EU’s Cyber Resilience Act

As hardware and software products become increasingly interconnected and more vulnerable to cyber-attacks, with the global annual cost of cybercrime estimated at €5.5 trillion by 2021, the EU continues to improve its cybersecurity posture.

The proposal for a regulation on cybersecurity requirements for products with digital elements, also known as the Cyber Resilience Act (CRA) [1], is a European legal framework that lays down harmonized rules that promise to significantly improve the cybersecurity of hardware and software products. First announced in the EU’s 2020 cybersecurity strategy [2], the CRA represents a central piece of the EU’s ever-evolving cybersecurity landscape and will enhance the existing regulatory framework by complementing the directive on measures for a high common level of cybersecurity across the Union (NIS 2 directive) and the EU Cybersecurity Act.

As the regulation progresses through the final stages of the legislative procedure, it is crucial for all stakeholders, from manufacturers and retailers to end-users, to stay informed and prepare for its implementation.

Scope and Main objectives

The CRA outlines four key objectives: to ensure that manufacturers improve and maintain the security of products with digital elements by design and throughout their life cycle; to increase the transparency of the cybersecurity properties of the products; to enable their secure use; and to establish a coherent and easy-to-comply-with cybersecurity framework. Overall, the CRA is intended to protect consumers and businesses by establishing mandatory cybersecurity requirements for products with digital elements and to allow users to take cybersecurity considerations into account when selecting and using them [3].

Any product with digital components that is integrated into or connected to a larger electronic information system can be targeted by malicious actors; even hardware and software considered less critical can be used to initially breach a device or network, enabling attackers to gain access to a system or move across systems. Apart from a few exceptions (such as products already covered by existing EU legislation, e.g. on aviation and medical devices), the CRA applies to all products with digital elements, including hardware, software, and software as a service. Covering roughly anything that can be connected to a network or device along with its components, from laptops, smartphones, and smart devices to firmware, operating systems, mobile apps, and processing units, the CRA bridges an important regulatory gap that malicious actors have long exploited. Furthermore, by adopting a horizontal and homogeneous approach via harmonized rules, it also promises to unify the fragmented legal framework governing the cybersecurity of interconnected products, thus increasing legal certainty and facilitating compliance.

Essential cybersecurity requirements

Under CRA, primary obligations are imposed on manufacturers, requiring adherence to essential cybersecurity requirements, conducting conformity assessments, and promptly notifying competent authorities of identified vulnerabilities and serious cybersecurity incidents.

More specifically, the CRA establishes two sets of essential requirements that products with digital elements must meet, which may apply to different stages of the product's life cycle. The first set (Annex I, Section 1) relates to the properties of products and includes, amongst others:

  • Ensuring an appropriate level of cybersecurity based on the risks which must be analyzed and monitored throughout the lifecycle of the product;
  • Ensuring that products are delivered without any known exploitable vulnerabilities, e.g. by performing vulnerability assessments and fixes before release;
  • Ensuring that products will be delivered with a secure by default configuration;
  • Ensuring protection from unauthorized access by appropriate control mechanisms, including authentication, identity or access management systems; 
  • Ensuring protection of the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms; 
  • Minimization of the products’ own negative impact on the availability of services provided by other devices or networks; 
  • The provision of security related information by recording and monitoring relevant internal activity, which should be accessible to the privileged user.

The second set of essential requirements (Annex I, Section 2) covers vulnerability handling. Manufacturers of products with digital elements are mandated, amongst others, to:

  • Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product; 
  • Address and remediate vulnerabilities without delay, including by providing security updates; 
  • Apply effective and regular tests and reviews of the security of the product, and publicly disclose information about fixed vulnerabilities once a security update has been made available;
  • Put in place and enforce a policy on coordinated vulnerability disclosure; 
  • Take measures to facilitate the sharing of information about potential vulnerabilities in their product as well as in third-party components, including by providing a contact address for the reporting of vulnerabilities and for being reached by relevant authorities.

In line with the New Legislative Framework, the above broadly stated essential requirements will be concretized through the development of harmonized standards by the European Standardization Organizations, which will serve as reference specifications with which manufacturers can comply.

According to an analysis conducted by the European Union Agency for Cybersecurity (ENISA) [4] in support of the ongoing standardization activities, which identifies already existing cybersecurity standards and maps them to the different requirements, “a good international cybersecurity standardization base is already in place for serving the scope of the Cyber Resilience Act requirements, but harmonization is needed to ensure a homogeneous horizontal coverage” and to address identified gaps.

Enforcement

EU Member States shall appoint market surveillance authorities to oversee and enforce the regulation, while a dedicated cooperation group has also been established to ensure consistent application of the CRA across the EU. Furthermore, manufacturers are required to actively report actively exploited vulnerabilities and severe incidents to their national Computer Security Incident Response Team (CSIRT) and to the EU Agency for Cybersecurity (ENISA) to facilitate cross-border incident mitigation and collaboration. With fines potentially reaching up to €15 million or 2.5% of the total worldwide annual turnover, ensuring compliance with the CRA’s essential cybersecurity requirements is an absolute “must-have”.

Current state of play and way forward

The CRA was first proposed by the European Commission in September 2022. Notably, the proposal faced significant criticism from the open-source community, leading to amendments being released in December 2023 as part of a political agreement between the EU’s co-legislators. The European Parliament approved the CRA in March 2024. Awaiting formal adoption by the Council, the final version of the CRA is expected to be published in the EU’s Official Journal by late 2024. Most provisions of the CRA will become fully effective three years after publication, with reporting obligations for vulnerabilities taking effect 21 months later.

Concluding remarks

In an increasingly interconnected world, the Cyber Resilience Act aims to elevate the minimum level of cybersecurity for products with digital components and to build consumer trust. Similar to the impact of other landmark EU legislation such as the GDPR and the AI Act, the CRA is expected to have significant global implications. By setting a benchmark for international cybersecurity regulation, it has the potential to shape global standards for the security of digital products. As non-EU countries adopt similar regulations, a more unified global cybersecurity posture is likely to emerge. Additionally, companies outside the EU will need to comply with the CRA’s requirements to access the EU market. Ultimately, the CRA is expected to drive an emphasis on cybersecurity in product development, thereby strengthening overall cyber resilience on a global scale.

Author

Nikolaos Koulierakis – Eunomia Limited (EUNL)

References 

[1] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, COM/2022/454. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0454

[2] https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0

[3] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

[4] Hernandez Ramos, J.L., Karopoulos, G., Nai Fovino, I., Spigolon, R., Sportiello, L., Steri, G., Gorniak, S., Magnabosco, P., Atoui, R. and Crippa Martinez, C., Cyber Resilience Act Requirements Standards Mapping, Publications Office of the European Union, Luxembourg, 2024, doi:10.2760/905934, JRC137340.