Through the Cyber Resilience Act, the European Union aims to institute new cybersecurity requirements for products with digital elements. This imperative stems from the increasing significance of networked devices and services in everyday life, for both economic operators and private users.
The draft is expected to be ratified in 2024, with iterative implementation over a transitional period of 36 months. Given that product development cycles usually span several years, companies affected by these regulations must now enact proactive measures to stay ahead of the regulatory pressure, and be able to offer their products on the European single market.
When launched, many products currently in development will already need to demonstrate compliance with the Cyber Resilience Act. Early categorisation and review of your portfolio will afford crucial time for necessary actions.
Our white paper provides an in-depth examination of the affected product types, necessary considerations, and proactive steps companies can take now.
The Cyber Resilience Act (CRA) specifically targets products featuring digital components designed to establish direct or indirect data connections with other devices or networks. This encompasses both software and hardware. The key criterion for CRA applicability is a product's ability to communicate with other products or components. Companies face distinct obligations depending on how legislators categorise their products. Those falling into the default standard category as ‘normal’ products with digital elements generally possess limited security relevance.
Higher-security-relevance products, such as antivirus software or smart home products, are classified as important products with digital elements of class 1, requiring an external conformity check by an examination body or adherence to a harmonised standard. Products in important class 2, often used industrially (e.g., hypervisors and tamper-resistant microcontrollers), require mandatory external examination. If a product falls under Annex IV and includes safety-relevant components, e.g. for critical infrastructure, companies must adhere to an EU cybersecurity certification scheme if available; otherwise, class 2 requirements apply.
In the future, companies whose products fall into these categories must ensure a high level of cybersecurity throughout the entire product lifecycle. Integrating security into the development process of new products from the outset is crucial, with an emphasis on security by design and obligatory risk assessments. Additionally, products must remain secure during delivery, maintenance, and disposal. Comprehensive documentation of regularly conducted risk assessments is mandatory, and exploited vulnerabilities must be reported within a 24-hour timeframe. Manufacturers are responsible for identifying and rectifying security vulnerabilities during the expected product lifetime, ensuring the provision of appropriate security updates free of charge. This requires an organisation to establish the necessary resources and processes well in advance.
Given this extensive list of obligations, it is imperative that affected companies proactively address regulatory pressure and meticulously review their product portfolio. Those who do not leverage the time buffer until the CRA comes into effect risk facing fines, product recalls, or costly rework. There is also the possibility of new products being denied CE labelling, effectively banning them from the EU market. Therefore, it is advisable to review your own product portfolio in accordance with the regulation, perform risk assessments, and prepare the required documentation to demonstrate conformity.