Preparing for the EU Cyber Resilience Act

What is the Cyber Resilience Act (CRA)?

With the Cyber Resilience Act's entry into force imminent, we examine the law, which will introduce a wide-ranging framework governing the cybersecurity of digital products sold in the EU.

The draft Act sets out essential cyber security requirements for the design, development, and production of "products with digital elements" (PDEs). Broadly speaking, PDEs cover all hardware and software products, with some exceptions for products already regulated elsewhere, such as medical devices, national security products, and vehicles.

Manufacturers, developers, and vendors will need to meet the CRA requirements before the product can be put on the market in the EU.

What are the requirements?

All the essential requirements are set out in Annex I of the CRA, broadly covering:

• Embedding Secure-by-Default principles from the outset

• Ensuring the product does not have any known exploitable vulnerabilities

• Implementing authentication and identity or access management systems

• Protecting the confidentiality and integrity of data (e.g., through encryption or other technical means)

• Protecting the availability of essential functions

• Designing, developing, and producing products to limit attack surfaces, including external interfaces

• Providing security-related information

• Ensuring vulnerabilities can be addressed through security updates

It also sets out essential requirements for the vulnerability handling processes to be put in place (see Annex II) to ensure cybersecurity is considered for the whole life cycle of a product. This includes drawing up a software bill of materials (SBOM).

Products deemed "important" under the Act will be required to apply a relevant standard or undergo a third-party assessment to demonstrate their compliance.

Once the Act enters into force, the Commission will be able to direct standardisation organisations to draft harmonised standards for the essential requirements. This will build on work by the European agency ENISA, which has already been working on three cyber security certification schemes as part of the Cyber Security Act, including the EU's Common Criteria (EUCC) for ICT products, the Cloud Certification Scheme (EUCS), and the EU5G Certification Scheme.

For a small number of products considered "highly critical," manufacturers and vendors will have to gain mandatory EU certification before they can sell the product into the EU.

When will products have to be compliant?

Once the CRA is enacted, vendors, manufacturers, and developers will have 21 months to comply with the incident and vulnerability requirements and 36 months to comply with the remaining requirements.

Are other countries adopting similar laws?

Outside of the EU, governments are pursuing a mix of mandatory and voluntary measures to enhance hardware and software security standards. For example:

United Kingdom

  • Manufacturers of consumer IoT devices must comply with the requirements set out in the UK Product Security and Telecoms Infrastructure (PSTI) Act 2021.
  • The UK Government is also crafting and driving the uptake of Codes of Practices for Apps and App Stores and software security. While these Codes are voluntary at this stage, they could be mandated in the long term.

Australia

  • The Australian Government has announced that it will legislate a mandatory cyber security standard for IoT devices, supported by a voluntary smart device labelling scheme for consumer devices.
  • Like the UK, it plans to develop a voluntary Code of Practice for Apps and App Stores and work to harmonise software standards on the international stage.

United States

  • The Federal Government is using its procurement levers to drive up standards, implementing new procurement rules on IoT cyber security alongside a Government IoT security labelling program (the "Cyber Trust Mark").
  • It has also secured pledges from over 100 software manufacturers to build secure-by-design enterprise software products and services.

What do vendors, developers, and manufacturers need to do now?

While the compliance deadlines for vulnerability reporting and cyber security requirements are still at least 21 months and 36 months away, respectively, affected organisations must begin building security considerations into their product development cycles now. Failure to do so could mean that new products in development today will not meet the standards required to be sold into the EU market in a few years' time.

Non-compliance will not only leave new products less secure but also carries a hefty cost: fines of up to €15 million or up to 2.5% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.

While the Act's coming into effect may seem some time away, manufacturers are advised to begin preparing for these legislative changes sooner rather than later.

Specifically, we recommend prioritising the following steps:

1. Determine which products within your portfolio will be introduced once the CRA comes into force. This includes any new products, as well as those which are due to have a substantial modification regarding (security) functionality.

2. For each product, determine which category it falls under and whether self-assessment, an independent conformity assessment, or certification is required.

3. Start creating a Software Bill of Materials (SBOM) for all software components in the product portfolio. Note that there is not yet a consensus on the required depth of the SBOM.

4. Create a process to monitor, fix, and report vulnerabilities, aligning with existing standards such as ISO/IEC 29147:2018.

Now is an excellent time to ensure you are following best practices, adhering to the existing certifications introduced through the EU Cybersecurity Act, and making security a priority throughout the production process.

Verona Johnstone-Hulse

UK Government Affairs & Global Institutions Engagement Lead, NCC Group

Verona is an experienced government affairs and policy professional currently leading UK public affairs for global cyber security firm NCC Group. In this role, she oversees NCC Group’s engagement with UK government and regulatory decision-makers and the wider policymaking community against a backdrop of the increasing regulation of cyber resilience.

Prior to joining NCC Group, she oversaw in-house and consultancy public affairs programmes for a range of organisations – from FTSE100 and public sector institutions to start-ups and disruptors across many sectors of the economy, including aviation, logistics, and utilities.
