EU Cyber Resilience Act

EU Cyber Resilience Act

A Comprehensive Overview

The CRA is a draft by the European Union aimed at strengthening resilience against cyberattacks and creating a uniform level of security for digital products. The need for such legislation is evident when considering the increasing number of cyberattacks and the growing dependence on digital technologies.

Prien am Chiemsee - 2023-12-20

The Fundamentals of the Cyber Resilience Act

Objectives and Scope

The primary goal of the CRA is to ensure a high standard of security for products with digital components. These products include a wide range of devices and software, from IoT devices to smartphones and beyond. The CRA requires manufacturers, importers, and distributors to ensure that their products meet basic security requirements before they can be offered on the EU market.

Security Measures and Reporting Obligations

Companies must proactively close security gaps and provide security updates for a duration of up to five years. Additionally, they are obliged to report resolved vulnerabilities and cybersecurity incidents, especially actively exploited vulnerabilities within 24 hours to the European Union Agency for Cybersecurity (ENISA).

Conformity Assessment and Sanctions

For products that are classified as critical, a special conformity assessment procedure is required. Non-compliance with the CRA regulations can result in severe penalties, which can amount to up to 15 million euros or 2.5 percent of a company's global turnover.

Special Challenges for Companies

Companies face the challenge of adapting their products and services to the strict requirements of the CRA. This requires a revision of development and security processes to integrate "Security by Design" principles. The CRA's transition periods are short, necessitating rapid adaptation.

Impact on Software Service Providers

Software service providers must also meet the requirements of the CRA, which includes conformity assessments and ensuring product safety. However, the situation around open-source software remains unclear, as it is not intended to fall under the CRA if it is not developed or provided commercially. The lack of explicit anchoring of this exception in the legislative text creates uncertainty.

Assessment of the Cyber Resilience Act

The CRA is seen as an important step in strengthening cybersecurity within the EU. It creates a harmonized level of security and builds on established processes in companies. This promotes a level playing field and thus supports the integrity of the European single market.

Critics of the CRA criticize the broad definition of critical products and the short transition periods. These could complicate market access and affect international competitiveness. There are also concerns about the impact on the open-source community and the European software industry.

Checklist for Companies

General Requirements

  1. Compliance with cybersecurity requirements: Manufacturers must ensure that their products with digital elements comply with cybersecurity requirements from planning and design through development and production to distribution.
  2. Lifecycle responsibility: Manufacturers are responsible for the cybersecurity of their products throughout their entire lifecycle, including providing free updates in the event of security vulnerabilities for up to five years.
  3. Duty to inform: Users must be informed about resolved vulnerabilities and cybersecurity incidents. Manufacturers are required to report security incidents and actively exploited vulnerabilities within 24 hours to the European Union Agency for Cybersecurity (ENISA).
  4. Conformity assessment for critical products: Products are classified into different criticality classes. Critical products are subject to higher requirements, which must be demonstrated through a special conformity assessment procedure.
Specific Requirements by Product Lifecycle Phases

CONCEPT PHASE

  • Consider CRA requirements: From the initial product idea to the final release for pre- or series development, CRA requirements must be considered.
  • Conduct security risk assessment: A security risk assessment should be conducted to identify potential vulnerabilities and derive necessary measures or security features.
  • Establish a contact point for user reports: Organizations must set up a contact point for user reports on vulnerabilities, ideally organized company-wide.

DEVELOPMENT PHASE

  • Plan security features: Necessary security functions should be planned early on.
  • Implement secure update mechanisms: Manufacturers must implement secure update mechanisms and maintain a toolchain to be able to restore and patch any release for five years.
  • Provide technical and user documentation: Adequate technical documentation (e.g., system and software architecture, Software Bill of Materials) or user documentation, including a description of the security-conscious commissioning and decommissioning of the product, is required.
  • Ensure conformity with the CRA: At the end of development, conformity with the CRA is required, usually through a manufacturer's self-declaration, although certain product classes (especially in the IIoT area) may require additional steps such as certification.
Legal Consequences of Non-Compliance

Companies that do not meet the requirements of the CRA can face high penalties, which can amount to up to 15 million euros or up to 2.5% of the global turnover of the affected company. In addition, products that do not meet the requirements can be removed from the market.

Conclusion

The EU Cyber Resilience Act is an ambitious legislative project that aims to raise cybersecurity in the EU to a new level. Companies and software service providers must adjust to the new regulations and adapt their practices accordingly. Despite some concerns, the intention of the law to make the digital world safer is positively evaluated. It remains to be seen how implementation will take shape in practice and whether the concerns of the open-source community will be taken into account.

In the complex world of cybersecurity, the CRA offers an opportunity to increase resilience against cyber threats and strengthen trust in digital products. For a world where digital technologies play an increasingly important role, this is a necessary step in the right direction.


94

More articles

The Power of Branding

The Power of Branding

A Deep Dive into Germany's Most Valuable Brands

Brands are more than just names or logos. They represent a promise, an identity, and often play a crucial role in a company's success. In Germany, renowned for its high-quality ...

Read more 255
The Purple Llama Initiative by Meta

The Purple Llama Initiative by Meta

A New Standard for AI Systems Cybersecurity

Meta's Purple Llama Initiative represents an innovative approach to assess and minimize the cybersecurity risks of large language models. Through tools like CYBERSECEVAL and Lla...

Read more 138