Cyber Resilience Act

The Cyber Resilience Act (CRA) is a first of its kind EU legislation that provides a baseline standard for the cybersecurity of connected products with digital elements. Products with digital elements are defined as products with software and/or hardware components and any associated remote data processing solutions.

The CRA aims to address two clearly identified problems commonly found in digital products, these are:

• Products with digital elements are being manufactured with low levels of cybersecurity. This causes widespread vulnerabilities and security updates to address these vulnerabilities are lacking. This makes digital products attractive targets to cybercriminals as a vehicle to attack larger networks.
• Users of products with digital elements have insufficient understanding of product security and lack information that would allow them to make informed decisions on choosing products with proper cybersecurity features. The CRA is a horizontal legislation, this means it will cover a broad range of products across many sectors. Any product made available on the EU market that is in scope for the CRA will need to affix the CE mark for cybersecurity. Manufacturers, distributors, and importers from outside the EU will also have to comply. The CRA is an important consideration for many businesses developing new products.

Products with Digital Elements (PDEs) Definition

• any software or hardware product and its remote data processing solutions
• including software and hardware components to be placed on the market separately
• with a data connection to device or network
• that are made available on the EU single market

Open Source

Open-source software will be subject to light touch regulatory regime, this means the CE mark cannot be affixed to it. For-profit manufacturers using open-source software as part of their product with digital elements are responsible for making sure the open-source software components are compliant with the CRA. Free and Open-Source software requirements will include:

• Creating and documenting a cybersecurity policy to foster the development of a secure product with digital elements
• Vulnerability handling process
• Co-operation with market surveillance authorities

Products Out of Scope

The CRA will not apply to the following products as some are already covered by other specific regulations such as:

• Software as a Service – except for remote data processing solutions relating to a product with digital elements
• Medical devices and in vitro diagnostic medical devices
• Civil aviation safety
• Motor vehicles and their trailers
• Products with digital elements developed or modified exclusively for national security or defence purposes
• or to products specifically designed to process classified information

The European Union (EU) Council has adopted the Cyber Resilience Act on 10th October 2024, following the final text being adopted by the EU Parliament in September 2024. This latest step means the legislation will come into effect shortly.

The next step will be the signing of the legislative act by the presidents of the EU Council and Parliament, followed by publication in the Official Journal within a few weeks. Once published in the Official journal, the Cyber Resilience Act will enter into force 20 days later.

A 36-month transition period will follow, by the end of which all products with digital elements brought to market after the enforcement date must be fully compliant. Obligations around vulnerability reporting will be enforced after 21 months.

Manufacturers including software developers, importers and distributors of software and hardware products with digital elements who make their products available on the EU market will need to comply with the Cyber Resilience Act. Entities outside of the EU who make products available on the EU single market will also need to comply.

The EU Commission conducted an impact assessment on the CRA. This outlined that small and medium sized businesses including micro-SMEs in scope for the Cyber Resilience Act would struggle to comply, mainly due to associated costs and lack of cybersecurity expertise. While this may cause some obstacles to overcome, the CRA seeks to strengthen product security which will benefit manufacturers overall. Customers will be more confident in the security of products they buy and manufacturers and society are strengthened against cyberattacks.

Default (lowest risk level)

90% of products are estimated to fall into the default category. These products are deemed to have lower risk profiles than products in the other categories. Examples of products that fall into this category include:

• Smart home devices
• Printers
• Bluetooth speakers
• Media player software applications

Manufacturers of products that fall into the default category can self-assess to show compliance with the CRA essential requirements as outlined in Annex I of the CRA. The self-assessment protocol is laid out in CRA Annex VIII.

Important Class I

The complete list of products that fall into Important Class I can be found in Annex III of the CRA, this includes;

• Identity management systems, privileged access management software & hardware, and access control readers
• Standalone & embedded browsers
• Password managers
• Software that searches for, removes or quarantines malicious software
• Products with virtual private network function
• Network management systems
• Boot managers
• Operating systems
• Routers and modems intended to connect to the internet and switches

Manufacturers with products that fall into Important Class I can use the self-assess method to demonstrate compliance with the CRA essential requirements as long as they can apply one of the following:

• Harmonised Standard – a European standard developed by a recognised European Standards Organisation, following a request from the European Commission. Manufacturers can use harmonised standards to demonstrate that products comply with an EU legislation. Harmonised standards are currently being created specifically for the CRA.
• Common Specification – a detailed practical set of rules setting out how a product should comply with specific requirements adopted by the European Commission when no harmonised standards exist.
• European Cybersecurity Certification – a scheme ENISA is developing on behalf of the European Commission to create a framework to certify products with digital elements meet the essential requirements of the CRA.

If the manufacturer cannot use one of these schemes for their product, they must apply to have their product assessed by a third-party conformity assessment body.

Important Class II

Product types that fall into Important Class II category are:

• Hypervisors and container runtime systems supporting virtualised execution of operating systems
• Firewalls, intrusion detection & prevention systems
• Tamper resistant microprocessors & microcontrollers

Products that fall into Important Class II must complete a third-party conformity assessment even if the product complies with harmonised standards, common specifications or a European cybersecurity certification scheme.

Critical Class

Products that fall into the Critical Class are:

• Hardware devices with security boxes
• Smart meter gateways
• Smart cards or similar devices including secure elements
• Other devices for advanced security purposes including secure crypto processing

Products in the Critical Class are of the highest risk and therefore have the strictest compliance process. Critical Class products must complete a European Common Criteria (EUCC) cybersecurity certification assessment conducted by a conformity assessment body.

Failure to comply with CRA essential requirements, vulnerability or incident reporting could incur penalties of:
Administrative fines up to €15 Million or 2.5% of global turnover whichever is higher.

Failure to comply with other obligations could incur penalties of:
Administrative fines up to €10 Million or 2% of global turnover whichever is higher.

Supplying misleading information to enforcement bodies or national CSIRT teams could incur penalties of:
Administrative fines up to €5 Million or 1% of global turnover whichever is higher.

Under certain circumstances EU authorities can require the recall or withdrawal of non-compliant products.

Important for SMEs

Administrative fines do not apply to micro or SMEs for failures to meet the 24-hour deadline for early warning notification and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on these entities.