The Cyber Resilience Act (CRA) is a disruptive piece of EU-level legislation that establishes a set of uniform cybersecurity requirements for the makers and creators of products with digital components, encompassing both software and hardware.
As the number of IoT devices continues to soar, it has become crucial to address the issue of low-level cybersecurity and device vulnerability by offering regular updates and continuous support.
The legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products.
Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features.
By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.
Benefits for both businesses and consumers
The regulation will ensure a harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoiding overlapping regulations.
The risk of cyber-attacks will be significantly lower, protecting businesses and consumers from potential data breaches, financial losses, and reputational damage.
The implementation of cybersecurity features makes it possible to avoid the significant costs of handling data breaches, which can run into millions of dollars.
With the increased security provided by the CRA, there will be an increase in customer trust, leading to increased demand for products with digital elements.
This increase in demand can translate to higher profitability for manufacturers.
The regulation will improve transparency by making it easier to access clear information on the device, leading to better-informed purchasing decisions and customer satisfaction.
Fundamental rights such as data protection and privacy will be better protected by ensuring that data collected by IoT devices is secure and protected from potential breaches.
The Cyber Resilience Act imposes specific requirements and obligations on manufacturers of digital products.
First is the obligation to take cybersecurity into account during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.
Manufacturers must ensure that products meet the security requirements specified in the CRA, including provisions related to security by design and by default, risk management, incident management, and the protection of personal data.
Products must be updateable and patchable to address vulnerabilities that might appear. Information about products’ cybersecurity features must also be provided to users in a clear and comprehensive way.
If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the European Union Agency for Cybersecurity (ENISA) within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.
Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as fines of 15 million euros or 2.5% of annual turnover.