A comprehensive guide

Understanding the EU Cyber Resilience Act

  • Insight
  • 13 minute read
  • 10/10/24
Philipp Rosenauer

Partner Legal, PwC Switzerland

Vincent Colonna

Director, Cybersecurity and Privacy, PwC Switzerland

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a legislative initiative by the European Union aimed at enhancing the cybersecurity of products with digital elements. The CRA establishes a uniform legal framework to ensure that hardware and software products are designed, developed and maintained with robust cybersecurity measures in place throughout their lifecycle. This regulation is intended to mitigate the risks posed by cyberattacks, which can have significant impacts on the economy, democracy, consumer safety and health. The CRA mandates that manufacturers adhere to essential cybersecurity requirements, conduct risk assessments and provide security updates, thereby fostering a more secure digital environment across the EU. 

When is the Cyber Resilience Act entering into force?

The CRA was approved on 17 September 2024 by the European Parliament. The Council will now formally adopt the final act. The CRA will then be published in the Official Journal of the EU, probably around late November/early December 2024.

How can I assess which of my products are affected?

The CRA covers a wide range of products that include digital elements, which are defined as any software or hardware product and its remote data processing solutions that involve a direct or indirect logical or physical data connection to a device or network. Here are some examples of such products (the list is not exhaustive):

Mobile devices

Smartphones and tablets are quintessential examples of products with digital elements. These devices connect to networks and other devices, making them susceptible to cybersecurity threats.

IoT devices

  • Smart home devices like smart thermostats, smart door locks and smart lighting systems.
  • Wearable health monitors and fitness trackers.
  • Industrial IoT devices used in manufacturing and logistics.

Network infrastructure products

  • Routers and modems for internet connectivity.
  • Network switches and hubs.
  • Firewalls and intrusion detection/prevention systems.

Industry 4.0 applications

  • Remotely accessible machinery and equipment.
  • Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
  • Smart factory solutions that integrate various digital technologies.

Software products

  • Standalone and embedded browsers.
  • Password managers.
  • Software that searches for, removes or quarantines malicious software.
  • Virtual private network (VPN) software.

Smart home products

  • Smart door locks.
  • Security cameras and baby monitoring systems.
  • Alarm systems and connected toys with social interactive features or location tracking.

Personal wearable products

  • Fitness trackers and smartwatches.
  • Wearable health monitors that do not fall under specific medical device regulations.

Understanding product classifications: Critical, Important Class II, Important Class I and Default products

The CRA categorises products with digital elements into different classes based on their cybersecurity risk and functionality. These classifications help determine the level of scrutiny as well as the type of conformity assessment required for each product.

Critical Annex IV products

Critical products are products that have a significant cybersecurity-related functionality and pose a high risk if compromised. These products are essential for the security of other systems and services, and their failure could lead to severe disruptions. Examples of Critical Annex IV products include:

  • Hardware devices with security boxes: these are specialised hardware designed to provide secure environments for sensitive operations.
  • Smart meter gateways: used within smart metering systems, these devices ensure secure data transmission and processing.
  • Smartcards and similar devices, including secure elements: these are used for secure transactions and data storage.

Conformity assessment: Critical products must undergo a rigorous conformity assessment. If a European cybersecurity certification scheme is available, these products must obtain a European cybersecurity certificate. If no such scheme is available, they must follow the same procedures as Important Class II products, which involve third-party assessments.

Important Class II products

Important Class II products are products that perform critical cybersecurity functions or have a high potential for adverse effects if compromised. These products are crucial for maintaining the security of other systems and services. Examples of Important Class II products include:

  • Hypervisors and container runtime systems: these support the virtualised execution of operating systems and similar environments.
  • Firewalls and intrusion detection/prevention systems: these are essential for protecting networks from unauthorised access and cyber threats.
  • Tamper-resistant microprocessors and microcontrollers: these are designed to resist physical and logical tampering, ensuring the integrity of the systems they are part of.

Conformity assessment: Important Class II products require a third-party conformity assessment. This can be done through an EU-type examination procedure (Module B), followed by conformity to EU-type based on internal production control (Module C) or a conformity assessment based on full quality assurance (Module H).

Important Class I products

Important Class I products also perform essential cybersecurity functions, but are considered to have a lower risk compared to Class II products. These products are still vital for the security of systems and services, but do not pose as high a risk if compromised. Examples of Important Class I products include:

  • Identity management systems: these include privileged access management software and hardware, such as authentication and access control readers.
  • Standalone and embedded browsers: these are used for accessing the internet and other network services.
  • Password managers: these help users securely store and manage their passwords.
  • VPNs and network management systems: these ensure secure communication and management of network resources.
  • Software that searches for, removes or quarantines malicious software.
  • Security information and event management (SIEM) systems.
  • Boot managers.
  • Public key infrastructure and digital certificate issuance software.
  • Physical and virtual network interfaces.
  • Microprocessors and microcontrollers with security-related functionalities.
  • Operating systems.

Conformity assessment: If a harmonised standard is available, Important Class I products need to comply with it. If such standards are not fully available, a third-party assessment is required, similar to Important Class II products.

Default products with digital elements

Default products are those that do not fall into the Critical or Important categories. These products are still subject to the CRA, but may have different compliance requirements. They typically undergo an internal assessment by the manufacturer to ensure they meet the essential cybersecurity requirements.

Which parties are affected by the requirements of the Cyber Resilience Act?

The requirements affect various parties involved in the lifecycle of these products, from design and development through to distribution and market surveillance.

The most stringent requirements apply to manufacturers, and include for example:

  • Design, develop and produce products with digital elements in accordance with the essential cybersecurity requirements
  • Undertake an assessment of the cybersecurity risks associated with a product with digital elements, and take the outcome into account during the planning, design, development, production, delivery and maintenance phases
  • Provide security updates for the support period free of charge and, where applicable, in an automatic manner
  • Draw up the technical documentation and the EU declaration of conformity

For distributors and importers, the following applies:

  • Only place on the market products with digital elements that comply with the essential cybersecurity requirements
  • Verify that the manufacturer has carried out the appropriate conformity assessment procedures, drawn up the technical documentation, affixed the CE marking and provided the EU declaration of conformity and the information and instructions to the user
  • Take corrective measures, withdraw or recall the product as appropriate if the product or the processes put in place by the manufacturer are not in conformity with the essential requirements, and inform the manufacturer and the relevant market surveillance authorities

Who is a manufacturer, importer or distributor according to the Cyber Resilience Act?

A manufacturer is a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured and markets them under its name or trademark, whether for payment, monetisation or free of charge.

An importer is a natural or legal person established in the European Union who places a product with digital elements on the market that bears the name or trademark of a natural or legal person established outside the Union.

A distributor is a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the European Union market without affecting its properties.

In summary:

  • Manufacturers are responsible for the design, development, production and marketing of products with digital elements under their name or trademark.
  • Importers ensure that products from outside the EU comply with the CRA before placing them on the EU market.
  • Distributors make products available on the EU market and ensure that these products comply with the CRA without altering their properties.

What are the consequences of non-compliance with the Cyber Resilience Act?

The CRA establishes stringent requirements for the cybersecurity of products with digital elements. Non-compliance with these requirements can lead to significant consequences for manufacturers, importers, distributors and other economic operators. These include:

  • Financial penalties: fines can be up to €15 million or 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Market restrictions and product recalls: authorities can prohibit or restrict the product from being made available on the market. Non-compliant products can be withdrawn from the market or recalled.

How does the Cyber Resilience Act relate to existing standards such as ISO?

The CRA leverages existing standards, particularly those from ISO, to establish a robust cybersecurity framework for products with digital elements. While no single standard comprehensively covers all CRA requirements, the combination of various standards provides a strong foundation for compliance. Therefore, even if a product already complies with standards such as those from ISO, it is still necessary to check for potential gaps in relation to the CRA.

How to comply with the Cyber Resilience Act?

To comply with the CRA, manufacturers must undertake several key actions:

  1. Design and development: Ensure products are designed, developed and produced in accordance with the essential cybersecurity requirements.
  2. Risk assessment: Conduct a thorough cybersecurity risk assessment during the planning, design, development, production, delivery and maintenance phases.
  3. Vulnerability handling: Implement effective vulnerability handling processes, including coordinated vulnerability disclosure policies and timely security updates.
  4. Technical documentation: Prepare and maintain comprehensive technical documentation and an EU declaration of conformity.
  5. CE marking: Affix the CE marking to products that meet the CRA requirements.
  6. Reporting obligations: Notify the relevant authorities of any actively exploited vulnerabilities and severe incidents within 24 hours.
  7. Support period: Provide free security updates for at least five years or the expected service life of the product.
