A new era in product cybersecurity
The European Cyber Resilience Act (CRA) was voted on in March 2024 by the EU Parliament, and will have a transition period of three years once adopted by the EU Council and published in the Official Journal of the EU (OJ). This legal framework will set the cybersecurity requirements for hardware and software products with digital elements in the European Union (EU).
Once the CRA is enforced, manufacturers, importers, and distributors of hardware and software products in the EU market will have 36 months to adapt and comply with its requirements. Here’s what you need to know to better prepare for the CRA.
EU Cyber Resilience Act
The Cyber Resilience Act (CRA) is a legal framework that introduces mandatory EU cybersecurity requirements for hardware and software products throughout their life cycle. It applies to Product Digital Elements (PDEs) or hardware and software products manufactured, imported, and distributed in the European Union (EU), such as laptops, mobile devices, sensors and cameras, routers, firmware, apps, video games, video cards, and computer processing units.
Ultimately, it aims to ensure that cybersecurity is built in from the outset when bringing products or software with a digital component to the EU market. The CRA enforces CE marking for digital products to indicate compliance with the new standards.
The primary goal of the CRA is to ensure that products with digital elements have fewer security vulnerabilities, and that manufacturers, importers, and distributors properly manage cybersecurity throughout a product's life cycle. The CRA aims to enhance user trust and protection by improving transparency on the security and reliability of hardware and software products.
At its core, the CRA represents a comprehensive approach to strengthening the cybersecurity posture of nations, businesses, and critical infrastructure in the EU. By introducing mandatory security requirements throughout the life cycle of hardware and software products, the CRA strengthens the cybersecurity of connected devices, making the EU a safer and more resilient continent.
The CRA will affect manufacturers, importers, and distributors of hardware and software products in the EU market. To better comply with the CRA’s requirements, you need to understand whether your product falls within the scope of its legal framework.
The CRA applies to any software or hardware product and its remote data processing solutions, including software or hardware products with a digital component. It has a proposed classification scheme that categorises products as non-critical or critical based on their perceived risk level.
While the CRA is large in scope, it does not apply to the following:
What happens if your products fail to comply with the CRA?
Non-compliance for class I and class II products under the CRA could lead to fines, with the most severe penalty being up to EUR 15,000,000 or 2.5% of the offender’s worldwide annual turnover.
Furthermore, authorities may order the withdrawal of a non-compliant product from the market or restrict its distribution. Market surveillance authorities will also conduct "sweeps" to detect infringements of the CRA.
Adherence to the CRA's essential cybersecurity and vulnerability handling requirements is therefore essential for all digital products, including those in the lower-risk class I category, so that manufacturers, importers, and distributors avoid severe penalties and remain compliant with EU cybersecurity legislation.
How can you start preparing?
With the CRA, manufacturers, importers, and distributors of digital products in the EU are urged to consider and embed cybersecurity throughout a product’s life cycle. You can take action now to stay compliant. Here’s what you can do to start preparing for the CRA before it comes into force:
Navigating complex requirements can be challenging, with potential pitfalls at every turn. For a successful approval process, having a seasoned specialist on board is indispensable.
As a leader in product cybersecurity testing, TÜV SÜD has the expertise to assess the security and reliability of products, thereby reducing vulnerabilities and incidents and improving user trust. We offer a range of cybersecurity services that can help you prepare for the CRA, adhere to EU cybersecurity legislation, and obtain CE marking for your Product Digital Elements (PDEs):
From cyber risk assessments to security certification projects, our industry experts have successfully helped companies improve their cybersecurity. With our experts’ first-hand knowledge of global cybersecurity standards, we can help you prepare for and meet CRA requirements every step of the way.
With a structured approach to cybersecurity honed from decades of experience, domain-specific know-how, and regulatory expertise, TÜV SÜD supports companies across various sectors. By helping organisations comply with global cybersecurity standards, TÜV SÜD ensures our clients can access markets worldwide.
Prepare for the CRA with TÜV SÜD today. Contact us to learn more about our cybersecurity services.