The EU Cyber Resilience Act (CRA), published on November 20, 2024, in the Official Journal of the European Union, establishes a harmonized cybersecurity framework across the EU. The legislation, designated as Regulation (EU) 2024/2847, sets out comprehensive cybersecurity requirements for products with digital elements. It entered into force on December 10, 2024, and its obligations phase in over three years: the vulnerability and incident reporting duties apply from September 11, 2026, and the remaining requirements, including conformity assessment and CE marking, apply from December 11, 2027.
With the rapid growth of connected devices, cybersecurity threats have become a pressing concern for individuals, businesses, and governments. The CRA addresses these challenges by introducing mandatory cybersecurity requirements for products with digital elements, covering their security throughout the product lifecycle. The Act targets two primary issues: the low level of security in many digital products, and the lack of consistent security updates after sale.
The CRA also seeks to empower consumers and organizations by improving transparency. Manufacturers will be required to state the product's support period, which must be at least five years unless the product is expected to be in use for a shorter time, enabling better-informed purchasing decisions.
The Act establishes horizontal requirements for a wide array of digital products, covering everything from software to smart home devices, wearable health technology, and connected toys. It provides a unified framework to replace the fragmented regulatory landscape currently in place, reducing legal uncertainty and compliance burdens for businesses operating across borders.
The CRA requires manufacturers to integrate cybersecurity into the design and development of their products ("secure by design") and to place them on the market without known exploitable vulnerabilities and with secure default configurations. Manufacturers must then keep products secure during the support period through timely security updates, provided free of charge by default, and through a documented vulnerability handling process.
Products listed in the Act's annexes as important or critical are subject to stricter conformity assessment procedures because of their potential impact on security. Important products include, for example, firewalls and intrusion detection and prevention systems; critical products include smart cards, secure elements, and hardware security modules. For the higher-risk classes, conformity cannot be declared through self-assessment alone and requires a third-party evaluation (or, for critical products, a European cybersecurity certificate where one is mandated).
To ensure proportionality, the Act takes account of the particular challenges faced by small and medium-sized enterprises (SMEs) and developers of open-source software. SMEs will benefit from tailored guidance and simplified documentation to navigate compliance. Free and open-source software developed or supplied outside a commercial activity falls outside the Act's scope, while organizations that support open-source projects intended for commercial use (for example, foundations) are covered by a lighter regime as "open-source software stewards".
The CRA also requires due diligence on the supply chain: manufacturers must verify that third-party components integrated into their products, including open-source components, do not compromise the security of the product. This includes tracking vulnerabilities in those components, applying security updates promptly, and, when a manufacturer discovers a vulnerability in a component, reporting it to the party that maintains the component.
To enhance threat response capabilities, the CRA requires manufacturers to adopt and publish a coordinated vulnerability disclosure policy, and to report actively exploited vulnerabilities and severe incidents affecting the security of their products. Reports are submitted through a single reporting platform to the designated national CSIRT and the European Union Agency for Cybersecurity (ENISA), with an early warning due within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities. These measures aim to strengthen cybersecurity situational awareness across the EU.
In a further move to improve transparency, manufacturers must produce a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the product's top-level dependencies, as part of their vulnerability handling obligations. The Act does not require SBOMs to be published; they must be kept in the technical documentation and made available to market surveillance authorities on request, so that sensitive supply-chain information is not exposed publicly by default.
As the clock starts ticking on the implementation period, stakeholders across the EU—including manufacturers, regulators, and consumers—must prepare for a new era of digital security.
Need Help?
If you have questions or concerns about any global guidelines, regulations, and laws, don't hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you're informed and compliant.