Your Questions Answered
Frequently Asked Questions
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a first-of-its-kind piece of legislation that sets a baseline cybersecurity standard for products with digital elements within the European Union. The CRA aims to address two main problems identified in products with digital elements:
- Products with digital elements are being manufactured with low levels of cybersecurity. This results in widespread vulnerabilities and a lack of security updates to address them, which makes these products attractive targets for cybercriminals as a vehicle for attacking larger networks.
- Users of products with digital elements have an insufficient understanding of the product, and lack the information that would allow them to make informed decisions when choosing products with proper cybersecurity features and using them in a secure manner.
What products are in scope?
The CRA will apply to any product that meets all of the following criteria:
- The product directly or indirectly has a data connection to a device or network. For example, wireless speakers that connect to other devices via Bluetooth, or a USB drive that plugs into a computer.
- The product is hardware-based and/or software-based.
- Will be sold in the EU internal market.
What are the timelines for the CRA?
The CRA will become fully enacted legislation. It is estimated to be adopted in full in Autumn 2024. It has yet to be decided whether the transition period will be 24 or 36 months.
Who needs to comply?
Manufacturers (including software developers), importers and distributors of software and hardware products with digital elements who sell on the EU market will need to comply with the CRA. Entities outside the EU who sell their products in the EU will also need to comply.
What are the categories of products?
There are three categories of products: important, critical and default.
Default category
Products that fall into the default category have the lowest cybersecurity risk associated with them. These products do not hold sensitive data or interact with critical networks, so if they are exploited there is minimal risk of a large data breach or of the attacker being able to use the product to reach more sensitive systems.
Examples of products in this category given by the European Commission include smart speakers, word processors and photo editors.
To be compliant with the CRA, products in the default category must adhere to a set of essential requirements (found in Annex I of the CRA) and complete a self-assessment to demonstrate compliance with these essential requirements.
Products with a higher risk associated with them are separated into two groups, Class I and Class II. They are listed in Annex III of the CRA text.
Some examples of Class I products:
Network management systems, password managers, and standalone and embedded browsers.
Some examples of Class II products:
Operating systems, HSMs, smartcards, smartcard readers and tokens.
I have more questions ...
If you have questions about the Cyber Resilience Act, we are happy to help you. Please contact us and we would be delighted to set up a call with you.