Cyber Resilience Act: Final Regulation is About to be Passed

Author
Michael Fossati
Published
17 June 2024

The Cyber Resilience Act (CRA) is the name of the new EU Regulation aimed at strengthening the cyber security of smart devices. The Regulation defines binding cyber security requirements that must be met by manufacturers, importers and distributors of IoT products for the European market. It serves to supplement existing legal provisions and is due to be formally approved in the near future. Does your company deal with networked products on a commercial basis? If so, read on to find out which security requirements must be met and how you can prepare your smart devices for the strict standards.

The Cyber Resilience Act (CRA) will come into force in 2024, making it the most comprehensive law designed to regulate the cyber security of IoT products in Europe to date. The European Parliament adopted the CRA on 12 March, and the EU Council will approve the CRA by the end of the second quarter – an act that will officially enshrine it in law. Note that, unlike the NIS2 Directive, it does not need to be transposed into national law to be valid. The requirements will come into force during 2027 after a transition period of 36 months. The transitional period for reporting security incidents and vulnerabilities is 21 months.

These transitional periods of 36 or 21 months could pose a considerable challenge, as the development of new products and software usually takes several years. In particular, the retrospective adaptation of hardware and software product components to the new requirements can be extremely time-consuming in individual cases. Without the necessary foundations, such as a solid development process or the inclusion of security-by-design or security-by-default, retrospective implementation of the requirements may even be impossible or involve disproportionately high effort and costs. For this reason, some manufacturers, particularly in the automotive industry, have started to discontinue older products.

With the imminent approval of the CRA by the EU Council and the associated commencement of the transitional periods, it is important that companies check whether they fulfil the requirements of the EU Regulation. Measures to correct any discrepancies identified must be implemented before the end of the transition periods. 

Who is affected by the Cyber Resilience Act?

All manufacturers, importers or distributors of products that communicate with or can be connected directly or indirectly to an external device or network are obliged to comply with the EU’s Cyber Resilience Act Regulation.

Our everyday lives are full of an almost endless list of products that feature exactly these properties – the digital oven, the motion detectors for your home lighting, the fitness tracker on your arm, the car in the garage and a whole range of smart home devices – to name just a few examples.

Do you want to know if your product is also covered by the Cyber Resilience Act (CRA)? Contact us to find out. Our experts will also support you in identifying potential gaps and discrepancies with a CRA gap assessment. 


What does the Cyber Resilience Act aim to achieve?

The most important goal of the CRA is to improve the protection of consumers and companies who buy and use products with digital components. In particular, the aim is to guarantee standards in terms of cyber security for IoT products available on the EU market. The CRA is also intended to create greater transparency with regard to the security of hardware and software products.

In order to achieve these goals, the CRA defines the requirements for placing products with digital components on the market in the EU. The cyber security specifications that need to be met and the manufacturers’ duty of care extend over the entire life cycle of the products.

What are the minimum requirements set out in the CRA?

  • Integration of cyber security in all phases from planning to maintenance
  • Obligation to document cyber security risks
  • Obligation to report actively exploited vulnerabilities and incidents
  • Obligation to monitor and rectify vulnerabilities during the product life cycle (maximum five years)
  • Obligation to provide clear and understandable instructions for use
  • Commitment to security updates for at least five years

The challenge of open source code/software in your own IoT products

The CRA was revised due to concerns about the original rules on liability when using open source code/software. The previous drafts placed the obligation to comply on the creators of the software. However, the current version explicitly excludes open source organisations and natural persons who contribute to open source projects from liability. This means that the responsibility for compliance lies with the companies that use open source code/software commercially or market it as part of their products.

An inventory of all the components used is essential in order to be able to take responsibility for solutions that use open source code/software. The German Federal Office for Information Security (BSI) recommends the creation of a “software bill of materials” (SBOM).
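As an added illustration (not from the original article or from InfoGuard), the following Python snippet shows what such an inventory looks like as a minimal CycloneDX-style SBOM and how it can be matched against an advisory list to find components that need an update, which is the day-to-day basis for the vulnerability-monitoring obligation above. All component names, versions and advisory identifiers are constructed placeholders, not real products or CVEs.

```python
import json

# Constructed example: a minimal CycloneDX-style SBOM (JSON) for a
# hypothetical IoT firmware image. Names and versions are made up.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "firmware", "name": "smart-oven-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "tls-lib", "version": "1.4.2", "purl": "pkg:generic/tls-lib@1.4.2"},
    {"type": "library", "name": "json-parser", "version": "0.9.1", "purl": "pkg:generic/json-parser@0.9.1"},
    {"type": "library", "name": "mqtt-client", "version": "2.1.0", "purl": "pkg:generic/mqtt-client@2.1.0"}
  ]
}
"""
SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# Each entry names the affected component and the first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "name": "json-parser", "fixed_in": "0.9.3"},
    {"id": "ADV-PLACEHOLDER-0002", "name": "tls-lib", "fixed_in": "1.4.0"},
]


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def inventory(sbom):
    """Flatten the SBOM into {component name: shipped version}: the inventory itself."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def affected_components(sbom, advisories):
    """Return [(advisory id, component name, shipped version)] for every
    SBOM component whose shipped version is older than the fixed version."""
    shipped_versions = inventory(sbom)
    hits = []
    for adv in advisories:
        shipped = shipped_versions.get(adv["name"])
        if shipped is not None and parse_version(shipped) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], adv["name"], shipped))
    return hits


if __name__ == "__main__":
    for adv_id, name, version in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {name} {version} ships in the firmware and needs an update")
```

Only json-parser is flagged: tls-lib 1.4.2 is already at or above the fixed version, which is exactly the comparison a plain string match would get wrong.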

Gap assessment to determine the CRA maturity level

Would you like an overview of how well you are already positioned for the CRA or what else needs to be done? Let our experts perform a CRA gap assessment to show you whether and which deviations from EU requirements can be found in your security strategy.


Support with the implementation of specific measures

To help you meet your CRA requirements, InfoGuard has over 230 experts at your disposal, be it with our Risk Management & Compliance Services or 24/7 Cyber Defence & Incident Response Services from our ISO 27001 certified Cyber Defence Centre in Switzerland. Get in touch with us – our cyber security experts will be happy to help you.
