EU Cyber Resilience Act: Key Points

EU Cyber Resilience Act: Key Points

Navigating new regulations can often be complex, particularly when they impact your development and manufacturing processes. To aid in this, we have distilled the EU Cyber Resilience Act into its key points, providing you with an overview of the forthcoming landscape.

If you prefer to learn by watching, here is our CTO's talk on CRA hosted at Embedded World 2024.

Watch our CTO's Embedded World 2024 presentation on key elements of the act

What is the CRA?

The CRA is one of the first legislative proposals of its kind in the world that aims to improve the cybersecurity of products or software with a digital component which are ubiquitous in our daily lives (ranging from baby monitors, smartwatches, and video games to firewalls and routers) as well as to allow consumers to make more informed choices when they select and use IoT devices.

Once the CRA is applied, all products within the scope of this regulation put on the EU market, whether supplied by an EU company or an external one, will have to be secure from a cybersecurity standpoint.

Who is impacted by the CRA?

The Cyber Resilience Act (CRA) is a game-changer for cybersecurity in the EU market, with significant implications for businesses operating within the region. This legislation primarily targets Original Equipment Manufacturers (OEMs) who design and manufacture devices with digital components. The aim is to establish a comprehensive set of requirements, ensuring these devices are built with security at the forefront from the very beginning.

But the impact of the CRA extends beyond EU-based OEMs. Because the Act applies to products sold within the EU market, regardless of the manufacturer's location, OEMs and their partners from other countries will also be affected. This includes authorized representatives, resellers, and distributors. These entities will need to implement processes to verify that the products they handle comply with the CRA's regulations. This collaborative approach across the entire supply chain strengthens the overall security posture of the digital landscape within the EU.

Product Classification under the CRA

The provisional agreement maintains the European Commission's risk-based approach and classifies product with digital elements (PDEs) into the categories below, depending on the level of risk associated with the product, and introduces differentiated levels of security assessments:

Default category – i.e., products without critical cybersecurity purpose (probably most products). These products will be subject to a “self-assessment” by the manufacturer.

Critical category – with two sub-categories:

(i) Class I – products that either: (i) primarily perform functions critical to the cybersecurity of other products, networks or services, or (ii) perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health and safety of a large number of individuals through direct manipulation, such as a central system function, including network management, configuration control, virtualisation, processing of personal data. These products require the application of a standard form or third party-assessment to show conformity with regulatory obligations.

Examples: software that searches for, removes, or quarantines malicious software; public key infrastructure and digital certificate issuance software; general purpose operating systems; physical and virtual network interfaces; routers, modems intended for connections to the internet, and switches; microprocessors and microcontrollers.

(ii) Class II – products that meet (i) and (ii) criteria listed above. These products must complete a third-party conformity assessment.

Examples: products with digital elements that support virtual private network (VPN) functions such as VPN server and clients.

The CRA specifically targets economic operators involved with products that include digital elements (PDEs). This encompasses manufacturers, authorized representatives, importers, and distributors, with a pronounced focus on manufacturers. Here are the key obligations:

  • Risk Assessment: Manufacturers are mandated to continuously assess and mitigate risks associated with their PDEs throughout the product's lifecycle.
  • Monitoring and Updates: Post-market, manufacturers must vigilantly monitor products for cybersecurity risks and promptly roll out updates, free of charge, for at least five years. If vulnerabilities are detected, immediate action is required.
  • Reporting: There is a stringent requirement to report any exploited vulnerabilities and incidents to national authorities via ENISA within 24 hours for early warnings and 72 hours for complete notifications.
  • Transparency: Comprehensive technical documentation and user-friendly instructions must be provided, ensuring that end-users are well informed about the security features of the products.

How Exein Supports Compliance with the CRA

Understanding and adhering to these new regulations can be daunting for manufacturers. This is where Exein comes in. Specializing in IoT security solutions, Exein offers a robust suite of tools designed to help manufacturers not only comply with the CRA but also enhance their product security posture:

  • Security Posture Assessment: Before IoT devices hit the market, Exein’s assessment tools scrutinize them to ensure they are devoid of vulnerabilities.
  • Runtime Threat Detection and Response: Exein’s capabilities extend to real-time, providing dynamic protection against external threats across various platforms, from Docker to RTOS.
  • Threat Intelligence: Leveraging the power of generative AI, Exein makes all relevant security information and documentation about devices readily accessible through an intuitive platform.

Why IoT Security Matters More Than Ever

The imperative for stringent IoT security is underscored by the escalating scale and sophistication of IoT threats. IoT protection is not just about securing a single device but safeguarding an entire ecosystem that includes everything from personal smart devices to critical infrastructure components. Secure IoT devices are the cornerstone of not only consumer trust but also the foundational integrity of modern smart infrastructures.

The Cyber Resilience Act (CRA) marks a significant step towards a more secure digital landscape. In an era where IoT devices are becoming ubiquitous, manufacturers must prioritize security from the outset. By leveraging Exein's comprehensive IoT security solutions, manufacturers can achieve CRA compliance and strengthen their defenses against the dynamic threat landscape. Therefore, the path to a smarter, safer world is charted by the synergy between innovative cybersecurity measures and regulatory compliance.

The CRA Roadmap: A Timeline for Manufacturers

First proposed in September 2022, the Cyber Resilience Act (CRA) gained initial approval from the Council in December 2023 and was officially endorsed by the European Parliament in March 2024. With final adoption by the Council expected in November 2024, manufacturers will have a 36-month grace period to comply with the new regulations, except for incident and vulnerability reporting which requires a shorter 21-month window. This means manufacturers must have systems in place to report these issues by August 2026, with all other CRA requirements coming into effect by November 2027.

For inquiries about compliance solutions, contact us.
Share this post


Welcome to Exein blog! Here you will discover the latest updates on our company, including exciting news on our new partnerships, products and all things cybersecurity.