Understanding the Cyber Resilience Act: Strengthening Digital Security


April 15, 2024 – Reading time: 8 minutes

The Cyber Resilience Act (CRA), recently approved by the European Parliament, represents a significant step forward in bolstering cybersecurity across the European market. As digitization continues to shape our lives, ensuring the security and resilience of digital products becomes paramount.

Compared with the first legislative proposal published in 2022, the text adopted on 12 March 2024 updates several key aspects of the CRA. Let’s explore its implications for consumers, businesses, and the broader cybersecurity landscape.

1. Defining Product Categories

One significant update within the Cyber Resilience Act is the reclassification of products into “Important” and “Critical”.

“Important products” are those which fulfill essential functions. The focus on such products highlights their role in maintaining the integrity and reliability of operations, emphasizing the need for stringent checks to mitigate risks associated with digital vulnerabilities.

“Critical products”, on the other hand, are deeply integrated with cybersecurity measures and are identified by their potential to pose a significant threat if compromised. These products are crucial for safeguarding key digital and physical infrastructures, demanding heightened security protocols to protect against cyber threats.

2. Strengthening Incident Response

To ensure a strong incident response, Articles 14-17 of the CRA assign responsibilities:

Manufacturers must report any actively exploited vulnerability in their products with digital elements to the product users, to the designated coordinator – the Computer Security Incident Response Team (CSIRT) – and to the European Union Agency for Cybersecurity (ENISA), through a unified reporting platform. Reports must be made within specified deadlines and include information such as the severity of the vulnerability and the corrective measures provided.

ENISA may use reported information for coordinated management of cybersecurity incidents, whereas a CSIRT should inform the public about security incidents. ENISA produces technical reports on cybersecurity trends based on the received reports. CSIRTs can provide support for manufacturers in fulfilling their reporting obligations.

3. Streamlining Responsibilities

With Article 18 of the CRA, manufacturers have the option to appoint authorized representatives who can undertake a significant portion of the manufacturer’s tasks. This provision creates possibilities for commercial offerings and facilitates smoother operations within the supply chain.

4. Standardization and Certification

Article 27 lays the groundwork for ensuring the conformity of products with digital elements by relying on harmonized standards. It mandates European standardization organizations to develop these standards, aligning them with the essential requirements outlined in Annex I of the regulation. Additionally, the Commission is granted authority to enact implementing acts, which define technical specifications in cases where harmonized standards are lacking or fail to meet the requirements.

Article 32 states that manufacturers are tasked with assessing conformity with the essential requirements outlined in Annex I through specified procedures. These include internal control procedures, EU-type examination procedures followed by conformity assessments based on internal production control, comprehensive quality assurance assessments, or compliance with European cybersecurity certification schemes where applicable. The article further details the assessment procedures for different classes of products and specifies options for manufacturers of open-source software, Electronic Health Records (EHR) systems, and critical products with digital elements. Additionally, it highlights considerations for fee structures, particularly for small and medium-sized enterprises (SMEs), ensuring they are proportionate to their interests and needs.

5. Transitional Period and Support

One notable aspect of the CRA is the delineation of transition periods ranging from 6 to 36 months, depending on the product category. This extended timeframe aims to facilitate a smooth transition towards compliance, mitigating any potential disruptions to business operations.

Regarding the support of released products, the manufacturer must provide security updates, documentation of the product, and keep user manuals available for at least 10 years. If the product is used for less than 5 years, the manufacturer must provide support until the end of the product’s life cycle.

[Figure: the regulatory process after a product launch. For products used for less than 5 years, manufacturers must provide support until the end of the life cycle; after 10 years, manufacturers must still provide security updates, documentation and user manuals in paper and digital format.]

6. Empowering Small Enterprises

In alignment with the diverse business ecosystem, the Cyber Resilience Act introduces a comprehensive suite of measures specifically designed to empower SMEs. These initiatives range from specialized training and awareness sessions, aimed at enhancing understanding and implementation of regulatory requirements, to the creation of dedicated communication channels.

Further bolstering this support framework, the CRA advocates for the establishment of cybersecurity laboratories. These real-life labs offer SMEs a unique opportunity to test and refine their digital products in controlled environments, ensuring compliance and enhancing their market readiness. The provision of technical support and guidance from the European Commission and ENISA underscores a commitment to fostering innovation while maintaining cyber resilience.

Conclusion

The Cyber Resilience Act represents a significant milestone in promoting digital security within the European market. The CRA’s recent adoption highlights a commitment to addressing evolving cyber threats and enhancing overall digital security.

The CRA introduces updates and provisions aimed at bolstering cyber resilience. This includes reclassifying product categories, streamlining responsibilities, and emphasizing standardization and certification. Furthermore, the act empowers SMEs by providing tailored support and transitional periods.

Moving forward, stakeholders must remain vigilant in implementing the CRA’s provisions. By prioritizing cybersecurity, we can build a more resilient digital ecosystem that protects consumers and businesses against emerging cyber threats.

Annex I – Basic Requirements for products with digital elements

  • Products with digital elements must ensure an adequate level of cybersecurity
  • Providing products without known vulnerabilities and with secure default configurations
  • Timely security updates must be offered, with the option for users to reset products to their original state
  • Protection against unauthorized access and data encryption
  • Measures to maintain data integrity and report unauthorized alterations
  • Products should limit data processing to what is necessary and minimize potential attack surfaces
  • Mitigation mechanisms should be in place to reduce the impact of security incidents
  • Manufacturers must promptly identify, document, and address vulnerabilities, sharing information about resolved issues
  • Coordinated vulnerability disclosure strategies and mechanisms for information exchange about vulnerabilities should be established
  • Secure distribution of updates and free dissemination of security patches with relevant guidance are imperative
  • Users should have the capability to permanently delete data and transfer it securely to other systems

If you need further support in adopting the new measures of the Cyber Resilience Act for your own business our Cybersecurity Department is happy to help.

Author

  • Aldo Kobs

    Associate Consultant

Contact Person

  • Björn Engelhardt

    Cybersecurity Manager
    Head of Process Consulting
