Approaching the EU Cyber Resilience Act


The EU Cyber Resilience Act is a new EU regulation which introduces mandatory requirements to securely design, develop, produce, and maintain products with digital elements. These products can be electronic devices, hardware or software and their components, including remote data processing solutions.

Cybersecurity is considered a matter of public interest due to the critical impact it can have on society. The two major problems the EU wants to address with this new regulation are a low level of cybersecurity in products, which often lack the ability to receive security updates that address identified vulnerabilities, and insufficient understanding of, or access to, information, which prevents individuals and organisations from choosing products with a good level of security.

While the EU has already introduced other regulations that cover cybersecurity, such as NIS2 and the Cybersecurity Act, neither of these has set mandatory requirements for the security of products. This is now being addressed with the Cyber Resilience Act. A second article reflecting more deeply on the technical requirements of the CRA has been published at: Reflections on Cyber-Resilience Act Requirements

Now that a consensus has been reached on the final text of the Cyber Resilience Act, we can start planning and preparing to comply with this new regulation. At close to 200 pages, the document is not lightweight and will take some time to be fully absorbed and integrated by most organisations.

Product Security and Vulnerability Handling

At its core, the CRA aims to help bring secure products to the market, and ensure the necessary mechanisms are in place to keep them secure for the duration of their expected lifetime, with an adequate level of transparency towards clients and authorities.

This regulatory framework should lead to fewer vulnerabilities, fewer abuses of devices already installed in the field, and security being taken more seriously by product manufacturers throughout the product lifecycle. To achieve this, cybersecurity requirements are in essence becoming part of the CE conformity standards.

From a high-level perspective, the CRA introduces two main sets of requirements for each product made available on the European market:

  • Essential requirements to maintain an adequate level of product security, including for its components, for the entire duration of the product lifecycle.
  • Vulnerability handling requirements, including notification and reporting of identified and actively exploited vulnerabilities.

Most companies must comply with the Cyber Resilience Act starting in 2026

It is safe to assume your organisation will be subject to this regulation. If the product is being monetised as part of a commercial activity, either through sales of hardware and software, or by providing services, the product must comply with these requirements.
This is equally so for companies that produce products outside of Europe but sell them on the European market, with specific requirements for importers and distributors of technology.

The CRA applies to each type of organisation and business, including SME businesses, with certain categories of products subject to stricter conformity assessment procedures.
There are several exemptions though, due to these products being covered by industry-specific regulations:

  • Products which are developed or modified exclusively for defence or national security purposes.
  • Spare parts for legacy products made available before the application of the CRA, or identical spare parts that have already undergone a conformity assessment.
  • Medical devices and in vitro diagnostic medical devices.
  • Vehicle products.
  • Aviation products.

Officially, the regulation will apply 3 years from the date of entry into force, which is expected to be during 2024 or early 2025. Certain reporting obligations will apply after 21 months.
Realistically, we can aim to prepare for partial compliance from 2026 onwards, with full compliance required from 2027.

Impact on the supply chain of products

Manufacturers remain responsible for the security of the entire product they bring to market, including the third-party dependencies they contain.

Manufacturers will therefore be expected to perform due diligence on the hardware and software components, including free and open-source software, that are integrated within the products.

At a minimum, this should cover checking whether the component's manufacturer demonstrates conformity themselves (by validating their CE mark), verifying that the component receives regular security updates, and verifying that the component is free from known vulnerabilities. If necessary, this can go as far as performing additional security testing.
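The three minimum checks above (conformity demonstrated, security updates still flowing, no known unpatched vulnerability) can be turned into a repeatable review of a product's component inventory. The script below is an added example and is not code from the article or from Amanita Consulting; the SBOM entries, the advisory list, the advisory identifiers and the `ce_conformity` and `last_security_update` fields are all constructed sample data standing in for a real SBOM and vulnerability feed, and the one-year staleness threshold is an assumed policy value.

```python
"""Added example (not from the article): a minimal component due-diligence
check of the kind described above. All inputs are constructed sample data."""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Component:
    name: str
    version: str
    supplier: str
    ce_conformity: bool          # supplier demonstrates CE conformity (assumed SBOM field)
    last_security_update: date   # date of the most recent security release (assumed field)


@dataclass
class Advisory:
    component: str
    fixed_in: str                # first version that contains the fix
    identifier: str              # placeholder identifier, not a real CVE


# Constructed sample SBOM and advisory feed (no real products or advisories).
SBOM = [
    Component("tls-lib", "1.2.3", "Vendor A", True, date(2024, 3, 1)),
    Component("json-parser", "0.9.0", "OSS project", False, date(2022, 6, 15)),
    Component("rtos-kernel", "4.1.0", "Vendor B", True, date(2024, 5, 20)),
]
ADVISORIES = [
    Advisory("json-parser", fixed_in="0.9.2", identifier="EXAMPLE-ADV-001"),
    Advisory("tls-lib", fixed_in="1.2.0", identifier="EXAMPLE-ADV-002"),
]


def due_diligence(components, advisories, as_of: date, max_staleness_days: int = 365):
    """Return {component name: [finding, ...]} for every component failing a check.

    Checks mirror the article's minimum: conformity demonstrated, security
    updates still arriving, and no known vulnerability left unpatched.
    """
    findings = {}
    for c in components:
        issues = []
        if not c.ce_conformity:
            issues.append("supplier does not demonstrate CE conformity")
        age = (as_of - c.last_security_update).days
        if age > max_staleness_days:
            issues.append(f"no security update for {age} days")
        for adv in advisories:
            if adv.component == c.name and parse_version(c.version) < parse_version(adv.fixed_in):
                issues.append(f"affected by {adv.identifier} (fixed in {adv.fixed_in})")
        if issues:
            findings[c.name] = issues
    return findings


def run_sample():
    """Run the checks over the constructed SBOM as of a fixed review date."""
    return due_diligence(SBOM, ADVISORIES, date(2024, 9, 1))


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In a real pipeline the SBOM would be parsed from a CycloneDX or SPDX document and the advisory list pulled from the supplier's or a public vulnerability feed; the point of the structure is that each of the three due-diligence questions is a separate, explainable finding that can be attached to the technical documentation for the product.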

Non-compliance carries significant consequences

Depending on the nature of the infraction, those responsible can be liable for administrative fines up to 15 million euros, or 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, if a product safety issue causing damage is found to be due to the lack of security updates after placing the product on the market, the liability of the manufacturer could be triggered.

Identifying the next steps

While there is ample time to comply with the upcoming regulation, many processes must be put in place, so now is a good time to begin preparing for these changes. The concrete steps will differ from company to company, and the first step will probably be to assess your current state and perform a gap analysis to identify what work will be required to comply with the new regulation in your specific situation.

It is to be expected that different types of transformation activities will be required to achieve this. Examples could be introducing new policies, integrating security threat assessments and risk analysis into your product design phase, adding new technical security controls to your firmware, such as encrypting data at rest or making secure over-the-air firmware updates possible, or getting started on security testing and deciding how conformity testing will be approached.

To learn more about the technical requirements of this regulation, you can continue reading our exploration of the Cyber Resilience Act requirements in our second article, which deep-dives into the technical cybersecurity requirements of this act. It can be found here: Reflections on Cyber-Resilience Act Requirements

Amanita Consulting offers trusted cybersecurity services to product manufacturers and has plenty of experience addressing these questions for clients, from both the process and technical perspective.
We can help you get on top of this challenge.

If you want to learn how the Cyber Resilience Act affects your unique circumstances, reach out for a friendly chat to see how we can help.
