In March 2024, the European Parliament approved the EU Cyber Resilience Act, also known as “CRA”. These cyber resilience standards were passed with the goal to protect all digital products in the EU from cyber threats, since security flaws linked to digital products such as baby monitors, robot-vacuum cleaners, Wi-Fi routers, and alarm systems have put customers and their livelihoods at risk.
Consumers and businesses have traditionally been responsible for determining the security of products. But with cyber breaches continuing to increase for consumer digital products, added security measures need to be taken. It's now clear that ensuring the security of digital products in the supply chain is now non-negotiable. And with 60% of vendors losing money due to product security gaps, the need has only been underscored.
The CRA emphasizes the renewed focus on cyber resilience that we’re seeing across industries. While the concept of resilience in cybersecurity isn’t new, cyber threats are more prevalent than ever — and taking proactive steps to bolster your team’s ability to operate under duress is a must. With organizations like the World Economic Forum and Gartner emphasizing the global importance of cyber resilience — the latter focusing on building resilience in relation to third-party risk management — it’s no wonder that we’re now seeing this written into legislation.
What's the goal of the CRA?
The CRA, which details highly specific cybersecurity requirements for both manufacturers and retailers, is intended to regulate cybersecurity internationally and provide better protections for consumers.
Covering all products with digital elements, or PDEs — hardware and software products, IoT, smart devices, remote data processing solutions, and more — this legislation aims to protect consumers and businesses from cyber threats like breaches and ransomware attacks. This specifically includes those buying or using products and software with a digital component, excluding open source software, and products like medical devices, aircraft, and cars that are protected by other rules.
The CRA will also:
- Regulate the entire lifecycle of products
- Standardize cybersecurity requirements that govern the planning, design, development, and maintenance of these products
- Enhance trust and safety for customers
With a goal of establishing and enforcing a unified cybersecurity framework for the EU, the CRA is just one of the latest frameworks aimed at regulating cybersecurity. The newly updated NIS2 directive focuses on critical infrastructure as a whole and the Digital Operations Resilience Act (DORA) zeroes in on the financial services sector. A key difference between these acts is that the CRA is the first legislation to regulate cybersecurity on a global scale and is focused on increasing harmony across regulatory landscapes.
“The Cyber Resilience Act will harmonise the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation. This will create greater legal certainty for operators and users across the Union, as well as a better harmonisation of the European single market, creating more viable conditions for operators aiming to enter the EU market.” – European Commision
What happens next?
According to the European Parliament, important and critical products will be categorized based on criticality and level of risk. These two lists will be proposed and updated by the European Commission. Products predicted to pose a higher cybersecurity risk will be examined more stringently by a notified body, while others may go through a lighter conformity assessment process.
To avoid non-compliance related fines and/or sanctions, manufacturers must:
- Declare conformity with security mandates and provide technical documentation
- Affix a conformity mark to the product
- Disclose any actively exploited vulnerabilities within 24 hours
“The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent.” – Nicola Danti, Lead MEP
Once the CRA is formally adopted, manufacturers, importers, and distributors will have exactly 36 months to properly comply with the new regulations. One way to do this is by using a CAASM solution to gain context, establish a cybersecurity foundation, and control asset complexity. Read our new eBook, The State of Cyber Resilience: Why IT and Security Leaders are Bolstering Cyber Resilience as Complexity Increases, to learn more.
