The Cyber Resilience Act: A New Era of Digital Product Security
The rise of the Internet of Things (IoT) is set to revolutionise daily life, expanding beyond smartphones into smart homes and smart cities and ushering in a new smart era. However, along with these vast possibilities comes an equally vast cybersecurity challenge. Billions of connected devices, ranging from industrial machinery to home appliances, now create numerous entry points for cyberattacks. Even seemingly innocuous devices, like smart kettles, could serve as gateways for attackers to breach networks and reach critical or sensitive systems such as security cameras and digital door locks, enabling spying, manipulation or even physical intrusion that could disrupt entire operations. This reality underscores just how high the stakes are set to become in the digital landscape of our time.
What is the CRA?
The Cyber Resilience Act (CRA) is a direct response to these rising cybersecurity risks. The CRA came into force on 10 December 2024 and is a cornerstone of the EU's Digital Strategy, alongside other key regulations such as NIS2, DORA and the AI Act.
However, the CRA stands out as the EU's first regulation specifically targeting cybersecurity at the product level. Unlike earlier regulations such as NIS2, which focus on organisational cybersecurity practices, the CRA directly targets the security of digital products themselves, marking a shift in focus that prioritises making software and devices secure from the outset. The scope of the CRA is notably broad: it covers both software and hardware and applies to all products with digital elements. If your product connects to the internet or processes data, and is available on the EU market, it will likely fall under the CRA's jurisdiction.
The CRA spans all sectors and industries, with very few exceptions, and applies to manufacturers as well as importers and distributors. By extending accountability across the entire supply chain, the CRA aims to ensure that all digital products on the EU market fully comply with its cybersecurity standards.
This broad scope, covering both products and market actors, means that many companies previously unaffected by earlier regulations such as NIS2 will now need to comply with the CRA.
Key Requirements
The CRA mandates the integration of cybersecurity into every stage of the product life cycle, from design through manufacture, usage and eventual decommissioning. This requires prioritising security at every stage. To ensure the Security by Design and Security by Default principles are upheld, the CRA introduces security assessments, with critical products required to undergo third-party conformity assessments to verify compliance with security standards.
Manufacturers will be required to implement robust Product Lifecycle Management, including the provision of regular security updates and patches, as well as CRA-specified technical documentation. The CRA also mandates a detailed vulnerability management process, which includes a vulnerability disclosure process to notify ENISA of any actively exploited vulnerability within 24 hours of detection and, notably, also to notify the customers of the affected products. This proactive approach fosters a secure digital ecosystem by promoting timely communication and remediation.
Additionally, companies must implement incident management procedures to handle security breaches, conduct post-market surveillance to monitor products after release, and implement processes for third-party risk management, record-keeping and secure decommissioning. As the cherry on top, the CRA introduces rigorous market surveillance to amplify enforcement.
The Stakes
Critically, the CRA sets forth steep penalties for non-compliance, with fines reaching up to €15 million or 2.5% of global turnover, whichever is higher. The CRA also makes CE certification dependent on compliance, meaning non-compliant products risk recalls or exclusion from the EU market altogether.
The EU has opted against grandfathering provisions, meaning that even existing products must comply after the implementation date in order to remain on the EU market. Businesses that fail to comply with the CRA thus risk severe financial losses and reputational damage, on top of the pivotal risk of losing access to one of the world's most lucrative markets altogether. This makes compliance with the CRA imperative for market participants operating in the EU.
The CRA represents a transformative milestone in the EU's digital strategy. It aims to ensure that all products with digital elements are designed with cybersecurity at their core, and that this focus is extended throughout the product's lifecycle. While the consequences of non-compliance are substantial, businesses should view the CRA as an opportunity to enhance their products and their brand. By embedding cybersecurity from the design stage and beyond, companies have an opportunity to protect their customers, establish – or maintain – a strong reputation for reliability and security, and thereby position themselves to thrive in the increasingly competitive and dynamic market of the new Smart World.
What You Need to Know
- Focus on Product Cybersecurity: The CRA specifically addresses gaps in previous regulations by focusing on product cybersecurity, a critical area in today’s interconnected world.
- Who is affected: Any manufacturer, importer or distributor of products with digital elements intended for use in the EU market.
- Wide Business Impact: The CRA covers the entire product lifecycle, thereby impacting multiple business areas.
- No Grandfathering: There will be no grandfathering provisions – even existing products must comply with the CRA once in force.
- Don't wait: If you expect to fall under the CRA, it's essential to align with the requirements as soon as possible. Early preparation will position your business for success.
At Advisense we have the expertise and experience to offer our clients a superior integrated approach to cybersecurity risk management
We assist a range of companies to navigate the complex and ever-evolving cybersecurity regulatory landscape, providing guidance under key frameworks such as NIS2, DORA, the AI Act and the Cyber Resilience Act. We have solutions tailored to all our clients affected by the CRA.
We are also experts in the manufacturing sector's unique challenges, including operational technology (OT) security, product integrity and AI-driven processes. Leveraging our broad expertise, we are well positioned to integrate cybersecurity into related regulatory frameworks central to the manufacturing industries.
With a deep understanding of EU digital strategies, we help future-proof your business against emerging cyber-risks and regulatory demands. From comprehensive gap analysis and system audits to implementing practical, cost-effective risk management frameworks, our in-house cybersecurity and legal tech experts work together to ensure compliance and transform regulatory challenges into opportunities for growth and a sustained competitive advantage.
Curious about the CRA and how we can assist? Get in touch: