What You'll Learn
- Overview of the EU Cyber Resilience Act (CRA): Understanding the purpose, scope, and significance of the CRA in safeguarding consumers from insecure digital products and enhancing cybersecurity across the EU.
- Compliance Requirements: Detailed insights into the key requirements for compliance with the CRA, including Software Bills of Materials (SBOMs), vulnerability management, continuous support, and CE marking.
- Impact on Different Industries: How the CRA affects various sectors such as medical, automotive, and critical infrastructure, and the specific exemptions for certain regulated products.
- Challenges and Future Implications: Potential challenges for businesses, especially SMEs, and the broader implications for innovation and the digital landscape in the EU.
Scheduled for adoption in 2024, the Cyber Resilience Act (CRA) aims to safeguard consumers from insecure digital products. It introduces mandatory cybersecurity measures for products like operating systems and baby monitors. Companies affected by the Act have three years to comply, facing penalties if they don’t.
As we await its full implementation in 2024, businesses across various industries such as medical, automotive, and critical infrastructure need to rethink how they handle data. To make things even more challenging, today’s connected products include many open source software components that may independently collect, store, and share data, creating potential legal obstacles for products in production and in the field.
Complying with the Cyber Resilience Act
Much of what the Cyber Resilience Act expects is already being partially implemented by some manufacturers. For example:
- SBOMs – Software Bills of Materials allow teams throughout an organization to rapidly identify all embedded software components within a device. Even as early as ideation, creating an SBOM allows teams to identify each component’s cyber risk for the environment in which it will operate.
“For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of such incidents, including in relation to the health and safety of users.” – EU CRA
- Vulnerability management – Companies must share newly discovered vulnerabilities in their products with relevant stakeholders. In addition, they must also inform the European Union Agency for Cybersecurity (ENISA) along with the maintainers of the affected open source software. The exploitability status of each vulnerability can be conveyed using a VEX (Vulnerability Exploitability eXchange) document.
“The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product.” – EU CRA
- Continuous support – Similar to what the FDA requires for medical devices in the US, companies must consider the lifespan of a component and how it is maintained, and provide information on how products will be kept up to date after that support period.
“A manufacturer that ceases its operations and, as a result, is not able to comply with the obligations laid down in this Regulation shall inform, before the cease of operation takes effect, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the concerned products with digital elements placed on the market.” – EU CRA
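The SBOM and vulnerability-management items above come together when a manufacturer has to decide which findings still need remediation and disclosure. The following is an added illustration, not code from the article: it cross-references a constructed CycloneDX-style SBOM with a constructed CycloneDX VEX (the component names and CVE-style ids are placeholders, not real vulnerabilities), flags components the SBOM cannot identify unambiguously, and lists the open findings.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device (placeholder components).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "lib-a@1.0.0", "name": "lib-a", "version": "1.0.0", "purl": "pkg:generic/lib-a@1.0.0"},
    {"type": "library", "bom-ref": "lib-b@2.3.1", "name": "lib-b", "version": "2.3.1", "purl": "pkg:generic/lib-b@2.3.1"},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c"}
  ]
}"""

# Constructed CycloneDX VEX; the CVE-style ids are placeholders, not real CVEs.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "lib-a@1.0.0"}], "analysis": {"state": "exploitable"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "lib-b@2.3.1"}], "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "lib-b@2.3.1"}], "analysis": {"state": "in_triage"}},
    {"id": "CVE-0000-0004", "affects": [{"ref": "lib-z@9.9.9"}], "analysis": {"state": "exploitable"}}
  ]
}"""

# VEX analysis states under which the manufacturer still owes a fix or a disclosure.
OPEN_STATES = {"exploitable", "in_triage"}

def load_docs():
    """Parse the embedded sample SBOM and VEX documents."""
    return json.loads(SBOM_JSON), json.loads(VEX_JSON)

def sbom_gaps(sbom):
    """Names of components the SBOM cannot identify unambiguously (no version or purl)."""
    return [c["name"] for c in sbom.get("components", []) if not c.get("version") or not c.get("purl")]

def open_findings(sbom, vex):
    """Map each VEX statement onto the SBOM; return open items and refs that match no component."""
    refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    open_items, unknown = [], []
    for v in vex.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")  # no analysis yet = still open
        for a in v.get("affects", []):
            if a["ref"] not in refs:
                unknown.append((v["id"], a["ref"]))  # VEX and SBOM have drifted apart
            elif state in OPEN_STATES:
                open_items.append((v["id"], a["ref"], state))
    return open_items, unknown

if __name__ == "__main__":
    sbom, vex = load_docs()
    print("components lacking version/purl:", sbom_gaps(sbom))
    items, unknown = open_findings(sbom, vex)
    for vid, ref, state in items:
        print(f"{vid} {ref}: {state} -> remediation and disclosure still required")
    for vid, ref in unknown:
        print(f"{vid} references {ref}, which is not in the SBOM")
```

A statement marked not_affected with a justification is closed for reporting purposes, while a missing analysis block is treated as still open rather than silently dropped.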
Compliance with the Cyber Resilience Act involves providing security updates for a certain period, promptly disclosing and patching vulnerabilities, and submitting a detailed SBOM. Failure to comply can result in fines or other corrective actions.
To effectively navigate the CRA’s compliance requirements, consider leveraging compliance management software that integrates with your product development lifecycle. This can help streamline the creation and maintenance of SBOMs, automate vulnerability tracking and reporting, and ensure timely updates, reducing the risk of non-compliance and improving overall efficiency.
The CRA introduces CE Marking for Cybersecurity Compliance
To clarify security for consumers, the CRA introduces the CE marking, indicating compliance with its cybersecurity standards. This marking is necessary for placing products on the EU market. The regulation applies to a wide range of products with digital elements, but some are categorized as “critical products” with higher risks.
Critical products are divided into Class I and Class II, with Class II products facing more stringent requirements. Exemptions are in place for open-source software (OSS) without commercial intent, and products already regulated by specific laws. However, once third-party products, such as OSS, enter a connected product, it is the responsibility of the vendor or manufacturer to ensure that privacy standards meet compliance requirements.
“Critical products with digital elements shall be subject to specific conformity assessment procedures and shall be divided into class I and class II as set out in Annex III, reflecting their cybersecurity risk level, with class II representing a greater risk. A product with digital elements is considered critical and therefore included in Annex III taking into account the impact of potential cybersecurity vulnerabilities included in the product with digital elements. The cybersecurity-related functionality of the product with digital elements and the intended use in sensitive environments such as an industrial setting, amongst others, is taken into account in the determination of cybersecurity risk.” – EU CRA
What's exempt from the EU Cyber Resilience Act
Products that are regulated by other European standards, and are therefore exempt from the Cyber Resilience Act, include:
- Medical devices that fall under EU 2017/745 and EU 2017/746
- Aviation products under regulation 2018/1139
- Motor vehicle products that fall under EU 2019/2144
It is important to note that today’s connected products are unique in that the software and data they hold when they leave the production site vary greatly, since users can input data and share information that is not necessarily critical to operation. This can include convenience features, such as GPS, or personal health tracking data.
Looking to the future
While the EU Cyber Resilience Act is seen as a positive step toward strengthening digital security, concerns exist. The impact on innovation, especially in the open-source community, and potential challenges for businesses, especially small and medium-sized enterprises (SMEs), are among the uncertainties. The true effects on cybersecurity and the digital landscape will become clearer once the Act is fully implemented.
In conclusion, the EU Cyber Resilience Act aims to enhance digital security in the EU, setting clear standards for cybersecurity. The balance between security and innovation, the influence on open-source software, and the potential challenges for businesses will only be fully understood as the Act takes effect.
While this act creates a blanket regulation for the EU, there are still detailed regulations that are relevant to specific industries. To read more about product security regulations specific to your industry, have a look at our breakdown of the latest FDA PMA Guidelines or WP.29 for automotive.
Key Takeaways
- Mandatory Cybersecurity Measures: The CRA introduces mandatory cybersecurity measures for a wide range of digital products, requiring manufacturers to ensure security throughout the product lifecycle.
- SBOMs and Vulnerability Management: Companies must create and maintain SBOMs, share newly discovered vulnerabilities with relevant stakeholders, and continuously support and update their products.
- CE Marking for Cybersecurity Compliance: The introduction of CE marking for cybersecurity compliance indicates that a product meets the CRA’s security standards, helping consumers identify secure products.
- Exemptions and Industry-Specific Regulations: Certain products, such as medical devices and automotive products, are exempt from the CRA if they are already regulated by other European standards.
- Balancing Security and Innovation: While the CRA aims to enhance digital security, it also raises concerns about its impact on innovation, particularly within the open-source community and for SMEs.