In an era where digital technologies permeate every facet of our lives, the European Union has taken a bold step towards ensuring the cybersecurity of products with digital elements (both hardware and software) through the proposed Cyber Resilience Act (CRA). This legislation, set to become one of the EU's cornerstone cyber security laws, underscores a comprehensive approach to enhancing the security landscape of digital products ranging from consumer electronics to critical infrastructure components.

The CRA's broad scope ensures it covers all products with digital elements (PDEs) that can connect to a device or network, either directly or indirectly. This includes both hardware and software products intended for the EU market, regardless of the manufacturer's origin. However, the Act carves out exclusions for products exclusively developed for national security or military purposes, and sectors where existing regulations offer comparable protection, such as medical devices and aviation.

Categorisation of the PDEs

A critical feature of the CRA is its risk-based classification of products with digital elements into categories reflecting their cybersecurity risk:

• Default Category: This encompasses products without critical cybersecurity vulnerabilities (probably the majority of PDEs). These products are subject to a self-assessment by the manufacturer to ensure compliance with cybersecurity standards.
• Critical Category: Further divided into two sub-categories based on the level of cybersecurity risk and potential impact on other products, networks, or the safety of individuals:
  • Class I: Compliance for these products may require third-party assessments or adherence to the application of a standard form.
  • Class II: These types of PDEs require mandatory third-party conformity assessments.

Essential Security Requirements for the PDEs

At the core of the requirements for the PDEs is the principle that products must be designed, developed, and produced to embody an appropriate level of cybersecurity, reflective of the potential risks. This foundational layer ensures that from the beginning, products are devoid of known exploitable vulnerabilities, establishing a secure baseline for digital integrity.

• Design and Development: Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity, free from known vulnerabilities, and based on risk assessments.
• Access and Data Protection: Products should have secure default configurations, protect against unauthorised access, ensure data confidentiality and integrity, and only process necessary data.
• Functionality and Incident Management: Essential functions must be protected, including resilience against denial of service attacks. Products should limit attack surfaces, minimise incident impact, provide security-related information, and support vulnerability management through updates.
• Identification and Documentation: Identify and document vulnerabilities, including a software bill of materials for top-level dependencies.
• Vulnerability Management: Address vulnerabilities promptly with security updates, conduct regular security tests and reviews, and disclose information about fixed vulnerabilities publicly.
• Coordination and Communication: Enforce a coordinated vulnerability disclosure policy, facilitate vulnerability information sharing, and ensure secure distribution of updates.
• Update Dissemination: Provide security patches or updates promptly and free of charge, with advisory messages for users on remediation actions.

Obligations and Compliance

The CRA mandates that the economic operators (manufacturers, importers, and distributors) ensure their products meet essential cybersecurity requirements. Key obligations include:

• Risk Assessment and Design: Ensuring products are designed and developed in line with essential cybersecurity standards, including being free from known vulnerabilities at the time of market launch.
• Continuous Monitoring and Updates: Manufacturers are required to monitor their products throughout their lifecycle, offering free updates to address vulnerabilities.
• Reporting: The CRA mandates timely reporting of any exploited vulnerabilities or incidents to ENISA and, by extension, users and authorities, to foster transparency and rapid response to emerging threats.
• Technical Documentation and User Instructions: Manufacturers must provide comprehensive documentation and clear user instructions in accessible language to ensure safe product utilisation.

Next Steps

The CRA was initially proposed by the European Commission in September 2022, the Act saw a political consensus reached between the European Parliament and the Council on 30 November 2023. This journey toward legislative solidification took a decisive turn on Tuesday, 12 March 2024, when the EU Parliament officially approved the CRA, marking a critical step in its journey to becoming law.

It will now have to be formally adopted by Council, too, in order to come into law.

Once adopted, the regulation will be implemented in two phases. Within the first twelve months, manufacturers and developers of connected devices will be obligated to report exploited cybersecurity vulnerabilities and breaches. Within twenty-four months, member states and affected businesses will have two years to adapt to the new requirements proposed by the Cyber Resilience Act as it enters into force.