Cyber Resilience Act

A new era in product cybersecurity

The European Cyber Resilience Act (CRA) was voted on in March 2024 by the EU Parliament, and will have a transition period of three years once adopted by the EU Council and promulgated in the EU Official Journal (OJ). This legal framework will set the cybersecurity requirements for hardware and software products with digital elements in the European Union (EU).

Once the CRA is enforced, manufacturers, importers, and distributors of hardware and software products in the EU market will have 36 months to adapt and comply with its requirements. Here’s what you need to know to better prepare for the CRA.

EU Cyber Resilience Act

  1. What is the Cyber Resilience Act?
  2. Why is it important?
  3. Who and what will be affected?
  4. What happens if your products fail to comply with the CRA?
  5. How can you start preparing?
  6. How can TÜV SÜD help you?
  7. Why choose TÜV SÜD?

WHAT IS THE CYBER RESILIENCE ACT?

The Cyber Resilience Act (CRA) is a legal framework that introduces mandatory EU cybersecurity requirements for hardware and software products throughout their life cycle. It applies to Product Digital Elements (PDEs), i.e. hardware and software products manufactured, imported, and distributed in the European Union (EU), such as laptops, mobile devices, sensors and cameras, routers, firmware, apps, video games, video cards, and computer processing units.

Ultimately, it aims to ensure that cybersecurity is built in whenever a product or piece of software with a digital component is brought to the EU market. The CRA regulation enforces CE marking for digital products to indicate compliance with the new standards.

The primary goal of the CRA is to ensure that products with digital elements have fewer security vulnerabilities, and that manufacturers, importers, and distributors properly manage cybersecurity throughout a product's life cycle. The CRA aims to enhance user trust and protection by improving transparency on the security and reliability of hardware and software products.


WHY IS IT IMPORTANT?

At its core, the CRA represents a comprehensive approach to strengthening the cybersecurity posture of nations, businesses, and critical infrastructure in the EU. By introducing mandatory security requirements throughout the life cycle of hardware and software products, the CRA strengthens the cybersecurity of connected devices, making the EU a safer and more resilient continent.

Who and what will be affected?

The CRA will affect manufacturers, importers, and distributors of hardware and software products in the EU market. To better comply with the CRA’s requirements, you need to understand whether your product falls within the scope of its legal framework.

The CRA applies to any software or hardware product and its remote data processing solutions, including software or hardware products with a digital component. It has a proposed classification scheme that categorises products as non-critical or critical based on their perceived risk levels:

  • Non-critical products include approximately 90% of products with digital elements, including hard drives, smart home assistants, and other connected devices. Manufacturers in this category must conduct self-assessments to check if their products meet the CRA’s requirements.
  • Critical products are categorised further into class I and class II products under CRA:
    • Class I products include identity management; standalone and embedded browsers; password managers; software that searches for, removes, or quarantines malicious software; products with digital elements and with the function of a virtual private network (VPN); network management systems; etc.
    • Class II products include hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments; firewalls, intrusion detection and/or prevention systems; tamper-resistant microprocessors; and tamper-resistant microcontrollers.

While the CRA is large in scope, it does not apply to the following:

  • Non-commercial projects, including open-source software, as long as it is not part of a commercial activity
  • Services, such as cloud computing services and Software-as-a-Service (SaaS) business models
  • Highly regulated products and industries, especially those that are already sufficiently regulated on cybersecurity, such as automotive products, medical devices, in vitro diagnostic medical devices, certified aeronautical equipment, and products developed exclusively for national security or military purposes

What happens if your products fail to comply with the CRA?

Non-compliance for class I and class II products under CRA could lead to the imposition of fines, with the most severe penalty being up to EUR 15,000,000 or 2.5% of the offender’s worldwide annual turnover.

Furthermore, authorities may order the withdrawal of a non-compliant product from the market or restrict its distribution. The market surveillance authorities will also conduct "sweeps" to detect any infringements of CRA regulations.

Adherence to the CRA's essential cybersecurity and vulnerability handling requirements is of the utmost importance for all digital products, including those in the lower-risk class I category. Doing so avoids severe penalties and keeps manufacturers, importers, and distributors compliant with EU cybersecurity legislation.

HOW CAN YOU START PREPARING?

With the CRA, manufacturers, importers, and distributors of digital products in the EU are urged to consider and embed cybersecurity throughout a product’s life cycle. You can take action now to stay compliant. Here’s what you can do to start preparing for the CRA before it comes into force:

  • Conduct a thorough review of your products
  • Identify any potential security vulnerabilities
  • Create a security development lifecycle (SDL) that covers security requirements, design, implementation, testing, and maintenance
  • Implement a vulnerability handling process that also provides the necessary information to users
  • Comply with incident reporting obligations and institute a process that reports any actively exploited vulnerabilities or any significant security incidents to the relevant authorities
  • Learn more about the interplay between the CRA and other regulatory frameworks in the EU, such as the General Data Protection Regulation (GDPR), the Radio Equipment Directive (RED), and the proposed new Product Liability Directive

Navigating complex requirements can be challenging, with potential pitfalls at every turn. For a successful approval process, a seasoned specialist on board is indispensable.

TÜV SÜD can help you

As a leader in product cybersecurity testing, TÜV SÜD has developed the expertise to assess the security and reliability of products, thereby reducing vulnerabilities and incidents and improving user trust. We have a range of cybersecurity services that can help you prepare for the CRA, adhere to the EU cybersecurity legislation, and obtain CE marking for your Product Digital Elements (PDEs):

  • Training and consultation
    We provide training and consultation to help manufacturers improve and align their cybersecurity policies and practices with the CRA.
  • Compliance assessments
    We conduct assessments to help manufacturers understand the CRA's requirements and evaluate their products for compliance.
  • Vulnerability management
    We help manufacturers identify and manage product vulnerabilities, which the CRA requires.
  • Third-party assessments
    We offer third-party assessment services, which are mandatory for higher-risk products, to verify compliance with the CRA.
  • Incident reporting support
    We help manufacturers establish processes for incident reporting, which the CRA requires.

Why choose TÜV SÜD?

TÜV SÜD is a leader in product cybersecurity testing. From cyber risk assessments to security certification projects, our industry experts have successfully helped companies improve their cybersecurity. With our experts’ first-hand knowledge of global cybersecurity standards, we can help you prepare and meet CRA requirements every step of the way.

With a structured approach to cybersecurity honed from decades of experience, domain-specific know-how, and regulatory expertise, TÜV SÜD supports companies across various sectors. By helping organisations comply with global cybersecurity standards, TÜV SÜD ensures our clients can access markets worldwide.

Prepare for the CRA with TÜV SÜD today. Contact us to learn more about our cybersecurity services.
