What You Need to Know About the EU Cyber Resilience Act

Understand what the CRA entails and how to comply.   

What is the CRA?

The Cyber Resilience Act (CRA) is an upcoming European Union regulation that aims to ensure that all digital products and services (such as software and hardware connected to the Internet) sold in the EU are designed with strong cybersecurity measures. It mandates that manufacturers secure their products throughout their lifecycles.

Who does the CRA apply to?   

The CRA applies to all “products with digital elements” (PDE), which includes any software or hardware product and its remote data processing solutions. “Remote data processing” is any data processing that is a core functionality of the product (without which the PDE can’t fulfill its function) and developed by the PDE manufacturer. PDEs can stem from: 

• Software developers: Companies or individuals creating software applications and systems 
• Hardware manufacturers: Producers of physical devices with digital components, such as IoT devices, smartphones, and computers 
• Service providers: Cloud solutions constitute remote data processing solutions only if they fall under the regulation’s definition. For example, a smart home device with a cloud-hosted platform used to control it from a distance falls under the regulation. 

Certain sectors, such as professional medical devices, motor vehicles, civil aviation systems, and marine equipment, are excluded from the CRA due to existing regulations.

When will the CRA be implemented?

The European Parliament (EP) adopted a “provisional” version of the CRA’s final text on March 12, 2024. However, this is still not the final version of the document. The CRA’s official signature and its publication are expected to happen around October 2024.  

Once the final text is officially adopted, the majority of it will be enforceable after three years (approximately October 2027). However, the incident reporting requirements will apply to manufacturers as soon as two years after enactment (October 2026). 

Prior to the date of application of the CRA, the EU will develop harmonized standards to better enable manufacturers to perform conformity assessments [Recitals 38-38a, 41-41d]. The EU Commission will also publish guidelines to assist companies with applying the CRA [Art. 17c; Recital 4a]. 

What are the requirements of the CRA?

Under Annex 1, the CRA security requirements are in two parts: 

Part 1 - Security requirements relating to the properties of products with digital elements (PDEs) 

1. PDEs shall be designed, developed, and produced to ensure an appropriate level of cybersecurity based on the risks they face. 
   
2. Where applicable, products with digital elements shall: 

• Be sold with the secure default configuration 
• Be protected from unauthorized access 
• Protect the confidentiality and integrity of the data they handle, limiting that data to the minimum necessary 
• And more 

Part 2 - Vulnerability handling requirements 

1. Identify and document the PDE components and their vulnerabilities. Address the vulnerabilities without delay. 
2. Regularly test and review the security of the PDE. 
3. Create an extensive vulnerability-handling plan containing:

• Automatic security updates for fixing the vulnerabilities promptly 
• Advisory messages providing relevant information 
• A vulnerability report platform 
• Vulnerability disclosure policies 

What are the obligations of manufacturers?

Article 10 of the document describes the manufacturer's obligations in relation to the requirements above. To place the PDE on the market, manufacturers will need to craft a risk assessment for the PDE, which will be documented and updated regularly. The assessment needs to include the following: 

• An analysis of cyber risks based on the purpose, use, and environment of the PDE. 
• The requirements from part 1, point 3, which are applicable to the PDE. 
• How the manufacturer will apply part 1, point 1, and how will they handle the vulnerability requirements from part 2. 

When placing a PDE on the market, the manufacturer should include this information in the product's technical documentation. 

Apart from the risk assessment: 

• Manufacturers must verify the integrity of third-party components so they don't compromise the security of the PDE, including open-source components. 
• Manufacturers should handle the PDE's vulnerabilities before and after placing it on the market for the entire support period. 

Reporting security incidents

Article 11 in the document lays out the guidelines for incident reporting in PDEs. Manufacturers must give notice of any actively exploited vulnerability in their products to the designated CSIRT (Computer Security Incident Response Team) coordinator and ENISA (The European Union Agency for Cybersecurity) via a single reporting platform within specified time frames (24 hours for an initial alert, 72 hours for a detailed report, and 14 days for a final report). 

Similarly, severe security incidents must also be reported within 24 hours for an initial alert, 72 hours for detailed information, and one month for a comprehensive final report, with the notifications submitted to both the CSIRT and ENISA through the same platform. 

Product classifications

Default Category: This includes all products with digital elements that do not fall into the higher-risk categories. Products in this category generally require a self-assessment by the manufacturer. 

Important Products (Class I and Class II): 

• Class I: These are products that are important but not critical. They may require more rigorous self-assessment and documentation compared to the default category. 
• Class II: These are more critical than Class I products and typically require third-party assessment to ensure compliance. 

Critical Products: These products pose the highest risk in terms of cybersecurity vulnerabilities and potential impact. They are subject to the most stringent conformity assessment procedures, including mandatory third-party evaluations and possibly more frequent reassessments 

Conformity assessment

The conformity assessment process under the CRA is designed to verify that products comply with the specified cybersecurity requirements. The complexity of the assessment depends on the product’s classification. Here are the steps involved: 

1. Self-Assessment: For less critical products, manufacturers may conduct self-assessments to demonstrate compliance with the CRA’s requirements. This involves creating a technical documentation file that outlines how the product meets the essential cybersecurity standards. 
2. Third-Party Assessment: For more critical products, an independent third-party conformity assessment body (notified body) must conduct the assessment. This ensures an unbiased evaluation of the product’s security features and compliance with the CRA’s requirements 
3. Ongoing Compliance: Manufacturers must also ensure continuous compliance by regularly updating their products to address new vulnerabilities and threats. This may include periodic reassessments by either the manufacturer or a third party, depending on the product category.

Penalties for non-compliance

Non-compliance with the CRA can result in significant fines. Manufacturers and other stakeholders could face fines up to €15 million or 2.5% of their total worldwide annual turnover, whichever is higher. There are also specific penalties for providing inaccurate or misleading information to regulatory bodies. 

How Legit Security helps organizations get ahead of the CRA 

• Automated Compliance: Legit automates compliance checks and ensures your products meet CRA standards from development to deployment.  
• Continuous Monitoring: We provide ongoing monitoring and updates to keep your products secure and compliant over time.  
• Proactive Risk Management: Identify and address security risks early in the development process, minimizing vulnerabilities.  
• Comprehensive Reporting: Generate detailed compliance reports to easily demonstrate adherence to CRA requirements.  
• Vulnerability Management: Manage all your product's vulnerabilities in one place and reduce the noise to prioritize threats before they can be exploited. 

Learn more about how Legit is helping enterprises comply with cybersecurity regulations.