The Cyber Resilience Act (CRA) is an EU regulation that introduces binding cybersecurity requirements for products containing hardware and software, which the regulation calls “products with digital elements”. These are defined as “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”. In practice this covers IoT devices together with the software and hardware products associated with them. For these products, the requirements are intended to ensure that they are secured throughout their lifecycle, from design through to the end of the support period.
By 2021, the estimated financial damage caused by cybercrime had reached around 5.5 trillion euros. Many products on the market are insecure, and consumers have no way of recognising this. The EU’s main aim with the regulation is to create the conditions for the development of secure products with fewer vulnerabilities, to ensure that vulnerabilities are managed throughout the product lifecycle, and to enable users to take cybersecurity into account when choosing and using products.
When does the Cyber Resilience Act come into law?
The Cyber Resilience Act entered into force in December 2024. Most of its obligations apply from December 2027, so affected companies have roughly three years to prepare. The reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from September 2026.
Who is affected by the Cyber Resilience Act?
The Cyber Resilience Act (CRA) affects all manufacturers, importers, and distributors of products with digital elements placed on the EU market, regardless of where the manufacturer is established. The regulation also imposes obligations on EU member states regarding market surveillance and enforcement. Non-compliance with the essential requirements can result in fines of up to €15 million or 2.5% of the company’s worldwide annual turnover, whichever is higher.
All manufacturers, importers, and distributors in the EU dealing with products that can communicate directly or indirectly (via a logical or physical data connection) with other devices or networks must comply with the CRA. This includes a wide range of products found in everyday life, such as smart home devices, fitness trackers, connected vehicles, digital ovens, and motion sensors. Software provided as a Service (SaaS) is covered only where it qualifies as a remote data processing solution, i.e. cloud-side processing designed by or for the manufacturer without which the product could not perform one of its functions; SaaS offerings that are not tied to such a product fall outside the CRA.
The CRA primarily holds manufacturers, importers, and distributors of digital products accountable, setting forth several key requirements that, if not met, can lead to significant penalties:
- Cybersecurity Requirements: Products must be designed, developed, and manufactured in accordance with the regulation’s essential cybersecurity requirements, including secure-by-default configuration and delivery without known exploitable vulnerabilities.
- Incident Reporting: Actively exploited vulnerabilities and severe incidents affecting the security of the product must be reported via the EU single reporting platform to the designated national CSIRT and ENISA, with an early warning within 24 hours of the manufacturer becoming aware of them.
- Product Monitoring: Manufacturers must ensure their products are monitored for vulnerabilities throughout the support period.
- Security Updates: Manufacturers must provide security updates free of charge for the product’s support period, which must reflect the expected time of use and be at least five years unless the product is expected to be used for a shorter time.
The CRA applies to all products with digital components, including operating systems, software, and hardware. It also covers businesses selling or importing these products into the market, impacting a wide array of industries due to the high level of digitalization in modern products and services.
Key responsibilities under the CRA include:
- Risk Management: Continuous risk assessments must be carried out throughout the product’s development and lifecycle to address potential cybersecurity risks.
- Vulnerability Management: Companies must identify and document the components in their products (including a software bill of materials), handle vulnerabilities through an established process with a coordinated vulnerability disclosure policy, and ensure that products are not delivered with known exploitable vulnerabilities.
- Security Updates: Companies are required to provide timely security updates after a product’s release to safeguard against emerging threats.
- Compliance: Depending on the product’s classification, conformity assessment ranges from a manufacturer self-assessment for products in the default category, through the application of harmonised standards (the JRC/ENISA mapping references standards such as IEC 62443), to mandatory assessment by a notified body for the more critical classes.
Classification of the products concerned into two categories
The CRA distinguishes between two product classes and gives examples of which products fall into each. The lists below follow the Commission’s proposal, where they were headed “Critical products with digital elements”; the adopted regulation calls these lists “important products with digital elements” (Annex III, Class I and Class II), adds a separate, shorter list of “critical products” (Annex IV), and moves some entries between classes, so always check the annexes of the final text. Class II products are considered more critical than Class I products. A product that is not listed is not thereby out of scope: as described in the chapter above, all products with a data connection to other devices or networks are affected, and unlisted products fall into the default category, for which a self-assessment is sufficient.
Examples of the Class I category
- Software for identity management systems and privileged access management software
- Standalone and embedded browsers
- Password managers
- Software that searches for, removes or quarantines malicious software
- Products with digital elements with the function of a virtual private network (VPN)
- Microcontrollers
- Microprocessors
- Industrial automation and control systems (IACS), PLCs, DCS, CNC and SCADA systems
- …
Examples of the Class II category
- Operating systems for servers, desktops and mobile devices
- Hypervisors and container runtime systems that support the virtualized execution of operating systems and similar environments
- Infrastructure for public keys and issuers of digital certificates
- So-called “secure elements”
- Sensor and control components for robots and robot controllers
- Routers
- HSMs
- …
EU-Wide Consequences
- Low-cost products from non-EU manufacturers, including China, will face greater hurdles, since importers and distributors must verify that a product carries the CE marking and is accompanied by the required documentation before placing it on the EU market.
- Companies in the hardware and software sector will have to expand their processes and may encounter considerable obstacles in doing so.
- Stronger security measures raise the cost of an attack but do not eliminate vulnerabilities; a determined attacker will still find some. Companies therefore need to keep their products updatable for the entire support period, which is a major challenge for product lines that are currently rarely or never updated in the field.
- The cost of cybersecurity measures is likely to increase, and non-compliance with the new requirements can result in penalties of up to €15 million or 2.5% of worldwide annual turnover. Self-assessment is available for products in the default category, but it gives no guarantee that a product actually meets the requirements, and market surveillance authorities can still act against non-compliant products.
- Start-ups and small to medium-sized companies may have greater difficulty gaining a foothold in the market or being successful in view of the challenges mentioned.
Requirements for compliance
The Joint Research Centre and ENISA published a mapping of the CRA requirements onto existing standards, titled “Cyber Resilience Act Requirements Standards Mapping – Joint Research Centre & ENISA Joint Analysis”. It is a useful starting point for identifying which standards cover which essential requirements.
The procedure is similar to ISO 27001, but the focus is different. While ISO 27001 concentrates on organisation-level risks, the CRA requires the focus to be placed on the product and its development. This makes a big difference. From experience, I can say that the security process must be integrated into existing development processes in order to achieve the best possible result. It is also very important to involve employees early; otherwise they will reject the process, acceptance will take a long time, and the resulting dissatisfaction can cost your company a lot of money. Finally, the process must be efficient and easy to apply in day-to-day product development.
Example Process
We are currently working on an example process that we want to make available to you. It is intended as a guide to give you an idea of what your own process could look like, but it will take some time to complete.