The Price of Security: Understanding the Cost of Compliance to the Cyber Resilience Act
The Cyber Resilience Act (CRA) has ignited a flurry of debate, particularly around its potential impact on companies bringing products and software to market. While anxieties about stifling innovation are valid, we can’t overlook the Act’s potential long-term benefits for user safety and company security.
However, one critical question remains: how much will compliance actually cost?
To answer this question, our starting point is the EU’s impact assessment report. The report, published in September 2022, sheds some light on this issue, but falls short of defining clear ranges of anticipated costs.
Nonetheless, let’s delve into the report’s main findings and their potential implications.
Compliance costs are expected to vary significantly whether you are an SME or a larger company.
“In terms of costs, SMEs as manufacturers would in principle be more affected than large companies”
SMEs face a steeper climb towards compliance due to three main factors: one-time compliance costs weigh heavily on their smaller budgets, economies of scale shield larger companies but may not shield them, and limited financial bandwidth makes fixed costs harder to absorb. As for larger companies, the report acknowledges that they can more easily distribute the one-off costs of familiarising themselves with new regulation and can distribute the cost of compliance on a larger number of customers.
Achieving compliance may be even more costly for non-EU companies
The Impact Assessment Report notes that, for non-European companies, “a significant cost could stem from the obligation to have an economic operator established in the Union”.
Indeed, Regulation 2019/1020, which came into force in 2021, makes it mandatory for non-EU manufacturers to appoint an EU Authorised Representative (i.e: a legal entity residing in the EU) to be able to sell CE-marked products in the Union market. Consequently, non-EU companies distributing their CRA-compliant IoT devices and software in the EU must either establish a legal presence in the EU or hire professional Authorised Representative services.
In a nutshell, the 2022 EU impact assessment report attempts to provide some guidance on cost, but its usefulness is limited. Further, several revisions to the Cyber Resilience Act have made their way through the legislative process, rendering its findings partly inaccurate. Therefore, a more nuanced approach is needed to understand the true cost of compliance.
Beyond the Numbers:
Factors like existing supply chain practices, internal security expertise, and product development methodologies will significantly influence the actual cost that manufacturers and software developers will bear:
- The Act incentivizes manufacturers to prioritise security upfront, potentially reducing post-launch vulnerability fixes and their associated costs. However, feature development can be expensive, and the more cybersecurity features a company will have to integrate in their products, the more costly compliance will become.
- To address limited cybersecurity expertise in companies and ensure compliance with regulations, business owners might consider collaborating with cybersecurity consultants, legal advisors or hire additional personnel. There, business owners will face a trade-off between cost, knowledge acquisition with internal hiring and risks.
- The Cyber Resilience Act is not a one-time certification. Instead, the act mandates a continuous monitoring of devices and software to ensure that its requirements are continuously being met. For instance, the Act mandates penetration detection mechanisms (i.e: “ensure protection from unauthorised access [via] report on possible unauthorised access”), protection of stored, transmitted and processed data, etc. Implementing an infrastructure capable of continuously monitoring devices and software usage will also be a challenge for many.
The Cyber Resilience Act’s compliance costs are undeniable, but their magnitude will vary considerably from one company to the next. While challenges for SMEs should be addressed, the potential long-term benefits for user safety, company security, and overall digital resilience shouldn’t be underestimated.
To help you come up with an estimate cost of compliance for your business, i46 has created the CRA compliance cost calculator.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please refer to the official CRA documents and consult with legal counsel for specific guidance.
Join the Discussion:
Chat with i46’s CEO: Erel Rosenberg
Find out more information on the Cyber Resilience Act here