What is the Cyber Resilience Act? The act is an EU regulation that aims to tackle low cyber security levels and make it easier for consumers to identify and choose secure digital products. First announced in the 2020 EU Cybersecurity Strategy, it’s the cyber security equivalent of GDPR and complements other cyber security legislation, like the NIS2 Directive.
The Act (also referred to as the CRA) applies to the vast majority of digital products sold in the EU—from operating systems to baby monitors—and when it comes into force in 2024, affected companies will have 36 months to adapt to the new requirements and become compliant.
At the minute, many digital products lack robust security measures and it’s often impossible for ordinary consumers to assess the security of those products. The CRA addresses this by introducing:
- mandatory cyber security requirements for hardware and software products; and
- a CE marking on products to signify they’re compliant.
Requirements include vulnerability handling, security updates, software bill of materials (SBOMs), and reporting actively exploited vulnerabilities within 24 hours of becoming aware of them. By mandating these measures throughout the product lifecycle, the Act aims to:
- Minimize Vulnerabilities: Products entering the EU market must not have significant vulnerabilities that can be hacked.
- Enhance Transparency: Manufacturers must provide clear and transparent information to consumers on the cyber security of their products. This includes secure default configurations, protection mechanisms against unauthorized access, and encryption of sensitive data.
- Ensure Timely Security Updates: A key aspect of the CRA is the legal requirement for manufacturers to provide security updates for a defined period after purchase, reflecting the expected product lifespan.
The majority of digital products are likely to be self-regulated, but some products—like firewalls, SIEMs, operating systems, and smart meters—are held to more stringent cyber security requirements, including a third-party audit.
The open-source community has raised concerns about the Act, fearing its vulnerability reporting burdens. However, its final version does extend exemptions to non-profit OSS organizations. Other criticisms include potential disadvantages for EU businesses and uncertainties surrounding auditing and funding.
Will your product be affected by the CRA? If so, find out how to comply with the EU Cyber Resilience Act.
Need to get a jump on CRA? Find out how to simplify CRA compliance with the help of modern tooling.
