InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
With the planned future increase in the cyber resilience of digital products, the preparations that hardware manufacturers, software developers, distributors and importers of digital products on the EU market are required to make are also set to intensify. With this in mind, the European Commission presented the draft Cyber Resilience Act (CRA for short) in September 2022. The CRA is designed to improve the cyber security of products that can be connected to each other or to the Internet. This article explains precisely what the CRA is and why the CRA has the potential to become one of the EU’s most important cyber security laws.
The Cyber Resilience Act (CRA) for products with digital elements strengthens cyber security regulations to ensure safer hardware and software products. The CRA and the binding cyber security requirements formulated within it aim to achieve goals including the following:
The CRA applies to products that are: sold to end consumers, used in companies for production, sourced as precursors and further processed, or part of supply chains. The draft CRA envisages a number of measures to increase the cyber security of products.
The CRA is closely linked to other cyber security legislation such as the Network and Information Security Directive (NIS2), the Cyber Security Act, the Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR, in particular the “data protection by design” and “cyber security” elements).
In addition, the CRA sets out a number of essential requirements for hardware manufacturers, software developers, distributors and importers offering digital products or services on the EU market. The requirements of the CRA include:
Once the products are placed on the EU market, their manufacturers are subject to a duty of care for at least five years. The CRA covers a wide range of hardware and software. The same cyber security requirements apply to all products, but the type of conformity assessment is adapted to the respective risk level.
The CRA divides the products into three categories: class I; class II; not classified (standard category).
The The two categories for critical products are:
Source: European Commission
The categories of class I and class II differ mainly in terms of the prescribed conformity process. Class I must involve the application of a standard or the performance of a third-party assessment to demonstrate compliance. Class II requires a mandatory third-party conformity assessment.
Products already covered by other EU regulations are excluded from the Cyber Resilience Act. These include motor vehicles, aviation systems and medical devices for human consumption, as well as software-as-a-service (SaaS) products covered by the NIS2 Directive. The European Commission is empowered to update and clarify the list of products covered by the Act.
Steps that need to be taken to prepare for the Cyber Resilience Act include the following:
Although the points mentioned seem quite comprehensive, the CRA is still a work in progress. The European Parliament and the Council are currently reviewing the draft. As things stand, the CRA allows two years after its adoption for economic stakeholders and member states to adapt to the new requirements. The obligation to report actively exploited vulnerabilities and incidents will apply after one year.
Sanctions are modelled on the GDPR. In case of violations, the competent regulatory authorities can have products withdrawn from the market and impose fines of up to €15 million or 2.5 percent of the violating company’s global turnover (whichever is higher).
Are you also affected by the Cyber Resilience Act? If you are not yet ready: don’t worry. Our consulting specialists are available to provide you with expert advice and support, for example in the areas of NIST CSF, security assessments, architecture etc. Contact us for a no-obligation discussion and a quote. You can find out more about our Security Consulting Services here: