The EU Cyber Resilience Act: A Product Security Perspective

Scheduled for adoption in 2024, the Cyber Resilience Act (CRA) aims to safeguard consumers from insecure digital products. It introduces mandatory cybersecurity measures for products like operating systems and baby monitors. Companies affected by the Act have three years to comply, facing penalties if they don’t.

As we await its full implementation in 2024, businesses across industries such as medical, automotive, and critical infrastructure need to rethink how they handle data. To make things even more challenging, today’s connected products include many open source software components that may independently collect, store, and share data, creating potential legal obstacles for products both in production and in the field.

Complying with the Cyber Resilience Act

Some manufacturers are already partially implementing much of what the Cyber Resilience Act expects. For example:

  • SBOMs – Software Bills of Materials allow teams across an organization to rapidly identify all embedded software products within a device. Even as early as ideation, creating an SBOM allows teams to identify each component’s cyber risk for the environment in which it will operate.
    “For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of such incidents, including in relation to the health and safety of users.” – EU CRA
  • Vulnerability management – Companies must share newly discovered vulnerabilities in their products with relevant stakeholders. They must also inform the European Union Agency for Cybersecurity (ENISA) and the maintainers of any affected open source software. This can be conveyed via VEX (Vulnerability Exploitability eXchange) statements.
    “The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product.” – EU CRA
  • Continuous support – Similar to what the FDA requires for medical devices in the US, companies must consider the lifespan of a component and how it is maintained, and provide information on how products will be kept up to date after that support period.
    “A manufacturer that ceases its operations and, as a result, is not able to comply with the obligations laid down in this Regulation shall inform, before the cease of operation takes effect, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the concerned products with digital elements placed on the market.” – EU CRA

Compliance with the Cyber Resilience Act involves providing security updates for a certain period, promptly disclosing and patching vulnerabilities, and submitting a detailed SBOM. Failure to comply can result in fines or other corrective actions.
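The SBOM and vulnerability-management bullets above describe two artifacts that only become useful when joined: the SBOM lists what is embedded in the device, and VEX statements say whether each known vulnerability actually affects those components. The script below is an added example, not code from the original post or from any CRA guidance; it constructs a minimal CycloneDX-style SBOM and a set of VEX statements inline (the component versions and CVE-style identifiers are placeholders, not real advisories) and produces a per-component exposure report, flagging components whose VEX state still calls for action and VEX references that point at components missing from the SBOM.

```python
"""Join a device SBOM with VEX statements to produce an exposure report.

Added example (not from the original post). The field names follow the
CycloneDX JSON layout (components / bom-ref / purl, vulnerabilities /
affects / analysis.state), but all data below is constructed for
illustration and the CVE-style identifiers are placeholders.
"""
import json
from collections import defaultdict

# Constructed SBOM: three embedded components, each with a Package URL
# and a bom-ref that VEX statements can point at.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11", "bom-ref": "zlib-1.2.11"},
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:generic/openssl@3.0.2", "bom-ref": "openssl-3.0.2"},
        {"type": "application", "name": "busybox", "version": "1.36.0",
         "purl": "pkg:generic/busybox@1.36.0", "bom-ref": "busybox-1.36.0"},
    ],
})

# Constructed VEX statements (placeholder IDs). The third one references
# a bom-ref that is not in the SBOM, which a real review should catch.
VEX_JSON = json.dumps({
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "affects": [{"ref": "openssl-3.0.2"}],
         "analysis": {"state": "exploitable",
                      "detail": "fix scheduled for next firmware release"}},
        {"id": "CVE-0000-00002", "affects": [{"ref": "zlib-1.2.11"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}},
        {"id": "CVE-0000-00003", "affects": [{"ref": "libfoo-0.1"}],
         "analysis": {"state": "in_triage"}},
    ],
})

# CycloneDX analysis states that still require manufacturer action.
ACTIONABLE_STATES = {"exploitable", "in_triage"}


def load_components(sbom_json: str) -> dict:
    """Map bom-ref -> component dict for every component in the SBOM."""
    bom = json.loads(sbom_json)
    return {c["bom-ref"]: c for c in bom.get("components", [])}


def load_vex(vex_json: str) -> dict:
    """Map bom-ref -> list of (vulnerability id, analysis state)."""
    statements = defaultdict(list)
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        # A statement with no analysis block is treated as still in triage.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            statements[target["ref"]].append((vuln["id"], state))
    return statements


def exposure_report(sbom_json: str, vex_json: str) -> dict:
    """purl -> sorted list of (id, state); components with no VEX get []."""
    components = load_components(sbom_json)
    vex = load_vex(vex_json)
    return {comp["purl"]: sorted(vex.get(ref, []))
            for ref, comp in components.items()}


def unmatched_vex_refs(sbom_json: str, vex_json: str) -> list:
    """VEX references that name no SBOM component (stale or wrong ref)."""
    components = load_components(sbom_json)
    return sorted(ref for ref in load_vex(vex_json) if ref not in components)


def components_needing_action(sbom_json: str, vex_json: str) -> list:
    """purls whose VEX state still demands a fix or a triage decision."""
    report = exposure_report(sbom_json, vex_json)
    return sorted(purl for purl, entries in report.items()
                  if any(state in ACTIONABLE_STATES for _, state in entries))


if __name__ == "__main__":
    for purl, entries in exposure_report(SBOM_JSON, VEX_JSON).items():
        print(purl, entries or "no VEX statement")
    print("needs action:", components_needing_action(SBOM_JSON, VEX_JSON))
    print("unmatched VEX refs:", unmatched_vex_refs(SBOM_JSON, VEX_JSON))
```

Run as-is it prints one line per SBOM component, then the components still needing action (only the openssl entry, since the zlib finding is marked not affected) and the dangling `libfoo-0.1` reference. Treating a missing `analysis` block as `in_triage` rather than as silence is deliberate: a vulnerability the manufacturer has not yet assessed should stay visible until a decision is recorded.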

The CRA introduces CE Marking for Cybersecurity Compliance

To clarify security for consumers, the CRA introduces the CE marking, indicating compliance with its cybersecurity standards. This marking is necessary for placing products on the EU market. The regulation applies to a wide range of products with digital elements, but some are categorized as “critical products” with higher risks.

Critical products are divided into Class I and Class II, with Class II products facing more stringent requirements. Exemptions are in place for open-source software (OSS) without commercial intent, and products already regulated by specific laws. However, once third-party products, such as OSS, enter a connected product, it is the responsibility of the vendor or manufacturer to ensure that privacy standards meet compliance requirements.

“Critical products with digital elements shall be subject to specific conformity assessment procedures and shall be divided into class I and class II as set out in Annex III, reflecting their cybersecurity risk level, with class II representing a greater risk. A product with digital elements is considered critical and therefore included in Annex III taking into account the impact of potential cybersecurity vulnerabilities included in the product with digital elements. The cybersecurity-related functionality of the product with digital elements and the intended use in sensitive environments such as an industrial setting, amongst others, is taken into account in the determination of cybersecurity risk.” – EU CRA

What's exempt from the EU Cyber Resilience Act

Products regulated by other European legislation that takes the place of the Cyber Resilience Act include:

  • Medical devices that fall under EU 2017/745 and EU 2017/746
  • Aviation products under regulation 2018/1139
  • Motor vehicle products that fall under EU 2019/2144

It is important to note that today’s connected products are unique in that the software and data they hold after leaving the production site vary greatly, because users can input data and share information that is not necessarily critical for operation. This can include convenience features, such as GPS, or personal health tracking data.

Looking to the future

While the EU Cyber Resilience Act is seen as a positive step toward strengthening digital security, concerns exist. The impact on innovation, especially in the open-source community, and potential challenges for businesses, especially small and medium-sized enterprises (SMEs), are among the uncertainties. The true effects on cybersecurity and the digital landscape will become clearer once the Act is fully implemented.

In conclusion, the EU Cyber Resilience Act aims to enhance digital security in the EU, setting clear standards for cybersecurity. The balance between security and innovation, the influence on open-source software, and the potential challenges for businesses will only be fully understood as the Act takes effect.

While this act creates a blanket regulation for the EU, there are still detailed regulations that are relevant to specific industries. To read more about product security regulations specific to your industry, have a look at our breakdown of the latest FDA PMA Guidelines or WP.29 for automotive.