CRA Categories Explained

The Cyber Resilience Act (CRA) is new EU legislation expected to be enacted in 2024. The CRA aims to create a baseline cybersecurity standard for products with digital elements sold in the EU. The intent is to reduce the number of cybersecurity vulnerabilities in products sold in the EU and, consequently, the number of cybersecurity incidents that lead to data loss or theft, cybercrime such as ransomware attacks, or cyberespionage.

This all sounds great, but how will the CRA actually work? How will it be implemented and who does it apply to? Cyber Cert Labs is here to answer these questions and explain the ins and outs of this new legislation.

The CRA will apply to any product that meets all of the following criteria:

  1. The product directly or indirectly has a data connection to a device or network. For example, a wireless speaker that connects to other devices over Bluetooth, or a USB drive that plugs into a computer.
  2. The product is hardware and/or software based.
  3. The product will be sold on the EU internal market.

All products that meet these criteria are then split into three categories based on the cybersecurity risk of the product. The European Commission estimates that 90% of products will fall into the lowest-risk category, the ‘default category’. There are then two higher-risk categories: critical class I and critical class II. Let's look at these categories in more detail.


Default category

Products that fall into the default category have the lowest cybersecurity risk associated with them. These products do not hold sensitive data or interact with critical networks, so if they are exploited there is minimal risk of a large data breach or of an attacker using the product as a stepping stone into more sensitive systems.

Examples of products in this category given by the European Commission include smart speakers, word processors and photo editors.

To be compliant with the CRA, products in the default category must adhere to a set of essential requirements (found in Annex I of the CRA), and the manufacturer must complete a self-assessment to demonstrate compliance with those essential requirements.

Critical Class I

Products in critical class I carry a higher cybersecurity risk because of the sensitivity of the data they hold or the criticality of the networks they interact with. Examples of products in this category given by the European Commission include password managers, firewalls and microcontrollers.

To be compliant with the CRA, products in critical class I must adhere to the essential requirements of the CRA. To demonstrate compliance, a critical class I product must either conform to a harmonised standard or undergo a third-party assessment.

A harmonised standard is a European standard developed by a recognised European Standards Organisation, e.g. CEN or ETSI, following a request from the European Commission. Manufacturers can use harmonised standards to demonstrate that their products comply with relevant EU legislation. In this case, a product with digital elements that already conforms to a harmonised standard published in the Official Journal of the European Union is presumed to conform to the CRA.

The third-party assessment is conducted by a recognised notified body using criteria set out in the CRA, and results in the product being certified as compliant or not. Notified bodies are appointed by Member States, which then inform the European Commission. The European Commission keeps a publicly available list of notified bodies.

Critical Class II

Products in critical class II carry the highest security risk. Examples include operating systems, CPUs and industrial firewalls.

Products that fall into critical class II must meet the essential requirements of the CRA and undergo a third-party assessment, as described for class I above, to be deemed compliant with the CRA. Conformity with a harmonised standard alone is not sufficient for this class.

Components – who is responsible?

What if your product contains components obtained from a third party that themselves need to be compliant under the CRA? For example, you make a voice-activated lamp, and the lamp uses a microprocessor to interpret the voice command that turns it on or off. You bought the microprocessor from a third party and therefore did not manufacture it, but you are using it as a component in a product you are manufacturing. Who is responsible for making sure the microprocessor is compliant with the CRA?

Simply put, it is the responsibility of the manufacturer of the microprocessor to make sure it is compliant with the CRA if it is being sold in the EU. However, as the manufacturer of the lamp you must still do your homework on your third-party components. The CRA stipulates that manufacturers using third-party components must exercise due diligence to ensure they source components that do not compromise the security of their product. Manufacturers must also report any vulnerabilities they discover in a third-party component to that component's manufacturer.

This gets a bit more complicated if you are sourcing a component from outside the EU. If the component's manufacturer is selling directly into the EU, then it is their responsibility to comply with the CRA. But if you are buying components and importing them from outside the EU yourself, the CRA sets out separate responsibilities for importers, and you as the importer become responsible for ensuring the component's compliance with the CRA.

The nuances of how the CRA will work in practice, as opposed to in theory, still need to be worked out. The upcoming vote on the final version of the legislation, after amendments, in Autumn 2023 should shed more light on complicated areas such as importing third-party components from outside the EU.
