What should Directors know about the EU Cyber Resilience Act?
Introduction
The digital world is increasingly connected as the prominence of Internet of Things (IoT) devices continues to grow exponentially. Everything from smart watches to critical infrastructure is online, making cybersecurity a global priority for the safety and security of people and international infrastructure. The growing number of connected devices comes with a skyrocketing cost of cybercrime, as digital hardware and software products are one of the main avenues for cyberattacks. In our connected environment, a cybersecurity incident in one product can affect an entire organisation or a complete supply chain, often propagating across borders within a matter of minutes. The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire world.
What is the EU Cyber Resilience Act (CRA)?
The EU Cyber Resilience Act is a European regulation that entered into force on 10 December 2024 and sets out broad cybersecurity requirements for products with digital elements (PDE).
Any product with digital elements, hardware or software, that is made available on the European market, whether free or paid, sold or distributed within the European Union, will need to meet a minimum expectation of security, so that manufacturers take security seriously throughout their product’s life cycle. This new regulation will come into force for all organisations as of 24 October 2027.
The EU CRA applies to all products with digital elements (PDE), which includes any software or hardware product and its remote data processing solutions. Examples are:
- End devices: laptops, tablets, smartphones, sensors and cameras, smart robots, smart cards, smart meters, mobile devices, smart speakers, routers, switches and industrial control systems.
- Software: firmware, operating systems, mobile apps, Virtual Private Network (VPN) software, security tools, antimalware tools, desktop applications and video games.
- Components (both hardware and software): central processing units (CPU), video cards and software libraries.
“Remote data processing” is any data processing that is a core functionality of the product (without which the PDE cannot fulfil its function) and that is developed by one of the following:
- Hardware manufacturers: Producers of physical devices with digital components like IoT devices, smartphones, smartwatches and computers
- Software developers: Companies or individuals creating software applications and systems
- Service providers: Cloud solutions constitute remote data processing solutions
Remark: certain sectors are excluded from the EU CRA because they are already covered by existing regulations, such as professional medical devices, military hardware, automotive vehicles, civil aviation systems and marine equipment. Free and open-source software (FOSS) does not fall under the CRA unless it is supplied in the course of a commercial activity.
EU CRA key objectives
The key objectives of the EU CRA are to reduce vulnerabilities in digital products, minimise the risk of cyberattacks and ensure a high level of cybersecurity for all products on the market.
- Manufacturers, importers and distributors: must comply with these security standards by offering products that are secure by design and secure by default. In addition, they must offer security updates free of charge for the lifetime of the products, and report actively exploited vulnerabilities to the EU Agency for Cybersecurity (ENISA), or face fines and product bans. They need to demonstrate compliance with the CRA through self-attestation (98% of the products) or third-party conformity assessment (for the most critical products).
- Businesses: may need to update procurement processes to ensure compliance with the EU CRA.
- Consumers: gain access to safer and more reliable digital products which meet specific cybersecurity standards, increasing consumer protection from cyberattacks.
The EU CRA aims to fill gaps in current cybersecurity frameworks and practices by ensuring that products are secure by design, that software dependencies are fully disclosed and that products can be reset to a secure default configuration as needed. The importance of the EU CRA lies in its horizontal approach: it covers a wide range of products and industries throughout the supply chain, so that cybersecurity is no longer an afterthought but a fundamental part of the development and production process.
EU CRA product classifications*
Default Category: all products with digital elements that do not fall into the higher-risk categories. Products in this category generally require self-assessment by the manufacturer. Examples are games, smart speakers or desktop applications.
Important Products:
Class I: may require more rigorous self-assessment and documentation compared to the default category. Examples are password managers and browsers.
Class II: require third-party assessment to ensure compliance. Examples are operating systems and firewalls.
Critical Products: subject to the most stringent conformity assessment procedures, including mandatory third-party evaluations and more frequent reassessments. Examples are smart cards and smart meters.
*The EU is still working on implementing regulations that define these product categories. This will influence what is in scope and what is out of scope.
EU CRA key requirements
The EU CRA enforces rigorous standards to ensure cybersecurity from a product’s development to end-of-life stages by establishing:
- Rules for making products with digital elements (PDE) available on the market, in order to guarantee their cybersecurity;
- Essential requirements for the design, development and production of these products;
- Essential requirements for the vulnerability management processes put in place by manufacturers;
- Rules and provisions for market surveillance and enforcement.
Manufacturers, importers and distributors of PDE must consider cybersecurity throughout the entire lifecycle of the PDE.
Secure by design: Products must be developed with security as a primary concern, including configurations that minimise vulnerabilities. PDEs shall be designed, developed, and produced to ensure an appropriate level of cybersecurity based on the risks they face. This risk assessment shall be documented and updated regularly. When placing a PDE on the market, the manufacturer should include this information in the product's technical documentation.
Software Bill of Materials (SBOM): Manufacturers must maintain an SBOM, a detailed list of the software components used in a product, to facilitate identifying and addressing vulnerabilities. Manufacturers must verify the integrity of third-party components, including open-source components, so that they do not compromise the security of the PDE.
Vulnerability management (VM): Manufacturers should identify and document the PDE's components and vulnerabilities before and after placing it on the market for the entire support period. Manufacturers must continually test and assess their products for vulnerabilities. Once discovered, vulnerabilities must be remediated promptly and manufacturers must provide secure updates.
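The two requirements above, an SBOM and ongoing vulnerability management, work together: the SBOM lists what is in the product, and vulnerability management means matching that list against new advisories for the whole support period. The script below is an added illustration, not code from the article or from GUBERNA. It embeds a constructed CycloneDX-style SBOM for a hypothetical firmware (component names, versions and advisory identifiers are all invented placeholders, not real packages or CVEs) and shows the core check a manufacturer automates: which listed components fall below the fixed version named in an advisory.

```python
"""Match an SBOM against an advisory list (illustrative example).

The SBOM and the advisory feed below are constructed for this example.
Names such as "libexample-tls" and ids such as "ADV-EXAMPLE-0001" are
placeholders, not real components or vulnerability identifiers.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical gateway firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-gateway-firmware", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.4.2",
     "purl": "pkg:generic/libexample-tls@1.4.2"},
    {"type": "library", "name": "example-http", "version": "0.9.1",
     "purl": "pkg:generic/example-http@0.9.1"},
    {"type": "library", "name": "example-json", "version": "3.1.0",
     "purl": "pkg:generic/example-json@3.1.0"},
    {"type": "library", "name": "example-no-version"}
  ]
}
"""

# Constructed advisory feed: every version strictly below "fixed_in" is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libexample-tls", "fixed_in": "1.4.5"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-http", "fixed_in": "0.8.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-json", "fixed_in": "3.2.0"},
]


def parse_version(version):
    """Turn a dotted version string into a tuple of ints so it compares numerically.

    "1.10.0" must sort after "1.9.0"; a plain string comparison would get that wrong.
    """
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Return (name, version) pairs for every SBOM component that carries a version.

    Components without a version cannot be assessed and are skipped here; in a real
    process they would be flagged as an SBOM quality defect.
    """
    sbom = json.loads(sbom_json)
    return [
        (c["name"], c["version"])
        for c in sbom.get("components", [])
        if "name" in c and "version" in c
    ]


def match_advisories(components, advisories):
    """Return one finding per (component, advisory) pair where the shipped version is affected."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in match_advisories(load_components(SBOM_JSON), ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}; "
              f"update to {f['fixed_in']}")
```

Running the script lists the two affected components (the TLS and JSON libraries) and leaves `example-http` alone, since its shipped version is already above the fixed version. In practice the advisory feed would be a real vulnerability database and the SBOM would be generated by the build pipeline, but the matching step, and the need to re-run it for as long as the product is supported, is exactly what the SBOM and vulnerability management requirements call for.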
Transparency and disclosure: If a vulnerability is identified and fixed, manufacturers must disclose this information to the public, so that users are informed and can take appropriate action. Where applicable, products with digital elements shall:
- be sold with the secure default configuration
- be protected from unauthorised access
- protect the confidentiality and integrity of the data they handle, limiting that data to the minimum necessary.
Importers may not place PDE on the market that do not comply.
Reporting security incidents under EU CRA
Manufacturers must notify any actively exploited vulnerability in their products to the designated CSIRT (Computer Security Incident Response Team) coordinator and ENISA (EU Agency for Cybersecurity) via a single reporting platform within specified time frames (24 hours for an initial alert, 72 hours for a detailed report, and 14 days for a final report).
Severe security incidents in a product must be reported to the CSIRT coordinator and ENISA through the same platform within 24 hours for an initial alert, 72 hours for detailed information, and one month for a comprehensive final report.
EU CRA Conformity Assessment
The conformity assessment process under the EU CRA is designed to verify that products comply with the specified cybersecurity requirements:
Self-Assessment: For less critical products, manufacturers may conduct self-assessments to demonstrate compliance with the EU CRA’s requirements. This involves creating a technical documentation file that outlines how the product meets the essential cybersecurity standards.
Third-Party Assessment: For more critical products, an independent third-party conformity assessment body must conduct the assessment. This ensures an unbiased evaluation of the product’s security features and its compliance with the EU CRA’s requirements.
Ongoing Compliance: Manufacturers will have to ensure continuous compliance by regularly updating their products to address new vulnerabilities and threats. This may include periodic reassessments by either the manufacturer or a third party, depending on the product category. Ongoing compliance is still under discussion, since the legal framework is currently not aligned with the accreditation framework.
The complexity of the assessment depends on the product’s classification.
Accountability under the EU Cyber Resilience Act
For manufacturers: fines of up to €15 million or 2.5% of their total worldwide annual turnover, whichever is higher.
For authorised representatives, importers, distributors, assessment bodies and their subcontractors: fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
Providing inaccurate, incomplete or misleading information to notified bodies or market surveillance authorities: fines of up to €5 million or 1% of total worldwide annual turnover, whichever is higher.
Alongside the potential loss of the requisite CE mark, the EU CRA will effectively ban non-compliant products from being distributed or sold in the EU.
Exceptions apply to manufacturers that are micro or small enterprises, which cannot be fined for failing to meet the notification deadlines for severe incidents and actively exploited vulnerabilities, and to open-source software stewards, which cannot be subject to financial penalties regardless of the violation of the EU CRA.
Conclusion on the EU Cyber Resilience Act
The EU Cyber Resilience Act introduces comprehensive legislation for products with digital elements (PDE) to ensure their ongoing security, and will come into force as of 24 October 2027. By requiring companies that produce, sell or distribute products with digital elements in the EU to prioritise security throughout the product lifecycle, the EU aims to protect the consumers of those products. By embedding cybersecurity into the fabric of the development process and ensuring compliance with the EU CRA, companies can mitigate risks while gaining a competitive edge in the market by offering more secure, resilient products with digital elements.
One final comment
Organisations implementing the EU NIS2 directive or DORA will be able to reuse much of the work they have invested in security compliance for the EU CRA as well. But it is essential to understand that, unlike NIS2 or DORA, the EU CRA regulates products, not entities.
Article authored by the GUBERNA Sounding Board Committee for Cybersecurity
For any comments, questions or queries on cybersecurity issues, you can get in touch with the Sounding Board committee members.