Cyber Resilience Act

Adopted on March 12, 2024, the Cyber Resilience Act (CRA) represents a step change in the cybersecurity landscape in Europe.

This ambitious legislation aims to significantly strengthen protection against cyber threats by establishing binding requirements for manufacturers, distributors and users of digital products within the EU.

What is the Cyber Resilience Act?

The CRA can be summarized in three points:

  • Extensive coverage: The CRA applies to a wide range of everyday connected products, from smartphones and computers to connected objects and software.
  • Shared responsibility: The law divides cybersecurity responsibilities between manufacturers, distributors and even end users. Everyone plays a role in maintaining product security.
  • Lifecycle security: The CRA is not limited to the initial design of the product. It requires manufacturers to integrate security from the development phase, to offer regular security updates to counter new threats, and to provide a clear reporting procedure in the event of an incident.

The timeline of the CRA law

September 2021

In September 2021, the President of the European Commission, Ursula von der Leyen, delivered a State of the Union address.

In this speech, she addressed cyber-resilience: “If everything is connected, everything can be hacked. Since resources are scarce, we must regroup our forces. […] This is why we need a European cyber defense policy, including legislation setting common standards under a new European Cyber Resilience Law.”

March 16, 2022

On March 16, 2022, the European Commission opened a major public consultation to bring together the opinions and experiences of all stakeholders affected by cybersecurity.

This initiative aimed to feed into the development of the European regulation on cyber-resilience.

May 2022

As part of its work program for 2022, the European Commission announced the publication of a proposed law on cybersecurity resilience during the third quarter of 2022.

This legislative proposal aims to establish common cybersecurity standards for all digital products marketed within the European Union.

September 2022

In September 2022, the draft articles of the future European Cyber Resilience Act were proposed.

July 2023

On July 21, 2023, European Union member states reached agreement on the proposed European Cyber Resilience Act.

This agreement marks an important step in strengthening cybersecurity in Europe.

December 1, 2023

A big step towards a more cyber-resilient Europe: the European Commission welcomed the political agreement on the Cyber Resilience Act, which aims to strengthen the security of digital products.

The law still needs to be formally approved by Parliament and the Council, but is scheduled to come into force in 2024. Companies will then have 36 months (or 21 months for incident reporting) to comply with the new requirements.

March 12, 2024

The European Parliament approved the Cyber Resilience Act with 517 votes in favor, 12 against and 78 abstentions.

The text must still be formally validated by the European Council.

April 4, 2024

Publication of the document “Cyber Resilience Act (CRA) Requirements Standards Mapping” by ENISA and the Joint Research Centre of the European Commission.

Scope of application of the CRA: The proposed regulation (CRA) targets all products with digital elements placed on the European market and capable of connecting to a device or network. This includes hardware, software, and even Software as a Service (SaaS) solutions that process data remotely.

CRA Requirements: The CRA proposal defines two sets of essential requirements:

  1. Cybersecurity requirements for products: These requirements, detailed in Annex I, Section 1 of the proposal, aim to ensure that digital products are designed and developed securely.
  2. Vulnerability management requirements: These requirements, detailed in Annex I, Section 2 of the proposal, require manufacturers to have processes in place to identify, report, and remediate vulnerabilities in their products.

Find the document here.

What are the objectives of the Cyber Resilience Act?

The main objectives of the Cyber Resilience Act are:

  1. Strengthening security from the design stage of digital products.
  2. Improved transparency of security information.
  3. Strengthening incident notification obligations.
  4. Establishment of a more robust market supervision system.
  5. Improved cooperation between EU member states.

Strengthening security by design for digital products

Manufacturers will need to integrate security measures from the design phase of their products, following a secure life cycle.

This includes managing risks, securing hardware and software components, and establishing secure update and maintenance processes.

Improved transparency of security information

Manufacturers will need to provide clear and accessible information about the security properties of their products, allowing users to make informed choices regarding cybersecurity.

This includes information about security features, known vulnerabilities and remediation measures in place.

Strengthening incident notification obligations

Manufacturers and distributors will be required to promptly report major cybersecurity incidents affecting their products to the relevant authorities.

This will allow authorities to take rapid action to limit damage and inform potentially affected users.

Establishing a more robust market supervision system

European authorities will have new tools and strengthened powers to monitor the market and ensure compliance with CRA requirements.

This includes carrying out audits, inspections and investigations, as well as the possibility of imposing sanctions in the event of non-compliance.

Improved cooperation between EU Member States

The CRA encourages increased collaboration between national cybersecurity authorities.

This will enable more effective information sharing, coordination of incident responses and a harmonized approach to law enforcement.

Who is affected by the Cyber Resilience Act?

The main players targeted by the CRA are manufacturers and importers; distributors, for their part, are indirectly impacted.

Manufacturers

The CRA imposes the responsibility on manufacturers of connected products to integrate security by design and throughout the life cycle of their products. Here are the concrete obligations:

  • Conducting a cybersecurity risk analysis to identify potential product vulnerabilities.
  • Designing the product with these risks in mind, implementing appropriate security measures to mitigate them.
  • Providing regular security updates to fix vulnerabilities discovered after release.
  • Notifying the competent authorities and users in the event of serious security breaches.
  • Retaining detailed technical documentation on product security for a given period.

Importers

The CRA also makes importers who place connected products manufactured outside the EU on the European market responsible. They will have to ensure that these products meet the same cybersecurity requirements as those designed by European manufacturers. This involves in particular:

  • Requiring technical documentation from foreign manufacturers demonstrating product compliance with CRA requirements.
  • Carrying out random checks to verify the accuracy of this documentation.
  • Alerting the competent authorities when non-compliance is detected.

Distributors

Although distributors (resellers) are not subject to the strictest obligations of the CRA, they will still have to take into account the cybersecurity of the products they sell.

Which products are affected by the CRA?

The definition provided by the CRA is quite broad and aims to include any product that integrates software or connects to the internet, with the exception of a few specific cases.

Here are some concrete examples of impacted products:

Consumer products

  • Smartphones, laptops, tablets.
  • Smart speakers, connected watches.
  • Connected toys, intelligent robot vacuum cleaners.
  • Connected thermostats, IP surveillance cameras.
  • Smart TVs, connected refrigerators.

Professional products

  • Remotely controlled industrial equipment (robots, machine tools).
  • Surgical robots and other connected medical devices.
  • Building management systems (BMS) and industrial automation.
  • Business management (ERP), accounting and customer relationship management (CRM) software.
  • Online collaborative tools and videoconferencing platforms.

Digital Services

  • Online commerce platforms (marketplaces).
  • Online banking services and payment platforms.
  • Social networks and content sharing platforms.
  • Cloud computing and online data storage services.
  • Websites and mobile applications offering digital services.

Products excluded from the scope

  • Unconnected products: Kitchen utensils, furniture, etc.
  • Pure software: Downloadable antiviruses, operating systems, etc. (unless they are integrated into a physical product).
  • Products manufactured before the entry into force of the CRA.

What are the sanctions incurred in the event of non-compliance?

The sanctions provided for by the CRA are multiple and can be very heavy for non-compliant companies. They include:

  • Administrative fines of up to 2.5% of the company’s total global annual turnover or an amount of €15 million, whichever is greater.
  • The obligation to put an end to the non-compliance observed, under penalty of daily financial penalties.
  • Restriction or prohibition of the making available on the market of the non-compliant product.
  • The recall or withdrawal of the non-compliant product already placed on the market.

What are the impacts of the Cyber Resilience Act?

Positive impacts of the CRA

Improving security of digital products

Enhanced security requirements
  • Manufacturers will need to implement security measures throughout the product lifecycle, from design to end-of-life update.
  • This includes measures to protect against common attacks, such as code injections, memory overflows, and denial of service attacks.
  • The products must also comply with recognized security standards.
More secure products from the start
  • A focus on security from the design phase should lead to a reduction in the number of vulnerabilities in digital products.
  • This should make it more difficult for attackers to target these products.
Lifetime security updates
  • Manufacturers will be required to provide regular security updates for their products, even after commercial support ends.
  • This will help fix vulnerabilities discovered after the products are released to the market.

Strengthening transparency for consumers

Better information on security capabilities
  • Manufacturers will need to provide consumers with clear and accessible information about the security features of their products.
  • This will enable consumers to make informed choices when purchasing digital products.
Security labeling
  • The European Commission is responsible for developing a security labeling system for digital products.
  • This labeling will allow consumers to easily compare the security level of different products.

Increased cooperation between authorities

Creation of a European cybersecurity center
  • This center will be responsible for coordinating Member States’ cybersecurity efforts.
  • It will also facilitate the sharing of information on threats and vulnerabilities.
Improved collaboration between Member States
  • The CRA provides for a number of measures to improve collaboration between Member States on cybersecurity.
  • This includes sharing resources and expertise, as well as coordinating cyberattack investigations.

Negative impacts of the CRA

Administrative and financial burden for businesses

Compliance costs
  • The new CRA requirements could prove costly for businesses, particularly SMEs.
  • These costs could include implementing new security measures, training staff and conducting security audits.
Administrative complexity
  • Businesses may find it difficult to comply with the complex requirements of the CRA.
  • This could lead to increased legal and advisory costs.

Complexity of implementation

Definition of security requirements
  • It might be difficult to define specific security requirements for each category of digital products.
  • This could lead to inconsistencies in implementation between Member States.
Burden of proof
  • It may be difficult for businesses to demonstrate compliance with CRA requirements.
  • This could lead to disputes between companies and national authorities.

Risk of stifling innovation

Strict requirements
  • Overly strict security requirements could hinder the development of new digital products and services.
  • Businesses may be less likely to innovate if they have to comply with costly and complex requirements.
Lack of flexibility
  • The CRA may not be flexible enough to adapt to ever-changing threats and technologies.
  • This could make European products less competitive on the global market.