Blog

How to comply with the EU Cyber Resilience Act

Dec 8 2023/4 min read
How to comply with the EU Cyber Resilience Act
Picture of Ciara Carey
by Ciara Carey

This week, the European Union (EU) reached an agreement on the EU Cyber Resilience Act (CRA) akin to GDPR for cybersecurity. 

Set for adoption in 2024, the CRA aims to protect consumers from insecure digital products, introducing mandatory cybersecurity measures such as vulnerability disclosure, Software Bill of Materials (SBOMs), and security updates throughout the product life cycle.

The CRA covers a wide range of digital products, from operating systems to baby monitors. Companies affected by this Act have 36 months to comply, facing penalties of up to €15 million or 2.5% of global turnover for non-compliance.

While most digital products may self-regulate, some, like Firewalls, Operating Systems, or Smart Meters, face more stringent cybersecurity requirements.

Despite the welcome, the CRA sparked concerns, especially in the Open Source Software (OSS) community, fearing inadequate exemptions and burdensome vulnerability reporting. The final version addressed some worries by extending exemptions to non-profit OSS organizations. Additional criticisms focus on potential disadvantages for EU businesses and uncertainties regarding auditing and funding.

How to Comply

The CRA introduces the following requirements for digital products sold in the EU:

  • Security Updates and Support PeriodManufacturers must provide consumers with timely security updates for several years after purchase. The support period is designed to align with the expected lifespan of the products.
  • Vulnerability DisclosureManufacturers must disclose and patch vulnerabilities promptly and without charge. Manufacturers that discover a vulnerability in an OSS dependency will be required to notify the maintainer.
  • Actively exploited vulnerabilitiesManufacturers must report actively exploited vulnerabilities within 24 hours to both the competent Computer Security Incident Response Team (CSIRT) and The European Union Agency for Cybersecurity (ENISA) through a unified reporting platform. There are some narrow conditions where ENISA does not need to be informed, but they must receive adequate information to monitor systemic risks.
  • Software Bill of Materials (SBOM) Manufacturers must include a SBOM in a common format, detailing at least top-level dependencies. Manufacturers must provide the SBOM to both ENISA and market surveillance authorities.

Penalties for non-compliance

Member States will designate market surveillance authorities to enforce the EU Cyber Resilience Act. If a product is non-compliant, these authorities can: 

  • demand corrective actions;
  • restrict market availability; or 
  • order product withdrawal. 

Manufacturers can face fines of up to €15 million or 2.5% of their total worldwide annual turnover for non-compliance with essential cybersecurity requirements under the Cyber Resilience Act. For other obligations, fines can reach €10 million or 2% of the total annual turnover.

CE Marking

Products meeting the CRA’s essential requirements will receive the CE marking, signifying compliance with the Act's cybersecurity standards. 

This marking is necessary to place your product on the market within the European Union. 

Affected Products

The Regulation applies “all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.”
That’s a lot of products!

Most products are likely to self-regulate and apply the CE mark. However, the CRA specifies two categories of ‘critical products’ that are subject to more stringent requirements due to their higher perceived risk. These are divided into class I and class II, with class II products representing a greater risk. Manufacturers of class II products must involve a third party in their compliance assessment process.

Class I Products

These products are vital to the functioning of critical services and entities. Examples of Class I products include:

  • identity management systems software;
  • privileged access management software;
  • firewalls, intrusion detection/prevention systems;
  • microprocessors, microcontrollers;
  • industrial automation and control systems (IACS);
  • network management systems;
  • security information and event management (SIEM) systems; and
  • network traffic monitoring systems.

Class II Products

Class II are considered by the CRA to have a somewhat higher level of criticality compared to Class I. Examples of Class II products include:

  • operating systems for servers, desktops, and mobile devices;
  • hypervisors and container runtime systems;
  • public key infrastructure and digital certificate issuers;
  • secure elements, hardware security modules (HSMs);
  • smartcards, smartcard readers, and tokens;
  • robot sensing and actuator components; and
  • smart meters.

Exempted products 

Not every digital product must comply with the new Regulation. Here are the exceptions.

SaaS 

The EU Cyber Resilience Act does not apply to Software-as-a-Service (SaaS) products. 

Open Source 

Earlier drafts of the Act had an exemption for OSS individuals, but there was a gray area. It was unclear whether OSS organizations and contributions that could be deemed commercial would be exempt.

The final draft of the CRA now exempts free and open-source software developed or supplied without commercial intent. Notably, non-profit organizations selling OSS but reinvesting revenues in non-profit activities are also excluded. This exclusion protects the open-source community from unnecessary regulatory burdens. 

Products already regulated

The proposed Regulation won't cover products with digital elements already regulated by specific laws, such as:

  • medical devices (Regulation EU 2017/745 and EU 2017/746) 
  • products certified under aviation safety (Regulation 2018/1139)
  • motor vehicle products (Regulation EU 2019/2144). 

National security 

Products developed or modified exclusively for national security or defense purposes are excluded from the scope of the regulation.

Conclusion

The EU Cyber Resilience Act represents a significant stride in strengthening digital security across the EU. 

By setting clear standards for cybersecurity, the EU aims to empower consumers, build trust in digital products, and establish itself as a global leader in cyber resilience. 

Will the CRA get the balance right between security and innovation? Will it suppress the use of OSS? Will it be overly burdensome for businesses, especially SMEs? Only when the Act is being implemented will we see the true impact on cybersecurity, innovation, and the broader digital landscape.

Simplify CRA compliance with the help of modern tooling like Cloudsmith.

Get our next blog straight to your inbox