The Complete Guide to the EU Cyber Resilience Act
The Cyber Resilience Act (CRA), a framework introduced by the EU to regulate the cybersecurity of software and hardware products with digital elements placed on the market, is the first rule of its kind. Learn more about the details of the CRA and what it means for the EU.
What is the European Cyber Resilience Act, and what does it mean for the EU?
The European Cyber Resilience Act (CRA) is a cybersecurity regulation proposed by the European Commission (EC) in September 2022, aimed at tightening rules and regulations to reduce exposure to cyber risks.
From robot vacuums to public service infrastructures, the prevalence of internet of things (IoT) connected devices is skyrocketing and projected to reach 34.7 billion worldwide by 2028.
With new technology comes new risks. This is evidenced by almost daily reports of distributed denial-of-service (DDoS) and ransomware attacks, thrusting big-name companies under the spotlight for cybersecurity failings.
Bearing this in mind, it comes as little surprise that the European Union (EU) plans to implement more robust measures to stem the flow of cybersecurity risks and create stronger walls of protection.
In this comprehensive article, we’ll cover the fundamentals of the CRA, including:
- What is the Cyber Resilience Act, and what does it aim to achieve?
- What does the Cyber Resilience Act mean for companies?
- When does the Cyber Resilience Act come into force?
- What are the consequences of violating the Cyber Resilience Act?
What is the EU Cyber Resilience Act?
Originally announced in the 2020 EU Cybersecurity Strategy, the EU Cyber Resilience Act is a pioneering piece of regulation that will implement a new regulatory framework introducing previously unseen cybersecurity protection measures to the EU.
As the first legislation of its kind worldwide, the EU Cyber Resilience Act will unify cybersecurity policy and requirements across the single market.
It will achieve this by comprehensively enhancing preparedness and cooperation against cyber threats, implementing regulatory requirements that make software and hardware safer for users.
The CRA’s underlying goal is to safeguard EU citizens and organizations against cybersecurity issues when using network-connected devices and infrastructure.
Why is the Cyber Resilience Act being implemented?
When products with a digital component have inconsistent internet security standards, it opens them up to widespread vulnerabilities, such as when products like baby monitors and hospital databases come under attack.
Without regulatory requirements to prioritize cybersecurity, rising numbers of EU-operating manufacturers will continue to introduce software and devices to market that have inadequate internet security standards.
It’s this lack of common cybersecurity rules and standards for digital infrastructure that prompted the creation of the CRA, forming a crucial pillar for a digital Europe.
In the EC press release announcing the CRA, Margaritis Schinas, Vice-President for Promoting our European Way of Life, conveyed the sentiment behind its creation:
“The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society.”
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, echoed this by saying:
“We deserve to feel safe with the products we buy in the single market.”
The Cyber Resilience Act will reinforce the newly ratified NIS2 Directive, which imposes cybersecurity stipulations intended to bolster supply chain defenses and mandatory incident reporting for operators of vital services and critical infrastructures.
What are the objectives of the EU Cyber Resilience Act?
Up until now, the EU has had no consistent cybersecurity requirements for information and communications technologies (ICT). This exposes digital systems to vulnerabilities that cyberattacks can exploit, compromising sensitive consumer and organizational data.
There are two large-scale problems that the CRA will address:
- Inadequate cybersecurity measures are built into many devices and software, compounded by poor security updates that expose users to unreasonable levels of cybersecurity threats.
- A lack of understanding about cyber risks among the general population means that consumers cannot determine the cybersecurity properties of software and devices, or set them up in a way that minimizes exposure to risk.
The CRA has four specific objectives designed to solve the systemic problems outlined above:
- End-to-end security: Once in force, the CRA will impose security improvements for products with digital elements at every stage of their life cycle, including design, development, and maintenance.
- Compliance: Using a coherent cybersecurity framework, the CRA will facilitate compliance for hardware and software manufacturers with consequences for violations.
- Improved transparency: New rules and standards that improve the communication around cybersecurity properties of products with digital elements will make information more accessible to users, helping them make more informed decisions.
- Safer use of products: Comprehensive measures outlined by the CRA will make it easier for organizations and consumers to use products with digital elements securely, thereby minimizing exposure to risk.
What does the EU Cyber Resilience Act cover?
Encompassing a broad scope, the CRA applies to a range of devices and software, including:
- Computer hardware and software
- Devices that use IoT (e.g. smartwatches and smart home devices)
- Network-connected critical infrastructure (e.g. financial services, healthcare and public transportation)
The EU’s CRA fact sheet usefully summarizes manufacturers’ obligations and outlines an EU Cyber Resilience Act timeline.
Who does the EU Cyber Resilience Act apply to?
The CRA’s scope encompasses both public and private sector entities in the EU, affecting manufacturers, importers, and distributors of products that contain a digital component.
Consequently, this far-reaching regulation will impact huge parts of the EU’s common market and apply to all EU countries once it comes into force.
Importantly, the regulation will positively impact consumers and organizations using such products, creating a more resilient cybersecurity ecosystem in Europe.
The European Cyber Resilience Act applies to:
- Suppliers and manufacturers selling network-connected digital products or services in the EU.
- Public institutions including those providing critical services in sectors such as energy, transportation, healthcare, and finance.
- Companies across all industries that operate in the EU and use IoT-connected devices and infrastructure.
When will the EU Cyber Resilience Act come into force?
The CRA was agreed upon by the EC on December 1, 2023, marking a fundamental step forward towards its implementation.
Following formal approval by both the European Parliament and the Council, the CRA is expected to come into force in early 2024.
In a press release from Brussels, the EC stated that manufacturers, importers, and distributors of hardware and software products will have 36 months to adapt to the new requirements. The exception to this is the reporting obligations of manufacturers to record and communicate incidents and vulnerabilities, for which an adaptation period of 21 months has been stated.
What are the consequences of violating the Cyber Resilience Act?
A European Parliament briefing outlines some indicative fines for noncompliance with the CRA.
Manufacturers could be fined €15 million or 2.5 % of their total annual turnover worldwide (whichever is higher) for noncompliance with CRA-imposed security requirements.
Meanwhile, fines of €10 million or 2 % of their total annual worldwide turnover (whichever is higher) could be imposed on manufacturers, importers, or distributors if they fail to meet any other obligation outlined in the draft regulation.
Summary
The European Cyber Resilience Act heralds a new era in consumer cyber protection, elevating standards for manufacturers to prioritize robust cybersecurity measures in their products.
As Europe charts its course towards a digitally resilient future, compliance professionals play a pivotal role in navigating the evolving regulatory landscape and ensuring adherence to stringent cybersecurity requirements.
Together, we can forge a safer digital environment for all.