The EU Cyber Resilience Act (CRA) and the UK’s Cyber Security and Resilience Bill both aim to improve cybersecurity. The CRA applies to the EU, while the UK bill will improve cyber defences and protect essential public services.
The CRA will affect manufacturers, importers, and distributors of hardware and software products. To better comply with the CRA’s requirements, they all need to understand whether their product falls within the scope of its legal framework. It is therefore vital that end-users of connected machinery understand both their obligations and those of their equipment suppliers.
WHAT DOES THE CRA COVER?
The CRA applies to products with “digital elements”, which includes both hardware and software. It introduces new, binding and comprehensive cybersecurity requirements for connected hardware and software products in many aspects of digital industry.
The aim is that ‘products with digital elements’ are designed with cybersecurity in mind from the onset and are therefore considered more secure. Manufacturers remain responsible for cybersecurity throughout a product’s life cycle. Companies therefore need to consider not only the operational phase of the digital product but its design, development, and production.
The CRA has a proposed classification scheme that categorises products as non-critical or critical based on their perceived risk levels:
Non-critical products include approximately 90% of products with digital elements, such as hard drives and other connected devices. Manufacturers in this category may perform self-assessments to check if their products meet the CRA’s requirements. Critical products are categorised further into class I and class II products under the CRA:
- Class I products include identity management; standalone and embedded browsers; password managers; software that searches for, removes, or quarantines malicious software; products with digital elements that have the function of a virtual private network (VPN); network management systems; etc.
- Class II products include hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments; firewalls, intrusion detection and/or prevention systems; tamper-resistant microprocessors; and tamper-resistant microcontrollers.
The CRA does not apply to the following:
- Non-commercial projects, including open-source software, as long as it is not part of a commercial activity.
- Services, such as cloud computing services and Software-as-a-Service (SaaS) business models.
- Highly regulated products and industries, especially those that are already sufficiently regulated on cybersecurity, such as automotive products, medical devices, in vitro diagnostic medical devices, certified aeronautical equipment, and products developed exclusively for national security or military purposes.
Compliance with the CRA is demonstrated by satisfying the Essential Requirements set out in Annex I. The particular route to conformity required depends on the risk class of a product. For digital products that are not classified as either ‘important’ or ‘critical’, as defined in the CRA, manufacturers can self-declare conformity using harmonised standards. Standards which may be used in support of this self-declaration are presently being developed by the European standards-writing organisations. For other, higher-risk products, manufacturers and distributors may have to go through assessment by a notified body, depending on the features of the high-risk product. Annex III and Annex IV of the CRA list the types of products that are considered “important” and “critical” respectively. “Important” products are also split into two classes.
SECURE BY DESIGN
A major essential requirement in the CRA is that products with digital elements shall be designed with an appropriate level of cybersecurity. Thus, the CRA will require manufacturers of connected products to essentially adopt the Secure by Design (Default) principles.
Simply proving a product’s cybersecurity when placing it on the market will no longer be enough. Instead, manufacturers need to assess the cybersecurity risks throughout the life cycle of their products, for example ensuring that any vulnerabilities discovered can be addressed via security updates.
Vulnerability handling is a central obligation for manufacturers. To respond adequately, manufacturers need to discover and assess vulnerabilities at an early stage. They must ensure security updates throughout the expected lifetime of their products. If a security issue is identified in this period, manufacturers must publish security advisory messages and release security patches and updates free of charge.
Manufacturers also have the obligation to report security incidents to the EU Agency for Cybersecurity (ENISA), the product user and, where applicable, any parties commissioned with the maintenance and repair of the product.
Digital product users need to respond particularly quickly in the case of a vulnerable product by patching when an update is available or isolating the product while waiting for the patch.
Manufacturers must therefore implement the processes needed for reporting these incidents and ensuring compliance with the CRA requirements for technical documentation.
TRANSPARENCY
The CRA also requires comprehensive product documentation that lists all important characteristics and security functions. The documentation must state which cybersecurity risks may occur under which circumstances and give details of a contact point in case of a cybersecurity vulnerability.
It must also point out where the CE marking and the software bill of materials (SBOM) can be found. The SBOM provides a detailed list of all software components in the product and facilitates security management, because a user or maintainer can match a published vulnerability against the components actually shipped.
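As an added illustration (not code from the article or from any regulator), the following script shows the kind of completeness check a manufacturer or end-user might run over an SBOM before relying on it for vulnerability management. It assumes the SBOM is in CycloneDX JSON form, a widely used format that the article itself does not name, and the sample document embedded in the script is constructed for the example rather than taken from any real product.

```python
"""Check a software bill of materials (SBOM) for incomplete entries.

Added example, not part of the original article. Assumes the SBOM is a
CycloneDX JSON document; the sample below is constructed, not a real
product inventory.
"""
import json

# Constructed sample SBOM for a hypothetical connected gateway.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "firmware", "name": "example-gateway", "version": "2.4.0"}
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13",
         "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
        # A component with no version or identifier cannot be matched
        # against an advisory, so it defeats the purpose of the SBOM.
        {"type": "library", "name": "vendor-crypto-blob"},
    ],
})

# Fields each component needs so that an advisory can be matched to it.
REQUIRED_FIELDS = ("version", "purl", "supplier")


def load_sbom(text):
    """Parse an SBOM and reject anything that is not CycloneDX JSON."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def find_incomplete_components(doc, required=REQUIRED_FIELDS):
    """Return {component name: [missing field names]} for every component
    that lacks at least one of the required fields."""
    gaps = {}
    for comp in doc.get("components", []):
        missing = [field for field in required if not comp.get(field)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def summarise(doc):
    """Return (total component count, number of incomplete components)."""
    total = len(doc.get("components", []))
    return total, len(find_incomplete_components(doc))


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    total, bad = summarise(sbom)
    print(f"{total} components, {bad} incomplete")
    for name, missing in find_incomplete_components(sbom).items():
        print(f"  {name}: missing {', '.join(missing)}")
```

Run on the embedded sample, the check flags `zlib` (no supplier) and `vendor-crypto-blob` (no version, identifier or supplier); the latter is the case that matters most, since an unversioned component can never be reliably matched to a security advisory.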
A primary goal is to ensure products with digital elements have fewer security vulnerabilities, and manufacturers, importers, and distributors effectively manage cybersecurity throughout a product’s life cycle.
The CRA aims to enhance user trust and protection by improving transparency on the security and reliability of hardware and software products. At its core, the CRA represents a comprehensive approach to strengthening the cybersecurity of nations, businesses, and critical infrastructure. By introducing mandatory security requirements throughout the life cycle of hardware and software products, the CRA strengthens the cybersecurity of connected devices.
All the CRA requirements will apply from 11 December 2027. Nevertheless, manufacturers, distributors and importers should start to address the CRA at an early stage, to ensure their end-users’ security. Comprehensive training and cyber resilience testing programmes cannot be done overnight.