The Cyber Resilience Act (CRA) aims to enhance the security of internet-enabled products. It requires manufacturers to fix vulnerabilities throughout the entire product lifecycle.
What is it about?
The Cyber Resilience Act (CRA) is expected to come into force at the end of 2024 and will apply from 2027. The CRA seeks to enhance the cybersecurity of products that can connect to each other or to the internet. Such products are manufactured by businesses and sold to end consumers, used in production, or purchased as components to be further processed or refined, and thus form part of supply chains.
Who is affected?
The new regulations apply to all companies manufacturing products with digital elements. Obligations also extend to retailers and importers, with no exceptions based on company size.
What does the regulation stipulate?
The Cyber Resilience Act mandates the establishment of risk-appropriate cybersecurity measures during the design, development, production, distribution, and usage phases of the mentioned products. The European Commission distinguishes products according to their criticality:
- Non-critical products with digital elements (e.g., hard drives, PC games),
- Critical products with digital elements Class I (e.g., browsers, password managers) and Class II (e.g., industrial firewalls, routers, smart cards, and smart card readers),
- Highly critical products with digital elements (currently, no products fall under this category).
According to the EU Commission, about 90% of products are expected to fall into the non-critical category. Manufacturers and vendors of critical products must comply with stricter requirements, such as conformity assessment based on harmonised EU standards. The conformity is documented on the product with the "CE mark." Compliance will be monitored by national market surveillance authorities.
Furthermore, the CRA requires manufacturers to fix vulnerabilities throughout the entire lifecycle of a product, but for no more than five years. Users must be informed about fixed vulnerabilities and cybersecurity incidents. Manufacturers must also report cybersecurity incidents and all actively exploited vulnerabilities within 24 hours to the European Union Agency for Cybersecurity (ENISA).
Example
An industrial company incorporates chips as components of its product. The company must rely on the chips being securely designed and requires security updates from the manufacturer for a defined period to ensure security along the supply chain.
According to the CRA, the manufacturer must prove compliance with harmonised EU cybersecurity standards during development and production. This would be documented in a so-called software bill of materials. The manufacturer must also document any known vulnerabilities. Before the chip is marketed, a conformity assessment procedure must be carried out, after which the CE marking may be applied. The industrial company must also comply with these requirements for its part of the supply chain. Both companies must provide updates as well as fulfil reporting and information obligations after the chip and the industrial product are marketed.
What now matters for businesses?
The German Chamber of Commerce and Industry (DIHK) advocates for all companies to ensure "security by design" for products with digital elements and to guarantee secure use through security updates for a defined period. The DIHK expressly supports the intention of the CRA in this regard.
However, the CRA can only achieve its potential if its requirements are not only purposeful but also practical and appropriate. Companies need to review internal measures for CRA compliance, establish new processes, and deploy a mechanism for handling vulnerabilities. They must orient themselves to European standards, most of which are yet to be developed.
Businesses also frequently report challenges in recruiting the necessary specialists to implement these changes. This similarly applies to building organisational structures and personnel for market surveillance. Therefore, an extension of the transition period would be advisable to avoid aggravating the existing skills shortages.
Contact
Dr. Katrin Sobania
Director, Department for Information and Communication Technology | E-Government | Postal Services | IT Security