In the ever-evolving digital landscape, cybersecurity has become a top priority for businesses worldwide. The European Union is taking a significant step forward with the introduction of the Cyber Resilience Act (CRA), a new regulation that sets stringent cybersecurity standards for products with digital elements (PDEs). This article aims to guide companies in understanding the CRA, its requirements, and how to prepare effectively for its implementation.
Understanding the Cyber Resilience Act
The Cyber Resilience Act is a groundbreaking regulation designed to ensure that all products with digital elements, from hardware to software, meet minimum cybersecurity requirements before being placed on the EU market. The CRA mandates that these products adopt a security-by-design approach, emphasizing the need for secure development practices from the outset. Products that comply with the CRA will receive a CE marking, signifying their adherence to these new standards. The primary goal of the CRA is to enhance the security of PDEs in response to the increasing number of cyberattacks across the EU, which have a staggering global annual cost estimated at €5.5 trillion. By enforcing these cybersecurity measures, the CRA aims to strengthen trust in the EU's digital infrastructure and boost the global competitiveness of European companies.
Security Requirements Under the CRA
The CRA outlines specific security requirements that manufacturers must integrate into their products. These include:
- Access Protection: Ensuring that only authorized individuals can access sensitive systems and data.
- Confidentiality: Protecting information from unauthorized disclosure.
- Integrity: Safeguarding data and systems from unauthorized alterations.
- Availability: Ensuring that systems and data are accessible when needed.
In addition, the CRA requires manufacturers to manage vulnerabilities and provide security updates for their products for a specified period. This proactive approach to cybersecurity aims to mitigate risks throughout the product's lifecycle.
See also the chapter Expert insight: Essential Security Requirements for PDEs.
The Scope of the Cyber Resilience Act
The CRA's scope is comprehensive, covering all products with digital elements that have communication capabilities, including embedded systems and standalone software. It applies to both hardware and software products under the New Legislative Framework, requiring compliance before these products can be marketed in the EU. Manufacturers, importers, and distributors of PDEs within the EU must ensure that their products meet these rigorous cybersecurity standards. The CRA also mandates that products carry the CE marking, indicating conformity with the new cybersecurity requirements. Importantly, the CRA covers the entire lifecycle of PDEs—from planning and design to production, delivery, and maintenance. This ensures that cybersecurity is maintained at every stage, preventing and managing cyber vulnerabilities effectively.
The Consequences of Non-Compliance
The CRA imposes severe penalties for non-compliance. Products that do not meet the CRA's standards cannot be placed on the market, and suppliers must withdraw any non-compliant products already available. Fines for failing to meet essential requirements can reach up to €15 million or 2.5% of global revenue, whichever is higher. Non-compliance with other obligations can result in fines of up to €10 million or 2% of global revenue. Furthermore, providing incorrect, incomplete, or misleading information to regulatory bodies can result in additional fines of up to €5 million or 1% of global revenue.
Meeting the CRA's Product Security Requirements
To comply with the CRA, manufacturers must integrate security requirements throughout the development process. This includes ensuring access protection, confidentiality, integrity, availability, and secure delivery. The CRA also mandates that manufacturers scrutinize their products for vulnerabilities and provide immediate rectification when issues are identified. Security updates must be provided free of charge for a period of at least five years, ensuring ongoing protection for users.
Conformity Assessment and CE Marking
Before launching products on the market, manufacturers must conduct thorough conformity assessments to ensure compliance with the CRA. These assessments are based on the product's criticality, with particular emphasis on critical infrastructures. Compliance requires adherence to European standards or testing by authorized institutions. Once a product meets the necessary requirements, the manufacturer can affix the CE marking, signaling its conformity with the CRA.
Market surveillance authorities (MSAs) in each EU Member State will enforce the CRA, with the power to conduct sweeps of Internet of Things (IoT) products and collaborate with the European Union Agency for Cybersecurity (ENISA) and the European Data Protection Board (EDPB).
Implementation Timeline and Next Steps
The European Commission published the draft regulation of the CRA on September 15, 2022. Following the European Parliament's acceptance on March 12, 2024, the CRA is expected to come into force in 2024, with full implementation anticipated over a 36-month period. The CRA's provisions will apply fully within two years of its entry into force, likely by late 2026.
Strategies for Complying with the CRA
To comply with the CRA, companies must adopt a proactive approach to cybersecurity. This includes developing secure-by-design products, conducting regular risk assessments, and maintaining transparency with users regarding security updates and known vulnerabilities. Companies should also consider leveraging automation to streamline compliance activities, such as vulnerability management, software bill of materials (SBOM) management, and automated reporting. A centralized platform can provide real-time monitoring, ensuring that the organization remains compliant with CRA requirements.
Challenges and Opportunities
While the CRA presents the challenge of maintaining continuous compliance with evolving cybersecurity standards, it also offers significant opportunities. By prioritizing cybersecurity, companies can gain a competitive edge in the market, offering products that meet the highest security standards.
Global Influence of the CRA
The CRA is poised to set a global precedent for cybersecurity standards, influencing policies and practices beyond the EU. This regulation encourages international manufacturers to adopt similar practices, contributing to a higher level of global cybersecurity. As companies prepare for increased compliance costs due to the CRA's stringent requirements, those that already follow good practices will find themselves better positioned to meet these new standards.
Conclusion
The Cyber Resilience Act is set to transform the cybersecurity landscape, demanding rigorous standards that companies must meet to remain compliant and competitive. Achieving these standards isn't just about ticking boxes - it's about safeguarding your business and building trust with your customers. This is where Rasotec GmbH steps in. We provide the expert insights and assessments needed to ensure your systems are resilient and ready for the CRA's demands. Don't wait for vulnerabilities to be exposed - partner with Rasotec today to secure your future and stay ahead in a rapidly evolving digital world.