EU Cyber Resilience Act: An overview

The EU’s Cyber Resilience Act is a new law that aims to bring added security to networks and the product lifecycles of hardware and software that have digital components. Products that benefit from the new requirements will be on EU shelves by 2027.
Published by Usercentrics
Dec 12, 2024

The EU Cyber Resilience Act (CRA) has been in the works for several years, but has now been adopted by EU regulators. It enters into force 10 December 2024, though its provisions will be rolled out over the next several years. We look at what the CRA is, who it affects, and what it means for businesses in EU markets.

What is the Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act aims to bring greater security to software and hardware that includes digital elements, as well as the networks to which these products connect. Focused on cybersecurity and reducing vulnerabilities, the law covers products that can connect, directly or indirectly, to a device or network, whether wired or wireless, such as laptops, mobile phones, routers, mobile apps, video games, desktop applications, and more.

The CRA entered into force on 10 December 2024, though its requirements apply gradually. The vulnerability and incident reporting obligations for manufacturers apply from 11 September 2026 (21 months after entry into force), and the remaining provisions apply from 11 December 2027 (36 months after entry into force).

Broader scope of EU cybersecurity initiatives

The CRA is part of the larger EU Cybersecurity Strategy and complements the Directive on measures for a high common level of cybersecurity across the European Union, known as the NIS2 Directive. The Strategy aims to “build resilience to cyber threats and ensure citizens and businesses benefit from trustworthy digital technologies.” The CRA also addresses the cross-border nature of cybersecurity threats by ensuring that products sold anywhere in the EU meet adequate and consistent standards.

With the ever-growing number of connected products in consumers’ lives and used for business operations, the need for security and vigilance in manufacturing and consumer goods is only likely to grow. The law also intends to ensure consumers receive adequate information about the security and vulnerabilities of products they purchase so they can make informed decisions at home and at work.

Who and what does the Cyber Resilience Act apply to?

The CRA applies to manufacturers, importers, and distributors (including retailers) of products with digital elements, both hardware and software. This does include consent management platforms.

Under the law, included products will have to comply with specific requirements throughout the full product lifecycle, from the design phase to when they’re in consumers’ hands. Design, development, and production will need to ensure adequate levels of cybersecurity based on risk levels and factors. It’s a bit like the concept of privacy by design, but even more security-focused and codified into law.

How can companies comply with the Cyber Resilience Act?

Companies required to comply will be responsible for bringing products to market without known exploitable vulnerabilities and with a “secure by default” configuration. Products will also need to bear the CE mark to show compliance.

Additionally, companies will need to implement various other security measures, including:

  • access control mechanisms such as authentication and identity/access management
  • state-of-the-art encryption of relevant data, both in transit and at rest
  • mechanisms to limit the impact of denial-of-service (DoS) attacks

Handling vulnerabilities under the CRA

There are specific vulnerability handling requirements for manufacturers. They must identify and document the components their products contain and any vulnerabilities in them, including by drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format that covers at least the product’s top-level dependencies.

Manufacturers will also have to address vulnerabilities discovered after release through security updates. These updates must be:

  • delivered without delay
  • provided free of charge
  • accompanied by advisory messages for users, including any actions they need to take

In addition, manufacturers must put in place and enforce a coordinated vulnerability disclosure policy, and publicly disclose repaired vulnerabilities with:

    • a description of the vulnerability
    • information to identify the product affected
    • the severity and impact of the vulnerability
    • information to help users remediate it
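The two obligations above, an SBOM that lists top-level dependencies in a machine-readable format and a public disclosure that identifies the affected product, fit together: the SBOM gives every component a stable identifier that the advisory can reference. The block below is an added example, not Usercentrics’ code and not an official CRA tool. It builds a minimal CycloneDX 1.5 JSON document (a commonly used SBOM format) from a dependency list, checks that every top-level dependency is present and identifiable, and drafts the disclosure fields listed above for one component. The product name, package names, and versions are constructed for illustration.

```python
"""Added example: minimal CycloneDX-style SBOM builder, checker, and advisory draft.
Not Usercentrics' code; product and package names are constructed for illustration."""
import json

# Constructed sample: what a build tool might report for a hypothetical product.
# "direct" marks top-level dependencies, the CRA's minimum for an SBOM.
SAMPLE_DEPENDENCIES = [
    {"name": "example-http", "version": "2.4.1", "ecosystem": "npm", "direct": True},
    {"name": "example-json", "version": "1.0.3", "ecosystem": "npm", "direct": True},
    {"name": "example-utf8", "version": "0.9.0", "ecosystem": "npm", "direct": False},
]


def purl(dep):
    """Package URL: the machine-readable identifier CycloneDX uses for a component."""
    return f"pkg:{dep['ecosystem']}/{dep['name']}@{dep['version']}"


def build_sbom(product_name, product_version, deps, include_transitive=False):
    """Return a CycloneDX 1.5 document (as a dict) for the product.

    Only top-level dependencies are listed unless include_transitive=True.
    """
    selected = [d for d in deps if d["direct"] or include_transitive]
    root_ref = f"pkg:generic/{product_name}@{product_version}"
    components = [
        {"type": "library", "bom-ref": purl(d), "name": d["name"],
         "version": d["version"], "purl": purl(d)}
        for d in selected
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                   "name": product_name, "version": product_version}},
        "components": components,
        # Dependency graph: the product depends directly on each top-level component.
        "dependencies": [{"ref": root_ref,
                          "dependsOn": [purl(d) for d in selected if d["direct"]]}],
    }


def check_sbom(sbom, deps):
    """Return a list of problems; empty means every top-level dependency is
    present, carries name/version/purl, and the dependency graph resolves."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("specVersion"):
        problems.append("not a CycloneDX document")
    components = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    for c in components.values():
        for field in ("name", "version", "purl"):
            if not c.get(field):
                problems.append(f"component {c.get('bom-ref')} lacks {field}")
    for d in deps:
        if d["direct"] and purl(d) not in components:
            problems.append(f"top-level dependency missing: {purl(d)}")
    root_ref = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    known_refs = set(components) | {root_ref}
    for edge in sbom.get("dependencies", []):
        for ref in [edge.get("ref"), *edge.get("dependsOn", [])]:
            if ref not in known_refs:
                problems.append(f"dependency graph references unknown ref: {ref}")
    return problems


def draft_advisory(sbom, affected_purl, description, severity, fixed_in):
    """Draft the public disclosure fields: description, affected product
    (identified via the SBOM), severity/impact, and remediation guidance."""
    product = sbom["metadata"]["component"]
    if affected_purl not in {c["bom-ref"] for c in sbom["components"]}:
        raise ValueError(f"{affected_purl} is not a component of this SBOM")
    return {
        "product": {"name": product["name"], "version": product["version"]},
        "affected_component": affected_purl,
        "description": description,
        "severity": severity,
        "remediation": f"Update {product['name']} to {fixed_in}",
    }


if __name__ == "__main__":
    sbom = build_sbom("demo-app", "1.0.0", SAMPLE_DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom, SAMPLE_DEPENDENCIES))
    print(draft_advisory(sbom, "pkg:npm/example-json@1.0.3",
                         "Constructed example issue in JSON parsing", "high", "1.0.1"))
```

The checker is the part worth keeping around: an SBOM that drops a top-level dependency, or whose dependency graph points at a component that is not in the list, silently fails the “identify and document components” requirement even though it is still valid JSON. Running a check like this in CI on every release catches that before the document is published alongside the product.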

Reporting requirements under the CRA

If a manufacturer becomes aware of an actively exploited vulnerability in one of its products, or of a severe incident affecting the product’s security, it must notify the European Union Agency for Cybersecurity (ENISA) and the CSIRT designated as coordinator (which one depends on the EU Member State where the manufacturer has its main establishment) through a single electronic reporting platform. An early warning is due within 24 hours of becoming aware of the issue, a fuller notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available for an exploited vulnerability, or within one month of the incident notification for a severe incident. Affected users must also be informed without undue delay, including about any corrective measures they can take.

The CRA is a cybersecurity law rather than a privacy law, so it does not regulate consent or its management the way the GDPR does. However, like data privacy laws, it requires transparency and notification of important information, including reporting to authorities as required and informing end users in the event of a security incident.

Manufacturers’ provision of clear information on cybersecurity measures and potential vulnerabilities in their products will enable informed decision-making by consumers. This is also a goal of data privacy laws like the GDPR.

Additionally, the regulation is quite clear on products’ need for security to prevent unauthorized access and to protect potentially sensitive personal data, also goals of privacy regulations.

Critical products and special requirements under the CRA

Hardware and software products with digital elements face different requirements under the CRA depending on factors like their use. A small set of products is classed as critical because essential entities under the NIS2 Directive critically rely on them, because a cybersecurity incident or exploited vulnerability in them could seriously disrupt crucial supply chains or networks or pose a risk to the safety, security, or health of users, and/or because they are critical to the cybersecurity of other networks, products, or services. The European Commission will maintain the list of critical products. Examples include “hardware devices with security boxes” and smartcards.

Products considered critical may be required to obtain a European cybersecurity certificate at the required assurance level (e.g. “substantial” or “high”) under an accepted European cybersecurity certification scheme where one exists. There is also a list of “important” products that must undergo stricter conformity assessment, though these are not classed as critical. These include VPNs, operating systems, identity management systems, routers, interconnected wearables, and more. The European Commission will also maintain this list.

What are the exclusions to Cyber Resilience Act compliance?

Certain products that are already covered by other product safety regulations are excluded from the scope of the CRA. These include motor vehicles, civil aviation vehicles, medical devices, products for national security or defense, etc. Hardware without digital elements would not be included, nor would products that can’t be connected to the internet or other network, or that can’t be exploited through cyber attack (e.g. it holds no data).

What are the penalties for noncompliance under the Cyber Resilience Act?

Failure to maintain adequate security standards, fix vulnerabilities, notify relevant authorities and parties about security incidents, or otherwise violating the CRA can result in fines. The top tier, for breaches of the essential cybersecurity requirements and the core manufacturer obligations, is up to EUR 15 million or 2.5 percent of worldwide annual turnover for the preceding financial year, whichever is higher. These penalties are higher than the lower tier of penalties for GDPR violations.

Usercentrics and the Cyber Resilience Act

The CRA will apply to our products by 2027. However, Usercentrics takes security and data protection as seriously as we do valid consent under international privacy laws — today and every day. We are always evaluating our practices, from design to development to implementation and maintenance, and will continue to upgrade our products and systems to keep them, our company, and our partners and customers as safe as possible.

Get in touch today. We’re happy to discuss our products or your privacy compliance needs.