Cyber Resilience Act passed

The Cyber Resilience Act (CRA) is an EU regulation on the security of hardware and software products with digital elements. It was adopted by the Council of the European Union on October 10, 2024. After publication in the Official Journal of the EU, the Cyber Resilience Act will come into full force following a transition period of 36 months. From that point on, dealers, manufacturers and importers face fines in the millions, comparable to those under the General Data Protection Regulation (GDPR) and the NIS2 Directive. Given long product development cycles and comprehensive process requirements, affected companies should take action now.

[Update 20.11.2024: The CRA was published in the Official Journal of the EU on 20.11.2024. The requirements must be met from 11 December 2027. Certain reporting obligations apply from 11 September.]

The CRA defines binding cybersecurity requirements across the entire product lifecycle. Affected products range from baby monitors, smart watches and computer games to firewalls and routers. For the first time, the principles of “security by design” and “security by default” are to be enshrined in law by the EU. These requirements are necessary because vulnerabilities in these products pose a significant threat to the security of companies and consumers.

Goals of the act

The aim of the CRA is to increase the resilience of digital products on the European market. The regulation is intended to

  • ensure that hardware and software products in the EU have fewer vulnerabilities
  • ensure that manufacturers remain responsible for cybersecurity throughout the life cycle of a product
  • improve transparency regarding the security of hardware and software products
  • ensure better protection for commercial users and consumers

The CRA supplements the cybersecurity requirements of the NIS2 Directive. As an EU regulation, the CRA, like the GDPR, applies directly in all member states by decision of the European Parliament and the Council. Unlike the NIS2 Directive, the essential parts of the CRA do not require national implementing legislation. However, member states can issue stricter requirements under certain conditions, for example in the area of national security.

Who is affected?

The range of companies affected by the CRA is more comparable with the General Data Protection Regulation (GDPR) than with NIS2. While the NIS2 Directive applies only to defined essential and important entities above a certain size, the CRA affects all companies, with a few exceptions, even if they are not based within the EU. This is because the CRA applies to all products with digital elements that are placed on the market within the EU.

This affects products with digital elements or components that are designed to establish a direct or indirect data connection with other devices or networks. This can include both software and hardware.

Definition of product with digital elements: “Any software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.” (Source: European Cyber Resilience Act, Chapter 1, Article 3 (1))

This affects companies that manufacture these products as well as retailers and importers. It does not matter whether the products are sold for payment, monetized in another way or provided free of charge.

Exceptions

The CRA is generally relevant for all industries. There are no size-related exceptions. However, the following sectors are excluded:

  • Products with digital elements provided by public authorities or used for national security or defense
  • In vitro diagnostics and other medical devices with existing regulations
  • Vehicles, flight systems and areas for which regulations with equivalent requirements already exist

Cloud services are only exempt from the CRA if they do not constitute “remote data processing solutions” for a product with digital elements. This is already the case if, for example, a mobile application requires access to an interface (API) that is provided via a service developed by the manufacturer. In this case, the Software-as-a-Service (SaaS) service falls within the scope of the CRA as a remote data processing solution.

Obligations

The CRA divides cybersecurity requirements into two areas. On the one hand, it sets requirements for the properties of digital products, and on the other hand, it sets requirements for dealing with vulnerabilities.

1. Security requirements for the properties of digital products:

This includes limiting the attack surface as far as possible throughout the development process, in accordance with the principle of “security by design”, and delivering digital products without known exploitable vulnerabilities. In line with the principle of “security by default”, it must be ensured that products ship with a secure default configuration. The use of cryptography to protect confidentiality and integrity is also prescribed. Furthermore, the principle of data minimization applies: personal or other data may only be stored for as long as is strictly necessary for the digital product to function.

2. Requirements for dealing with vulnerabilities:

The security of the product with digital elements must be regularly and effectively tested and verified. A strategy for coordinated vulnerability disclosure must be written and implemented. Software updates must be provided for a period of at least five years from market launch, unless the product has a shorter lifespan due to its specific nature.

3. Reporting obligations to be observed:

Users must be informed about fixed vulnerabilities and cybersecurity incidents. In addition, serious cybersecurity incidents and any actively exploited vulnerabilities must be reported to the European Agency for Cybersecurity (ENISA) within 24 hours. For this purpose, ENISA will provide a central reporting platform.

4. Transparency regarding the software components used:

In order to identify vulnerabilities in components of products with digital elements, all components must be documented, including by creating a software bill of materials (SBOM) in a commonly used, machine-readable format.
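As an added illustration that is not part of the original article, the following Python script checks a CycloneDX-format SBOM for the kind of component documentation the text calls for: every listed component carries a name, version, supplier and package URL, and every declared dependency resolves to a documented component. The sample SBOM, the chosen field set and the check function are constructed for this example and are not requirements quoted from the regulation.

```python
import json

# Constructed sample SBOM in CycloneDX JSON format (example data, not a real product).
# Two of the three components are deliberately incomplete so the check has something to report.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "device", "bom-ref": "product",
                               "name": "example-gateway-firmware", "version": "2.4.0"}},
    "components": [
        {"type": "library", "bom-ref": "openssl", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "bom-ref": "zlib", "name": "zlib",
         "supplier": {"name": "zlib"}},                      # no version, no purl
        {"type": "library", "bom-ref": "json-parser", "name": "json-parser",
         "version": "1.2.0"},                                # no supplier, no purl
    ],
    "dependencies": [{"ref": "product", "dependsOn": ["openssl", "zlib", "json-parser"]}],
})

# Assumed minimum per component for this example (not a field list taken from the CRA text).
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")


def check_sbom(sbom: dict) -> list:
    """Return (component, problem) findings; an empty list means the SBOM passed the check."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append(("<document>", "not a CycloneDX document"))
    components = sbom.get("components", [])
    known_refs = {c.get("bom-ref") for c in components}
    for comp in components:
        for field in REQUIRED_FIELDS:
            if not comp.get(field):          # missing or empty value
                findings.append((comp.get("name", "<unnamed>"), field))
    # Every dependency reference must point at a component that is itself documented.
    for dep in sbom.get("dependencies", []):
        for ref in dep.get("dependsOn", []):
            if ref not in known_refs:
                findings.append((ref, "unresolved dependency ref"))
    return findings


def check_sbom_json(text: str) -> list:
    """Parse a machine-readable SBOM from JSON text and run the completeness check."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for component, problem in check_sbom_json(SAMPLE_SBOM_JSON):
        print(f"{component}: missing {problem}")
```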

Classification of products

The products are classified according to the following three classes:

  • “Normal” products with digital elements: This “standard category” includes a large proportion of IT products with basic security relevance, such as everyday consumer electronics, photo processing products, intelligent toys, televisions or refrigerators.
  • Important products with digital elements:
    • Class 1: e.g. identity management and access control systems, biometric readers; standalone and embedded browsers; password managers; software for searching, removing and quarantining malware; products with digital elements with the function of a virtual private network
    • Class 2: e.g. hypervisors and container runtime systems; firewalls
  • Critical products with digital elements: This class includes, for example, hardware devices with security boxes; smart meter gateways; devices for secure crypto processing; chip cards or similar devices. An external audit of the security standards is mandatory.

Conformity assessment

All digital products sold on the European market must undergo a conformity assessment, which should be carried out on the basis of harmonized EU standards. Conformity is documented on the product with the “CE mark”. Depending on the classification of the product, the conformity assessment can be carried out by means of

  • an internal control procedure;
  • the EC-type examination procedure;
  • comprehensive quality assurance audited by a third party;
  • the European Cybersecurity Certification Scheme.

An example

A mechanical engineering company installs computer chips to control a machine. According to the CRA, the manufacturer of these computer chips must prove that it has complied with EU-wide harmonized cybersecurity standards during development and production. The documentation must be provided in the form of a software bill of materials. In addition, the manufacturer must document any vulnerabilities known to it.

Before the chip is placed on the market, the manufacturer must also carry out a conformity assessment procedure. Only then can the CE marking be affixed. The mechanical engineering company must also implement the specified conformity assessment procedure for its part of the supply chain. Both companies must also provide updates and fulfill reporting and information obligations after the chip and machine have been placed on the market.

Interaction with NIS2

The CRA helps companies affected by the NIS2 Directive to meet supply chain security requirements. It is also expected that NIS2 will indirectly require important and essential entities to control the use of CRA-compliant software and hardware, since Article 21 requires companies to take into account relevant European and international standards in their supply chain risk management measures.

Penalties

Violations of the CRA requirements may result in fines of up to EUR 15 million or, in the case of large companies, up to 2.5 percent of the total worldwide annual turnover of the previous financial year, whichever is higher.

What should affected companies do now?

Since the CRA sets out comprehensive obligations for the companies concerned, they should already make themselves familiar with the regulatory requirements for their products and the development process. They should also carry out risk assessments and prepare the necessary documentation to demonstrate compliance.

If you need support in designing, implementing or testing the requirements of CRA or NIS2 in your company, we are available to provide you with tailor-made offers and accompany you step by step on the path to conformity assessment.

We would be happy to have a non-binding discussion with you!
Contact us at office@certitude.consulting

Outlook

The regulation empowers the European Commission to issue so-called delegated acts in the months following the CRA’s adoption to clarify technical details. However, some technical definitions will be decisive in determining whether a product is subject to stricter rules as a critical or important product. It can therefore be assumed that the Commission’s delegated acts will increase legal certainty. In addition, the Commission is empowered to determine further categories of critical products in order to regulate them more strictly.

Authors: Markus Hefler, Florian Schweitzer (Certitude Consulting)