The Cyber Resilience Act (CRA) has ignited a flurry of debate, particularly around its potential impact on companies bringing products and software to market. While anxieties about stifling innovation are valid, we can’t overlook the Act’s potential long-term benefits for user safety and company security. The question this article addresses is a practical one: what will compliance actually cost?
To answer it, our starting point is the EU’s impact assessment report. The report, published in September 2022, sheds some light on this issue, but falls short of defining clear ranges of anticipated costs.
Nonetheless, let’s delve into the report’s main findings and their potential implications.
“In terms of costs, SMEs as manufacturers would in principle be more affected than large companies”
SMEs face a steeper climb towards compliance due to three main factors: one-time compliance costs weigh more heavily on their smaller budgets; the economies of scale that shield larger companies are not available to them; and limited financial bandwidth makes fixed costs harder to absorb. As for larger companies, the report acknowledges that they can more easily spread the one-off cost of familiarising themselves with new regulation and can distribute the cost of compliance across a larger number of customers.
The Impact Assessment Report notes that, for non-European companies, “a significant cost could stem from the obligation to have an economic operator established in the Union”.
Indeed, Regulation (EU) 2019/1020, which has applied since 2021, requires that an economic operator established in the Union (i.e., a legal entity residing in the EU, such as the manufacturer, an importer or an appointed Authorised Representative) be responsible for CE-marked products placed on the Union market. Consequently, non-EU companies distributing their CRA-compliant IoT devices and software in the EU must either establish a legal presence in the EU or engage professional Authorised Representative services.
—
In a nutshell, the 2022 EU impact assessment report attempts to provide some guidance on cost, but its usefulness is limited. Further, several revisions to the Cyber Resilience Act have made their way through the legislative process since the report was written, rendering its findings partly outdated. Therefore, a more nuanced approach is needed to understand the true cost of compliance.
Factors such as existing supply chain practices, in-house security expertise, and product development methodologies will significantly influence the actual cost that manufacturers and software developers bear.
The Cyber Resilience Act’s compliance costs are undeniable, but their magnitude will vary considerably from one company to the next. While challenges for SMEs should be addressed, the potential long-term benefits for user safety, company security, and overall digital resilience shouldn’t be underestimated.
To help you come up with an estimated cost of compliance for your business, i46 has created the CRA compliance cost calculator.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please refer to the official CRA documents and consult with legal counsel for specific guidance.