The Cyber Resilience Act: A revolution in the world of IoT cybersecurity.

What is the CRA ?

The Cyber Resilience Act (CRA) is a disruptive legislation at the EU-level, which establishes a set of uniform cybersecurity regulations applicable to the makers and creators of products that feature digital components, encompassing both software and hardware.
As the number of IoT devices continues to soar, it has become crucial to address the issue of low-level cybersecurity and device vulnerability by offering regular updates and continuous support.

The legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products.
Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features.
By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.

Why cyber resilience matters?

Benefits for both businesses and consumers

To whom does the CRA apply ?

The Cyber Resilience Act applies to economic operators such as manufacturers, distributors, or importers who supply digital products within the European single market. The regulation requires that products with digital elements meet specific essential security requirements before they can be made available on the market. Manufacturers of digital products must take into account cybersecurity features during the design and development phase of their products to comply with the CRA. It is important to note that software provided as a service is not covered by the CRA. However, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and other sectorial legislation ensure that systems provided as a service or developed in-house, such as electronic health record (EHR) systems, meet equivalent technical requirements for cybersecurity and provide the same level of protection against cyber threats.

The legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products. Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features. By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers of digital products.

First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.

Manufacturers must ensure that products meet the security requirements specified in the CRA including provisions related to security by design and default, risk management, incident management, and the protection of personal data.

Products must be updateable and patchable to address vulnerabilities that might appear. Information about products’ cybersecurity features to users must also be provided in a clear and comprehensive way.

If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the European Union Agency for cyber-security (ENISA) within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.

Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as 15 millions euros or 2.5% of annual turnover.

The legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products. Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features. By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.