EU Cyber Resilience Act (CRA): A Complete Guide

The European Commission proposed the Cyber Resilience Act in September 2022. The European Parliament and the Council finally reached a provisional agreement on the CRA on December 1, 2023. The European Parliament's Committee on Industry, Research and Energy (ITRE) approved the provisional agreement on January 23, 2024, and the text of the act will finally be voted on by the Parliament in March 2024.

While it is yet to be passed as a law, the European Cyber Resilience Act is at an advanced stage. Once the legislation is in force, individuals and companies governed by the CRA will have three years to comply.

It is high time we understood the ramifications of the Cyber Resilience Act – its effect on different sectors, how it will affect the open-source ecosystem, and what steps small and midsize enterprises can take to comply with the regulations.

Understanding the EU Cyber Resilience Act (CRA)

The Cyber Resilience Act is an attempt by the European Commission to improve the cybersecurity of all software and hardware products with a digital element sold in Europe.

The CRA is the first piece of European legislation with a narrow focus on products, as opposed to the Cybersecurity Act (CSA), which has a broader scope involving information sharing and cooperation between member states.

The CRA aims to regulate security practices across the entire lifecycle of software and hardware products, from design and development to post-sale maintenance. It creates new obligations for manufacturers in terms of securing the development lifecycle and the supply chain. The European Union Agency for Cybersecurity (ENISA) works as a central hub for information and best practices related to the CRA. Notably, the CRA impacts the free and open-source ecosystem as well.

Issues addressed by the CRA

The European Commission has devised the CRA with a vision of eradicating security vulnerabilities from all products with a digital component. Its goal is to safeguard the consumers and businesses using digital products by introducing “mandatory cybersecurity requirements for manufacturers and retailers of such products.” Here’s a closer look at the specific issues targeted by the CRA.

Inadequate level of cybersecurity

"Inadequate level of cybersecurity" is a loaded term. It can refer to, and be determined by, many different factors, such as:

  • Lack of preventive security measures like firewalls and antivirus software
  • Inadequate security testing and risk assessment at different stages of the software development lifecycle
  • Lack of cybersecurity acumen and training among personnel, leading to increased human error
  • The existence of known vulnerabilities in hardware and software components
  • Insecure cloud configurations
  • Susceptibility to phishing attacks

The list could go on. The CRA complements other cybersecurity legislation and standards, such as the NIS2 directive, to redress these issues and alleviate cybersecurity risks across industries.

The inability of consumers and businesses to determine cyber-secure products

Currently, there are no statutory markers of cybersecurity for digital products in Europe that consumers and business users can rely on to judge the quality of security maintained by such products. While businesses can use certifications and markers provided by third-party security vendors, those are not necessarily reliable.

According to the European Commission, digital products complying with the CRA will carry a “CE” marking indicating their CRA-compliant status, helping consumers make more informed product choices.

The key promises

  1. The Cyber Resilience Act aims to guarantee harmonised rules for all products with a digital component as they are released to the EU market.
  2. It aims to create a framework of cybersecurity requirements for every stage of a product’s development lifecycle, including planning, design, development, and maintenance.
  3. It creates “an obligation to provide duty of care for the entire lifecycle of such products.”

Analysing the security requirements mandated by the CRA

1. Digital products will be published only if they meet essential cybersecurity requirements.

It is to be noted that releasing a product with no vulnerabilities is not the established norm in any market, especially in the open-source ecosystem. Many vulnerabilities are found while a piece of software is in use and are redressed according to contextual priority. The CRA aims to change this, and companies must find a way to comply with it.

2. The manufacturer will be liable to inform the consumer about all aspects related to the security of the products.

While this is a noble initiative, the text regarding this mandate has created some confusion. The reporting obligation the CRA enforces on manufacturers seems to mandate the public disclosure of vulnerabilities as they are found. In that case, the vulnerable systems will become easy prey for hackers.

3. The manufacturer has to define a support period for a product during which it will have the obligation to provide security updates.

While this benefits the consumers greatly, this requirement will put small, independent developers functioning within the open-source ecosystem under pressure.

4. Conformity assessment at every stage of development

We’ve already mentioned that all security requirements apply to products before they are placed on the market. The market readiness of every product with a digital element will be judged through self-assessment or third-party assessment.

5. The EU declaration of conformity

Once a manufacturer has demonstrated compliance with all the security requirements mandated by the CRA, it will be allowed to draw up an EU Declaration of Conformity and will receive the right to use the CE marking to indicate that its product complies with the CRA.

Who is governed by the CRA?

The CRA concerns itself with hardware and software products with digital elements sold within Europe. Hence, providers of software as a service are exempted.

Definition of products with digital elements (PDE)

A product with digital elements (PDE) is any software product or any physical good that relies on digital components to function properly. It covers a vast array of products that connect to the internet.

Some examples are:

  • Software applications
  • Wi-Fi-enabled appliances, such as:
    • Smart televisions
    • Fitness trackers
    • Connected toys

⚠️Note: Certain products, like medical devices and smart vehicles, that are already covered by other security regulations are exempted from the CRA despite being categorised as PDEs.

The Cyber Resilience Act applies to:

  • Manufacturers
    Companies that design and manufacture products with digital elements, directly or under their name or trademark, in the EU. The CRA also governs any authorised representative of the manufacturer in the EU if the manufacturer is not located in the EU.
  • Importers
    Companies that import PDEs into Europe will be governed by the CRA and be required to ensure that the imported products comply with all security requirements.
  • Distributors
    Adhering to its motto of regulating the cybersecurity of every stage of a product’s lifecycle, the CRA applies to distributors too. Distributors are liable to verify, to a certain extent, that the products they distribute meet all requirements for products with digital elements.

Security Requirements for Open-Source Digital Products

Open-source software components form the core of thousands of commercial and noncommercial products around the world. Hence, the European Commission wanted to bring open-source software under its all-encompassing cybersecurity legislation. However, the very nature of the open-source ecosystem prevents it from adhering to the security requirements enforced by the proposed act.

Issues faced by the open-source ecosystem

  • Creators of open-source products have little to no control over where and how their products are being used.
  • Products are developed through the voluntary contributions of developers spread across the world, making it impossible to assess every bit of code prior to publication.
  • Self-assessment or third-party assessment of open-source products is a difficult proposition, since free and open-source products are mostly dependent on voluntary contributions.

Open-Source Exemption (With Caveats)

Owing to the concerns raised by large open-source communities such as the Apache Foundation, the Commission has amended the legislation to exempt non-commercial open-source products. However, there is still a lack of clarity as to the definition of commercial and non-commercial open-source products. For instance, independent developers who enjoy the patronage of users, or who are employed by a for-profit organization, may be deemed commercial. This is surely an area businesses will have to tread carefully.

Non-Compliance Consequences

Exact penalties are still being determined, but they will likely include fines, product restrictions, and potential withdrawals. Businesses will likely have a 36-month compliance window once the CRA becomes law.

Each member state of the European Union will appoint market surveillance authorities who will be tasked with the enforcement of the “cyber resilience obligation.” The market surveillance authorities will have the power to:

  • Compel operators (manufacturers, distributors, and importers) to eliminate the risk and restore compliance.
  • Restrict the availability of the products under scrutiny in the market.
  • Order the products to be withdrawn or recalled.

Steps companies can take to ensure CRA compliance

The EU has reached political agreement on the CRA, and the new EU legislation will govern Europe’s digital future very soon. Manufacturers that fall under the new regulations must act now to ensure the fulfilment of CRA requirements. Here are the immediate steps to take.

  1. Identify the category under which your products fall and understand the specific requirements according to the CRA. Organizations can expect further documentation and assistance in this regard from the European Commission.
  2. Create a risk assessment routine consisting of internal and external penetration testing and vulnerability assessment.
  3. Integrate a vulnerability scanner with the CI/CD infrastructure. This will ensure that a scan precedes every release.
  4. Mandate the use of password management and access management tools within the company to centralize access and neutralize the threat of phishing attacks.
  5. Work on an incident response plan.

The role of a strong identity and password management system in building CRA compliance

The connection between an identity management tool and the Cyber Resilience Act, while not obvious, is deep. The product-related regulations set by the EU legislation depend on the overall cybersecurity health and posture of a company, and identity management plays a significant role in that.

  1. Password managers play a vital role in reducing the risk of phishing attacks by eliminating weak and repeated passwords.
  2. Centralized access management features offered by tools like Uniqkey help organisations manage access trails and maintain a zero-trust privilege structure around the company’s devices or network.
  3. Shadow IT monitoring capabilities ensure organizational security strength despite employees using personal devices.

Collectively, the qualities afforded by the use of a well-rounded enterprise-grade password and identity management platform translate into a better possibility of meeting CRA regulations.
Frequently Asked Questions

How does the CRA relate to other cybersecurity regulations like the NIS Directive or GDPR?

The CRA complements them. It focuses specifically on the security of connected products, while other regulations address broader organizational security practices (NIS2) or handling of personal data (GDPR).

What are the potential challenges for businesses in complying with the CRA?

Adapting development processes, re-evaluating existing products, managing incident reporting procedures, and handling the additional costs of compliance.

How will the CRA be enforced?

Market surveillance authorities within EU countries will oversee compliance, and manufacturers violating the CRA could face hefty penalties.

Uniqkey

Uniqkey is the perfect password management solution for teams and businesses. Built with high usability in mind, Uniqkey makes it easy for employees to adopt secure password habits, raising company-wide security in a simple and effective way.