Learn More About the Cyber Resilience Act
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a first-of-its-kind EU regulation that sets a baseline cybersecurity standard for connected products with digital elements. A product with digital elements is a product with software and/or hardware components, together with any remote data processing solutions associated with it.
The CRA addresses two clearly identified problems with digital products:
- Products with digital elements are being manufactured with low levels of cybersecurity. This results in widespread vulnerabilities, and security updates to address those vulnerabilities are often lacking. It makes digital products attractive targets for cybercriminals, who use them as a foothold for attacks on larger networks.
- Users of products with digital elements have insufficient understanding of product security and lack the information that would allow them to make informed decisions when choosing products with adequate cybersecurity features.
The CRA is horizontal legislation, meaning it covers a broad range of products across many sectors. Any in-scope product made available on the EU market will need to carry the CE marking, which under the CRA attests to conformity with its cybersecurity requirements. Manufacturers, importers and distributors based outside the EU must comply as well. The CRA is therefore an important consideration for any business developing new products.
What products are in scope and out of scope?
Products with Digital Elements (PDEs) Definition
- any software or hardware product and its remote data processing solutions
- including software and hardware components to be placed on the market separately
- with a data connection to device or network
- that are made available on the EU single market
Open-source software is subject to a light-touch regulatory regime: the CE marking is not affixed to open-source software as such. For-profit manufacturers that incorporate open-source software into their product with digital elements remain responsible for ensuring those components meet the CRA's requirements. The light-touch obligations on Free and Open-Source Software include:
- Creating and documenting a cybersecurity policy to foster the development of a secure product with digital elements
- Vulnerability handling process
- Co-operation with market surveillance authorities
Products Out of Scope
The CRA does not apply to the following, several of which are already covered by sector-specific regulation:
- Software as a Service, except for remote data processing solutions relating to a product with digital elements
- Medical devices and in vitro diagnostic medical devices
- Products covered by civil aviation safety rules
- Motor vehicles and their trailers
- Products with digital elements developed or modified exclusively for national security or defence purposes, or products specifically designed to process classified information
What are the timelines for the CRA?
The CRA entered into force on 10 December 2024. Most obligations apply after a 36-month transition period, from 11 December 2027: products with digital elements placed on the EU market from that date must be fully compliant. The vulnerability and incident reporting obligations apply earlier, from 11 September 2026, 21 months after entry into force.
Who does it affect?
Manufacturers (including software developers), importers and distributors of hardware and software products with digital elements who make their products available on the EU market must comply with the Cyber Resilience Act. Entities established outside the EU that make products available on the EU single market must comply as well.
The European Commission's impact assessment on the CRA found that small and medium-sized enterprises, including micro-enterprises, in scope for the Cyber Resilience Act would struggle to comply, mainly because of the associated costs and a lack of cybersecurity expertise. While this creates obstacles to overcome, the CRA aims to strengthen product security in a way that benefits manufacturers overall: customers gain confidence in the security of the products they buy, and manufacturers and society as a whole are better protected against cyberattacks.
What are the categories of products?
Default (lowest risk level)
An estimated 90% of products fall into the default category. These products are deemed to have lower risk profiles than products in the other categories. Examples include:
- Smart home devices
- Printers
- Bluetooth speakers
- Media player software applications
Manufacturers of products in the default category can self-assess to demonstrate compliance with the CRA essential requirements set out in Annex I. The self-assessment procedure (internal control) is laid out in Annex VIII of the CRA.
Important Class I
The complete list of products in Important Class I is given in Annex III of the CRA. It includes:
- Identity management systems, privileged access management software & hardware, and access control readers
- Standalone & embedded browsers
- Password managers
- Software that searches for, removes or quarantines malicious software
- Products with virtual private network function
- Network management systems
- Boot managers
- Operating systems
- Routers and modems intended to connect to the internet and switches
Manufacturers of products in Important Class I can use the self-assessment procedure to demonstrate compliance with the CRA essential requirements, provided they can apply one of the following:
- Harmonised Standard – a European standard developed by a recognised European Standards Organisation following a request from the European Commission. Manufacturers can use harmonised standards to demonstrate that a product complies with EU legislation. Harmonised standards specific to the CRA are currently being developed.
- Common Specification – a detailed, practical set of rules adopted by the European Commission, setting out how a product should meet specific requirements where no harmonised standard exists.
- European Cybersecurity Certification – a certification scheme established under the EU Cybersecurity Act, with ENISA preparing candidate schemes for the European Commission, under which products with digital elements can be certified as meeting the essential requirements of the CRA. For this route the certificate must be issued at assurance level at least "substantial".
If the manufacturer cannot apply one of these for their product, the product must be assessed by a third-party conformity assessment body.
Important Class II
Product types in the Important Class II category are:
- Hypervisors and container runtime systems supporting virtualised execution of operating systems
- Firewalls, intrusion detection & prevention systems
- Tamper resistant microprocessors & microcontrollers
Products in Important Class II must undergo a third-party conformity assessment (EU-type examination followed by conformity to type, or full quality assurance) regardless of whether they conform to harmonised standards or common specifications. Certification under a European cybersecurity certification scheme at assurance level at least "substantial" is the alternative route.
Critical Class
Products in the Critical Class are:
- Hardware devices with security boxes
- Smart meter gateways
- Smart cards or similar devices including secure elements
- Other devices for advanced security purposes including secure crypto processing
Products in the Critical Class carry the highest risk and therefore face the strictest compliance process. The European Commission is empowered to require, by delegated act, that these products obtain a European cybersecurity certificate (for example under the European Common Criteria-based scheme, EUCC) at assurance level at least "substantial", issued by a conformity assessment body. Until such an act applies, Critical Class products follow the third-party conformity assessment routes that apply to Important Class II.
What are the penalties for non-conformance?
Failure to comply with the CRA essential requirements or with the vulnerability and incident reporting obligations can incur:
Administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
Failure to comply with other obligations under the CRA can incur:
Administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities can incur:
Administrative fines of up to €5 million or 1% of total worldwide annual turnover, whichever is higher.
In addition, market surveillance authorities can require the withdrawal or recall of non-compliant products.
Important for SMEs
Administrative fines do not apply to micro and small enterprises for failing to meet the 24-hour deadline for the early warning notification of an actively exploited vulnerability or severe incident. Subject to the principle that penalties must be effective, proportionate and dissuasive, Member States should also refrain from imposing other penalties of a financial nature on these entities for such failures.
How to get help?
Cyber Cert Labs can help manufacturers prepare for the CRA by explaining what the CRA is and what they need to do to comply. Our readiness assessment, aids and guides break down the new processes manufacturers will need to implement at each stage of the product lifecycle, making it less daunting to integrate CRA compliance into an already familiar development process. Contact us today to begin securing your products!