Cyber Resilience Act Readiness Assessment

Ready to Improve Your Product Security?


Talk to us today about how we can support your preparation. Contact us for a free readiness assessment and receive a high-level snapshot of your current readiness to comply with the Cyber Resilience Act.

Step 1
Company Details

Fill in some high-level company and product information together with your contact details.

Step 2
CRA Essential Requirements

Answer the questions on risk assessment, vulnerability handling and disclosure, security by design and secure coding.

Step 3
CRA Documentation Checklist

Fill in the documentation checklist for the Cyber Resilience Act and submit your answers.

Step 4
CRA Readiness Report

Receive a report on your readiness against the Cyber Resilience Act essential requirements: a snapshot of where you stand today in relation to the CRA.

1.1 Early Assessment

Our CRA Readiness Assessment gives you an early snapshot against the CRA requirements. The readiness report helps you plan and budget early, so you can improve your product security and prepare to comply with the new legislation at the same time.

1.2 Readiness Report

You will receive a high-level readiness report on your current status against the essential requirements. Use the report within your organisation to show, at a high level, which areas need improvement and where to focus effort.

1.3 CRA Expertise

We have been active members of the ECSO CRA working group since August 2023 and track all of the developments so you don't have to. Reach out to us with any questions you may have on the Cyber Resilience Act.

Learn More About the Cyber Resilience Act

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is first-of-its-kind legislation that sets a baseline cybersecurity standard for products with digital elements placed on the European Union market. The CRA aims to address two main problems identified in such products:

  1. Low levels of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.
  2. An insufficient understanding of, and access to, information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

To address these problems the Cyber Resilience Act will:

  1. Create the conditions for the development of secure products with digital elements (both hardware and software) throughout the product lifecycle, so that they are placed on the market with fewer vulnerabilities and are monitored for vulnerabilities during the product's support period.
  2. Create the conditions for users of products with digital elements to take cybersecurity features into account when selecting and using those products.
What products are in scope and out of scope?

The CRA will apply to any product with digital elements (PDE) that meets all of the following criteria:

  1. It has a direct or indirect data connection to a device or network. For example, wireless speakers that connect to other devices via Bluetooth, or a USB drive that plugs into a computer.
  2. It is a hardware and/or software product, including its remote data processing solutions, or a software or hardware component placed on the market separately.
  3. It will be made available on the EU internal market.

Free and open-source software: the CRA applies to free and open-source software only where it is supplied in the course of a commercial activity. "Open-source software stewards" (legal persons that systematically support the development of such software without being its manufacturer) have lighter obligations: they must put in place and document a cybersecurity policy that fosters the development of a secure product with digital elements and effective vulnerability handling by the developers of that product, and they must cooperate with market surveillance authorities.

The CRA will not apply to the following products, some of which are already covered by sector-specific regulation:

  • Software as a Service, except for remote data processing solutions relating to a product with digital elements
  • Medical devices and in vitro diagnostic medical devices
  • Products covered by civil aviation safety rules
  • Motor vehicles and their trailers
  • Products with digital elements developed or modified exclusively for national security or defence purposes
  • Products specifically designed to process classified information
What are the timelines for the CRA?

The CRA is expected to be formally adopted in autumn 2024. Once it enters into force, the transition period is 36 months for most obligations, while the obligations to report actively exploited vulnerabilities and severe incidents apply after 21 months.

Who needs to comply?

Manufacturers (including software developers), importers and distributors of hardware and software products with digital elements that are made available on the EU market will need to comply with the CRA. Entities established outside the EU that make products available on the EU single market will also need to comply.

What are the categories of products?

There are four categories of products:
  • Default (unclassified)
  • Important, Class I
  • Important, Class II
  • Critical

Products that fall into the default category have the lowest cybersecurity risk associated with them.

Examples of products in this category given by the European Commission include:
  • smart speakers
  • word processors
  • photo editors

To comply with the CRA, products in the default category must meet the essential requirements set out in Annex I of the CRA, and the manufacturer may demonstrate conformity with those requirements through a self-assessment.

Products with a higher associated risk are separated into three groups: Important Class I and Important Class II (listed in Annex III of the CRA text) and Critical (listed in Annex IV). Important Class I products may still self-assess if they fully apply a harmonised standard, common specification or European cybersecurity certification scheme; otherwise they require third-party conformity assessment. Important Class II products always require third-party conformity assessment. For Critical products, the Commission can require, by delegated act, a European cybersecurity certificate under a scheme such as the EUCC.

Some examples of Important Class I products:
  • Identity management and privileged access management (IAM/PAM) software
  • Operating systems
  • Password managers
  • Network management systems
  • Microcontrollers
  • VPNs
  • SIEM systems
  • Antivirus software
Some examples of Important Class II products:
  • Hypervisors and container runtimes
  • Firewalls
  • Intrusion detection and prevention systems
Some examples of Critical products:
  • Smart meter gateways
  • Smartcards or similar devices, including secure elements
  • Hardware Security Modules
What are the penalties for non-conformance?

Failure to comply with the CRA essential requirements or with the vulnerability and incident reporting obligations can incur administrative fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Failure to comply with other obligations can incur administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Supplying incorrect, incomplete or misleading information to enforcement bodies or national CSIRTs can incur administrative fines of up to €5 million or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

In addition, market surveillance authorities can require the withdrawal or recall of non-compliant products from the market.