The European Council adopted the European Cyber Resilience Act (CRA) on October 10, 2024, initiating the countdown to implementation. The CRA provides a legal framework requiring manufacturers and sellers of most connected devices who sell to the European market to meet specified security standards. Affected organizations now must take mandatory steps to manage product vulnerabilities and document compliance. These obligations apply to the entire product lifecycle and supply chain, including manufacturers, importers, and distributors.
In this blog, we'll provide an overview of what you need to know about the European Cyber Resilience Act if your company does business in the EU. We'll cover:
- What the European Cyber Resilience Act is
- What the themes and key provisions of the CRA prescribe
- Who's affected by the CRA
- How to achieve Cyber Resilience Act Compliance
What Is the Cyber Resilience Act?
The European Cyber Resilience Act provides a regulatory framework to promote the security of covered products with digital elements (PDE) such as smartphones, laptops, and connected TVs and appliances. Manufacturers, distributors, and importers of covered products must meet certain essential cybersecurity requirements during design, development, and production.
What Are CRA Requirements?
Manufacturers must conduct ongoing risk assessments, release products without exploitable vulnerabilities, and mitigate emerging vulnerabilities for five years of support. They must include a software bill of materials (SBOM) listing components and vulnerabilities in technical documentation and make it available to regulatory authorities upon request. Products must display a CE mark (European conformity mark) to assure buyers of compliance with CRA regulations.
Importers and distributors also have obligations. They must conduct due diligence to ensure that products conform to CRA requirements. They must inform manufacturers and authorities of detected vulnerabilities. They must retain records for 10 years after product release. They must keep authorities and consumers updated on product support discontinuations.
What Are CRA Goals?
CRA reflects growing concern about how connected products open the potential for security vulnerabilities to spread throughout supply chains. For example, the Kaseya VSA supply chain ransomware attack exploited network administration software to target over 1,000 companies. Previous legislation had addressed this issue partially in a piecemeal fashion and handled it inconsistently throughout EU member states. The new legislation aims to establish universal standards throughout the EU that close vulnerabilities and help consumers select safe products and securely use them.
What is the CRA Rollout Schedule?
CRA implementation will follow a gradual schedule. Now that the European Council has approved the legislation, it will be signed by the presidents of the Council and the European Parliament and published in the EU’s official journal. It will enter into force 20 days after publication, and implementation will roll out in stages over 36 months. Reporting obligations will go into effect 12 months after the act enters into force. Most of the regulations will apply 24 months after entering into force.
Cyber Resilience Act Themes and Key Provisions
The Cyber Resilience Act emphasizes a few main themes:
- Establishing cybersecurity rules to ensure the safety of connected hardware and software products on the EU market
- Using the established guidelines of the New Legislative Framework (NLF) to address cybersecurity issues
- Clarifying cybersecurity obligations for manufacturers, distributors, and importers
- Applying cybersecurity essentials throughout the product lifecycle from design and development through production for five years
- Harmonizing standards between EU member states
- Establishing conformity assessment standards distinguished by risk level
- Authorizing market surveillance and regulatory enforcement mechanisms
These principles inform the provisions of the Cyber Resilience Act. The CRA's provisions specify elements such as covered and excluded devices, software bills of materials, CE marking displays, regulatory enforcement authority, non-compliance penalties, and implementation schedules.
Covered and Excluded Devices
Devices covered by the Cyber Resilience Act include hardware devices, software devices, and component devices combining hardware and software elements.
To avoid redundancy and confusion, the Cyber Resilience Act does not cover certain excluded items governed by other legislation. For instance, it does not encompass connected cars, medical equipment, and aeronautical equipment.
Software Bill of Materials
As part of its vulnerability management requirements, the Cyber Resilience Act obligates manufacturers of covered products to identify and document the vulnerabilities and components their products contain, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at a minimum the top-level dependencies of the product. SBOMs and technical documentation must be created before products go to market and must be updated continuously throughout product support periods.
Conformity Assessment
Under the Cyber Resilience Act, before products can be placed on the EU market, they must undergo conformity assessment testing to ensure compliance. Products require different types of assessments based on the risk category they fall into, measured in terms of cybersecurity functionality, use, impact, and other criteria. PDEs fall into default, important, and critical categories:
- Most PDEs fall into a "Default" category which does not require third-party assessment but can be tested in-house. This category includes products such as word processors, smart speakers, and games.
- Class I and Class II PDEs are classified as "Important" applications that can seriously impact systems when disrupted or that represent cybersecurity functions. These categories require independent third-party assessment. Class I PDEs include products such as operating systems, virtual private networks, ID management systems, wearable health monitors, and smart home security products. Class II products include items such as firewalls, intrusion detection systems, and hypervisors.
- Some PDEs fall into the "Critical" category because essential services depend on them. This category includes products with advanced security functions, such as smartcards and smart metering systems. Critical PDEs must either conform to product-specific certification schemes or, if no scheme applies, they must follow the same testing criteria as Important PDE products.
When third-party assessments are required, they will be conducted by officially EU-designated bodies.
After successful conformity assessments, manufacturers must draw up a declaration of conformity to add to their SBOM. These records must be kept for more than 10 years or the length of the product lifecycle.
CE Marking Display
Following successful conformity assessment, products must feature a CE European conformity marking display when they go to market. This lets buyers know the product complies with CRA regulations. The CRA intends to help buyers select products based on cybersecurity risk.
CE markings must be displayed on products with digital elements visibly, legibly, and indelibly when possible. When this is not possible, CE markings must be affixed to packaging and to EU declarations of conformity. Markings must adhere to size and placement standards prescribed in the CRA. When products are subject to other legislation besides the CRA, CE markings should reflect this.
Regulatory Enforcement Authority
The Cyber Resilience Act prescribes that member states shall set up market surveillance authorities to enforce the act's provisions. Authorities will be empowered to compel companies to end non-compliance, restrict product availability, pull products from the market, and levy fines.
Non-compliance Penalties
Market surveillance authorities can find a manufacturer in formal non-compliance if CE markings are not affixed or are affixed incorrectly, if declarations of conformity have not been drawn up or have been drawn up incorrectly, if conformity assessment information is lacking, or if technical documentation is lacking.
Under the CRA proposal, non-compliance can incur administrative fines of up to €15 million or 2.5% of an organization's global annual turnover, whichever is greater. Organizations that mislead authorities face fines of €5 million or 1% of global annual turnover. When a company remains in persistent non-compliance, member state authorities can require the recall or withdrawal of non-compliant products from the EU market.
Implementation Schedule
The Cyber Resilience Act specifies that the regulation enters into force 20 days after publication in the Official Journal of the European Union. Reporting requirements apply 12 months after the act goes into force. The general act applies after 24 months.
Who’s Impacted by the Cyber Resilience Act?
The Cyber Resilience Act applies to the entire product lifecycle and supply chain, including manufacturers, importers, and distributors. Manufacturers must meet security requirements and provide documentation of compliance, including SBOMs and CE marks.
Importers and distributors must check products for conformity with CRA requirements. They must notify manufacturers and authorities of detected vulnerabilities, maintain records for 10 years after product release, and keep authorities and consumers updated on product support withdrawals.
How to Meet Cyber Resilience Act Compliance
Companies that do business in the EU can begin taking several proactive steps to achieve Cyber Resilience Act compliance before the act takes full effect:
- Take an inventory of products you manufacture, distribute, or import, including products in development, to identify ones that fall under the scope of the Cyber Resilience Act
- Review internal team communications processes to ensure all relevant team members are aware of CRA compliance obligations
- Review security policies and identify any gaps that need to be filled to meet CRA compliance
- Create a software bill of materials
- Gather other information required for technical documentation
- Conduct a vulnerability assessment
- Take steps to mitigate any vulnerabilities you identify
- Establish ongoing monitoring and reporting procedures to identify any emerging vulnerabilities so they can be documented and mitigated
Following these guidelines will help set you on a path toward achieving CRA compliance before non-compliance issues disrupt your business.
Achieve Cyber Resilience Act Compliance with Cobalt
With Cyber Resilience Act reporting requirements coming up fast, the sooner you begin preparing for compliance, the better. Taking an inventory of your products and assessing your vulnerability forms a foundation for compliance. Offensive security testing can assist with this process by helping you systematically map your attack surface and identify vulnerabilities you may have overlooked. This enables you to develop effective mitigation strategies so you can release a product free of vulnerabilities while positioning you to monitor and intercept emerging vulnerabilities.
Compliance pentesting can help you keep up with the Cyber Resilience Act and other ongoing regulatory changes with expert-led offensive security services. Our global team of vetted security experts can deliver audit-quality attestation reports based on any specs you require, including parameters geared toward Cyber Resilience Act compliance. Our collaborative platform and network of experienced testers can get you up and testing faster than anyone on the market. Our team of industry-leading pentesters works transparently with your team to achieve your compliance needs.
Don't wait until the deadline to start implementing Cyber Resilience Act compliance. Talk to our team about how you can start getting ready for CRA compliance today.