Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) is a regulation of the European Union aimed at enhancing the cybersecurity of products with digital elements. The CRA seeks to improve the security and resilience of connected products and software by establishing clear requirements and obligations for manufacturers, distributors, and other stakeholders along the supply chain.


Requirements for Companies

Companies that manufacture or distribute products with digital elements must fulfill the following requirements:

  • Security and Risk Analysis: Companies are required to analyze security risks throughout the entire lifecycle of their products. This analysis must be conducted during the design phase and with each change or update to the product.
  • Security by Design: Companies must ensure that their products are developed with a security architecture from the outset. This includes implementing security measures that minimize potential threats and vulnerabilities.
  • Ongoing Monitoring and Maintenance: Companies must establish systems for continuous monitoring of the cybersecurity of their products. They are also required to provide regular security updates and promptly address security vulnerabilities.
  • Information Obligations: Companies must inform users about potential security risks and precautions. This also includes providing clear instructions on the safe use of the product.
  • Emergency Measures: In the event of a security incident, companies must promptly take appropriate measures to minimize the impact. They must also notify the relevant authorities and affected users.
  • Documentation and Reporting: Companies must create and maintain comprehensive technical documentation that records all security measures and tests. This documentation must be made available to authorities upon request.


Necessary Steps for Implementation

Companies subject to the CRA must take a series of steps to comply with the requirements:

  1. Assessment of Current Security Practices: Companies need to conduct a thorough analysis of their existing security measures to identify vulnerabilities and ensure they meet the CRA’s requirements.
  2. Implementation of Security by Design: Development processes must be adjusted so that security measures are integrated from the beginning. This may require additional training for development teams.
  3. Establishment of Monitoring and Update Systems: Companies must implement systems that enable continuous security monitoring and ensure that security updates are rolled out quickly and efficiently.
  4. Involvement of Stakeholders: Identify the employees who hold key positions of responsibility and involve them in the compliance effort.
  5. Creation of Documentation Processes: Companies should introduce robust processes for creating and maintaining the required documentation. This is crucial for demonstrating compliance with CRA regulations.
  6. Employee Training: Companies must ensure that all relevant employees are informed about the new requirements and are adequately trained.
  7. Continuous Improvement: Establish an iterative process for reviewing and adapting systems so that they remain resilient against evolving cyber threats.


Which Companies Must Implement the Requirements and When?

The CRA applies to all companies that develop, manufacture, import, or distribute products with digital elements within the European Union. This includes:

  • Manufacturers of software and hardware with digital functions that are to be sold or used in the EU.
  • Importers and distributors that market products with digital elements within the EU.
  • Service providers that supply digital products, systems, or software within the EU.

The regulation is designed to apply to all products with digital elements, regardless of the company’s location, as long as the products are offered in the EU market.

Implementation Deadline: The regulation came into force after its publication in the EU Official Journal, with companies having a transition period of 24 months from that point to fully comply with the CRA requirements. The exact date depends on the final adoption of the act, but companies should prepare for the requirements to be fully applicable by 2026 at the latest.

Companies should begin preparations now to implement the requirements in time and avoid penalties.