Cyber Resilience Act

The Cyber Resilience Act (CRA), formally “Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements”, is a comprehensive set of rules that defines minimum requirements for the cybersecurity of products with digital elements. As a regulation, it is binding on the member states and applies to the entire European market.


When does the Cyber Resilience Act apply?

At the end of 2023, the European Commission, the European Parliament and the Council of the European Union agreed on the final text of the Cyber Resilience Act. It was published in the Official Journal of the EU on November 20, 2024 and came into force on December 10, 2024. However, in order to give companies time to make the transition, the requirements do not have to be implemented with immediate effect.

The timetable for implementation provides for the following important steps:

  • From June 11, 2026, conformity assessment bodies will be authorized to assess the conformity of products with the requirements of the regulation.
  • From September 11, 2026, manufacturers will be subject to the obligation to report vulnerabilities and incidents (see below under “What obligations do manufacturers have?”).
  • From November 11, 2027, all requirements will apply in full.

Which companies are affected by the Cyber Resilience Act?

The requirements of the CRA apply to manufacturers, importers and distributors who develop or manufacture products with digital elements for the EU market or place them on the EU market. They apply regardless of whether the company in question is based inside or outside the EU - for example, they also apply to Korean smartphone manufacturers that sell their products on the European market.

Which products are covered by the regulation?

All hardware and software products and components that are sold in the EU and contain “digital elements” are subject to the Cyber Resilience Act. In addition to everyday consumer products, this also includes B2B software as well as systems and machines for industry. The regulation defines “products with digital elements” as all products “the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network” (Article 2 (1)).

Exceptions

However, there are exceptions: Products that are already regulated by certain other EU regulations and directives do not fall within the scope of the CRA according to Article 2, para. 2. These include medical devices and in-vitro diagnostics, motor vehicles, civil aviation products and marine equipment. There are also exemptions for spare parts intended to replace identical components, for defense equipment and for products for which the Commission has granted an exemption.

Risk classes

In Annexes III and IV, the Regulation divides the products concerned into different risk categories:

  • Standard (non-critical products), for example PC games, smart speakers, hard disks, software for text and image processing, multimedia devices. The majority of all products with digital elements fall into this category. Self-certification by the manufacturer is possible for such products.
  • Class I (important products), for example browsers, firewalls, routers, password managers, products and systems for industrial or building automation. Certification by a notified body is required for products in this risk class.
  • Class II (critical products), for example hardware security modules, chip cards, operating systems, smart meters and critical infrastructure systems. Certification by notified bodies is also required for these products.

The same product requirements apply to all risk classes. The main difference lies in the conformity assessment: the higher the risk class, the stricter the criteria and the more extensive the assessment process. In classes I and II, assessments by independent bodies are mandatory, and certification in accordance with a European certification scheme may additionally be required (i.e. for the corresponding product categories listed in Annex IV).


Open source software

Open source software (OSS) is also fully subject to the requirements of the Cyber Resilience Act. Only non-commercial open source software products are exempt from the CRA and do not have to meet the requirements. Ambiguities in the first draft of the law as to when an OSS product counts as “commercial” or “non-commercial” initially led to great uncertainty. In Annex II, the final legal text now addresses commercial open source software in more detail and creates more legal certainty, among other things by introducing the concept of the intention to make a profit. However, some formulations of the current legal text still leave room for interpretation.

What obligations do manufacturers have?

Manufacturers must carry out a cybersecurity risk assessment for every product “with digital elements” - including those in the standard low-risk category - and take the result into account when planning and designing, developing and manufacturing, supplying and maintaining the product. In principle, technical documentation, conformity assessment and product labeling must be provided for every product with digital elements and regularly updated throughout the entire support period (Article 31). For software products, manufacturers must create a software bill of materials (SBOM). This SBOM is intended to ensure greater transparency in the supply chain and be used as a source for vulnerability management; it does not have to be published.

In addition, manufacturers (and to a certain extent importers and retailers) must implement risk management and effective vulnerability management. Reporting obligations with tight deadlines apply to actively exploited vulnerabilities and serious security incidents: an initial warning must be issued within 24 hours, followed by a detailed vulnerability report no later than 72 hours after the vulnerability becomes known, including information on the vulnerability, the countermeasures taken and possible countermeasures for users. A detailed final report must be submitted to the responsible CSIRT and ENISA no later than 14 days after a countermeasure is available (Article 14 (2a-c)). Manufacturers must also provide updates and patches to fix the vulnerabilities (Annex I, Part I, para. 2c).

What needs to be considered during product development?

With regard to the development and manufacture of products with digital elements, the CRA requires a risk-based approach (security by design). Among other things, Annex I requires

  • An appropriate level of cybersecurity based on the risks (Part I, para. 1)
  • The elimination of all known vulnerabilities (identified in the risk assessment) before the product is placed on the market (Part I, para. 2a)
  • The ability to address vulnerabilities through security updates (Part I, para. 2c)
  • The prevention of unauthorized access through access controls (Part I, para. 2d)
  • Ensuring the confidentiality of data through encryption (Part I, para. 2e)
  • Protecting the integrity of data, commands and configurations (Part I, para. 2f)
  • Minimizing negative effects on other devices and networks (Part I, para. 2i)
  • Minimizing the attack surface (Part I, para. 2j)

CRA and IEC 62443

Products that meet the security requirements of IEC 62443-4-2 and have been developed in accordance with IEC 62443-4-1 should already largely meet the requirements of the EU draft legislation. IEC 62443 is therefore also seen as the most likely candidate for harmonization. However, manufacturers of software products should note that the CRA requires mandatory safeguarding of the software supply chain and documentation of vulnerabilities in components (including third-party components) of the product, whereas IEC 62443-4-1 only recommends this.

What are the penalties for non-compliance?

Violations of the requirements of the Cyber Resilience Act can be penalized with high fines. Failure to comply with the product cybersecurity requirements set out in Annex I and with the assessment and reporting obligations can be punished with fines of up to EUR 15 million or up to 2.5 percent of the global turnover of the previous financial year (whichever is higher). Violations of procedural and labeling obligations can result in fines of up to EUR 10 million or up to 2 percent of the global turnover of the previous financial year. Fines of up to EUR 5 million or 1 percent of the worldwide annual turnover can be imposed for false or misleading statements to notified bodies and market surveillance authorities.

Reference sources

The legal text of the Cyber Resilience Act (incl. annexes) is available online in all 24 official EU languages: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=OJ:L_202402847


Support for CRA-compliant product development

NewTec supports manufacturers in the development of products with digital elements - for example with a threat and risk analysis in accordance with the Cyber Resilience Act, the integration of security measures or the implementation of secure update processes as well as comprehensive security testing.

Questions? Get in touch with us.

Or give us a call on +49 7302 9611-0.

Your contact person
Stephan Strohmeier
Head of Safety & Security Solutions

NewTec GmbH
Buchenweg 3
89284 Pfaffenhofen a. d. Roth
Phone +49 7302 9611-0