In recent years, there has been a plethora of new European Union (EU) regulations covering technology and security. Among them is the Cyber Resilience Act (CRA), which will come fully into force in December 2027. In this extract from OpenSpace magazine, we look at how this differs from all the other related Acts and Directives, and what organisations need to be aware of.
Organisations selling technology-related goods and services in the EU marketplace are having to take account of a raft of recent and new Acts and Directives that place requirements on the way they operate and the security of their products. Among these are the Network and Information Security Directive 2 (NIS2), the EU AI Act, the Cyber Solidarity Act, the Critical Entities Resilience Directive and the Cyber Resilience Act (CRA). There are also vertical, or sector-specific, regulations such as the Digital Operational Resilience Act (DORA), which focuses on cybersecurity and ICT risk management in the financial sector.
Much attention has been focused on NIS2, which expands cybersecurity obligations for ‘essential and important entities’ (as defined in NIS2) and their supply chains. Of late, however, organisations have been broadening their attention to include the CRA in an effort to understand the requirements that this new regulation will place on them. Approved by the European Parliament and Council in October 2024, it will be fully applicable by December 2027, although some reporting obligations will begin in September 2026.
Why is the CRA needed?
Unlike NIS2, which applies to entities, the CRA applies to products: specifically, all products with digital elements, which range from simple toys and components to networked robotic tools, autonomous vehicles and spacecraft. There can be security vulnerabilities in any software or hardware, meaning that any product with a digital element is a weak point that cyber criminals can exploit to carry out an attack, and this has become a concern for the EU.
The Cyber Resilience Act addresses two fundamental problems. The first is the low level of cybersecurity of all products with digital elements, making them vulnerable to cyber threats and attacks, which can have profound effects because so many things are now interconnected. The second is the insufficient understanding of this by users.
The CRA isn’t simply repeating existing regulatory requirements in a different guise. Instead, because product security is different from organisational security, the CRA has been established as a complementary regulation to others that already exist. ‘Ship and forget’ is no longer going to be an option for any organisation producing products with a digital element in the EU.
What does the CRA cover?
According to the European Commission (EC): “The Cyber Resilience Act introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.” This covers all products with any digital element(s) and includes all related remote data processing components.
Manufacturers are obliged to ensure that:
- Cybersecurity is taken into account in planning, design, development, production, delivery and maintenance phases
- All cybersecurity risks are documented
- Actively exploited vulnerabilities and incidents are reported
- Vulnerabilities are handled effectively for the duration of the support period
- Clear and understandable instructions are provided for the use of products with digital elements
- Security updates are made available to users for the time the product is expected to be in use.
A distinction is made between categories of products, which ultimately determines whether they can be ‘self-assessed’ by their manufacturer against specified standards or will need to be assessed by a third party. It’s expected that around 10% of products will fall into the latter group, being subdivided into Important Products Class I and II, and Critical Products.
The list of products that fall under Class I is long but includes many types of software including operating systems, plus hardware such as routers, switches and microprocessors. Class II products include, for example, firewalls and hypervisors, while Critical Products include hardware devices with security boxes, smart meter gateways and smartcards.
Supply chains can be long and complicated, so it’s essential that manufacturers and developers of software and hardware, including components, know their existing and target client sectors. How a component is going to be used may determine the level of assessment required.
Some sectors are specifically excluded from the CRA’s remit due to their specialised nature and existing sector-specific regulations. This includes products developed or modified for national security or defence purposes. The CRA does, however, cover the space sector (when not exclusively military).
Getting prepared
Over the next 2 years, there will be a number of milestones for the adoption of the various elements of the Act. There are two key dates that manufacturers specifically need to prepare for:
- First, from 11 September 2026, it will be mandatory to report vulnerabilities and significant security incidents to national authorities and the European Union Agency for Cybersecurity (ENISA).
- From 11 December 2027, full compliance with the CRA is mandatory.
Post-sale requirements
The requirements of the CRA don’t stop once a product has been delivered. Companies will have to provide security updates for their digital products for a minimum of 5 years or the product’s expected lifetime, whichever is shorter. Technical documentation must be continually updated during the support period as a minimum and, along with declarations of conformity, be available for 10 years after a product has been placed on the EU market.
In addition, manufacturers must report any actively exploited vulnerabilities and severe security incidents to their appointed national Computer Security Incident Response Team (CSIRT) and ENISA within 24 hours. They may then need to provide further information within 72 hours and a final report within 14 days for vulnerabilities or within one month for severe incidents. They must also inform any impacted users – and, where appropriate, all users – in a timely manner of an actively exploited vulnerability or severe incident and, where necessary, provide details about risk mitigation and any corrective measures that they might deploy to mitigate the impact.
The aim is to ensure swift action to address vulnerabilities and mitigate the impact of security incidents, thereby improving the overall cybersecurity posture of products in the EU market.
What do companies need to do now?
Although CRA-related standards don’t yet exist, companies should be evaluating how the Act will affect each one of their products so that they can be ready to assess them, or have them assessed, when the standards are published.
The first thing companies need to do is to understand whether they are impacted by the Act or not. In essence, all products with a digital element, including ones that don’t process data themselves but link to remote data processing, come within the scope of the Act. There are some exceptions and there are also prescriptive lists of categories of products that require more stringent conformity assessments.
The next step is to undertake a risk assessment to identify the actions needed to meet the requirements for compliance.
If products are found to be non-compliant, the relevant authorities could insist that they be made compliant, restrict their availability or order that they be withdrawn from the market or even recalled. There will also be provision for financial penalties for non-compliance reaching up to €15 million or 2.5% of a company’s global annual turnover, whichever is higher.
Towards a more secure tomorrow
The CRA specifically focuses on products, which in many respects differentiates it from other security-related regulations. However, this does not mean that all preparatory activities can, or should, be distinct from ongoing work to meet the requirements of other EU Acts and Directives.
The upshot is that while compliance with the CRA is likely to require separate, focused risk assessments and associated changes to products and processes, it is essential that all organisations shift towards seeing cybersecurity as a fundamental part of how they operate.