compliant vulnerability handling processes, including providing relevant security updates, for the duration of the support period (of, in principle, five years).
Importers and distributors of these products are subject to related obligations regarding those processes.
Actions to consider
The CRA will have a significant impact on all manufacturers, importers and distributors of digital products within its scope. Although there is a 36-month implementation period, it is important that the entities falling within its scope start preparing now. Manufacturers should assess their current cybersecurity measures against the upcoming requirements to identify potential compliance gaps and start planning compliance strategies early.