What is the European Cyber Resilience Act (CRA)?
The Cyber Resilience Act is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. Manufacturers are now obliged to take security seriously throughout a product’s life cycle.
Digital hardware and software products constitute one of the main avenues for successful cyberattacks. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes.
Before the European Cyber Resilience Act, the various acts and initiatives taken at Union and national levels only partially addressed the identified cybersecurity related problems and risks, creating a legislative patchwork within the internal market.
This increased legal uncertainty for both manufacturers and users of those products, and added an unnecessary burden on companies to comply with a number of requirements for similar types of products.
The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market.
Two major problems are addressed:
1. The low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.
2. The insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors.
As a result, even hardware and software considered less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems.
Examples of products with digital elements
End devices
- laptops
- smartphones
- sensors and cameras
- smart robots
- smart cards
- smart meters
- mobile devices
- smart speakers
- routers
- switches
- industrial control systems.
Software
- firmware
- operating systems
- mobile apps
- desktop applications
- video games
Components (both hardware and software)
- computer processing units
- video cards
- software libraries
Examples of cyberattacks exploiting weaknesses in the security of products with digital elements
- The Pegasus spyware, which exploited vulnerabilities in mobile phones.
- The WannaCry ransomware, which exploited a Windows vulnerability that affected computers across 150 countries.
- The Kaseya VSA supply chain attack, which used network administration software to attack over 1000 companies.
10 October 2024 - The Council adopted the European Cyber Resilience Act (CRA)
The Council adopted the new law on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market.
The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.
Next step:
The act will be signed by the presidents of the Council and of the European Parliament, and will be published in the EU’s official journal in the coming weeks. The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force with some provisions to apply at an earlier stage.
4 April 2024 - Paper: "Cyber Resilience Act (CRA) Requirements Standards Mapping" - from ENISA and the European Commission’s Joint Research Centre.
The Cyber Resilience Act (CRA) proposal covers all products with digital elements put on the market which can be connected to a device or a network, including their building blocks (i.e., hardware and software), and encompassing also solutions provided in a Software as a Service (SaaS) fashion if they qualify as remote data processing solutions, as defined by Article 3(2) of the CRA proposal.
The CRA proposal provides two sets of essential requirements:
- Product cybersecurity requirements in Annex I, Section 1 of the CRA proposal,
- Vulnerability handling process requirements in Annex I, Section 2 of the CRA proposal.
These requirements should be the subject of a standardisation process by the European Standardisation Organizations (ESOs) to express them in the form of specifications in harmonised standards.
This report details the available standardisation outputs on the cybersecurity of products (hardware and software products, including hardware and software components of more complex products) carried out mainly by ESOs and international Standards Development Organizations (SDOs). Specifically, the study aims to present a mapping of the existing cybersecurity standards against the essential requirements listed in Annex I of the CRA proposal, along with a gap analysis between the mapped standards and the requirements.
12 March 2024 - The European Parliament approved the Cyber Resilience Act.
The Cyber Resilience Act was approved with 517 votes in favour, 12 against and 78 abstentions.
Text adopted: "European Parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (COM(2022)0454 – C9-0308/2022 – 2022/0272(COD))".
https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html
Next step: It must be formally adopted by the Council.
1 December 2023 - Political agreement on the Cyber Resilience Act.
The European Commission welcomes the political agreement reached between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.
The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.
Update, July 2023 - Agreement reached in the European Council.
The Council’s common position maintains the general thrust of the Commission’s proposal, namely as regards:
- Rules to rebalance responsibility for compliance towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market, including obligations like cybersecurity risk assessment, declaration of conformity, and cooperation with competent authorities.
- Essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes.
- Measures to improve transparency on security of hardware and software products for consumers and business users, and a market surveillance framework to enforce these rules.
What is next?
After the Council’s common position ('negotiating mandate'), we will have negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.
Update, September 2022 - Proposed Articles of the European Cyber Resilience Act (CRA)
The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.
Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.
Such products suffer from two major problems adding costs for users and society:
- a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and
- an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.
Two main objectives were identified aiming to ensure the proper functioning of the internal market:
- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Four specific objectives were set out:
1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
3. Enhance the transparency of security properties of products with digital elements, and
4. Enable businesses and consumers to use products with digital elements securely.
Understanding the European Cyber Resilience Act (CRA)
The European Cyber Resilience Act (CRA) aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
The relevant Union legislation that is currently in force comprises several sets of horizontal rules that address certain aspects linked to cybersecurity from different angles, including measures to improve the security of the digital supply chain. However, the existing Union legislation related to cybersecurity does not directly cover mandatory requirements for the security of products with digital elements.
The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products.
The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level. The Union regulatory landscape should be harmonised by introducing cybersecurity requirements for products with digital elements. In addition, certainty for operators and users should be ensured across the Union, as well as a better harmonisation of the single market, creating more viable conditions for operators aiming at entering the Union market.
At Union level, various programmatic and political documents, such as the EU’s Cybersecurity Strategy for the Digital Decade, the Council Conclusions of 2 December 2020 and of 23 May 2022 or the Resolution of the European Parliament of 10 June 2021, have called for specific Union cybersecurity requirements for digital or connected products, with several countries around the world introducing measures to address this issue on their own initiative. In the final report of the Conference on the Future of Europe, 18 citizens called for “a stronger role for the EU in countering cybersecurity threats”.
To increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements for these products that apply horizontally.
Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements are designed and developed in accordance with the essential requirements laid down in this Regulation.
This includes both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.
By setting cybersecurity requirements for placing on the market products with digital elements, the cybersecurity of these products for consumers and for businesses alike will be enhanced. This also includes requirements for placing on the market consumer products with digital elements intended for vulnerable consumers, such as toys and baby monitors.
Update, May 2022 - European Cyber Resilience Act
According to the European Commission work programme for 2022, a proposal on a European cybersecurity resilience act (legislative) will be published in Q3 2022. The aim is to establish common standards for cybersecurity products.
According to the European Commission:
"The pandemic has served as a catalyst for the accelerating digitalisation of Europe and the world. The Commission will follow up on its path to the digital decade to deliver on the EU’s digital transformation by 2030. We are determined to lead the way in the global race for trustworthy, secure and human-centric technology. And we will work to reach agreement on and implement our proposals for a safe and secure internet, a European digital identity and on trustworthy Artificial Intelligence.
The single market remains at the core of an innovative, prosperous and future-oriented European economy. Strong and effective competition policy and enforcement are needed to contribute to a resilient recovery and the twin transitions. Against this background, the Commission has launched a review of competition policy to ensure that the various instruments are fit for purpose. We will also come forward with a single market emergency instrument to help prevent future disruptions.
Despite many challenges and disruptions, Europe came through the crisis in large part due to its innovative skills, its strong industrial base and its diversified and competitive supply chains. However, in a few strategic sectors, it has been vulnerable due to high dependency on a very limited number of non-EU suppliers, especially in relation to raw materials. This is particularly apparent when it comes to semi-conductors.
Supplies of these chips which power Europe’s digital solutions have become a real concern for EU industry, with cases of production being slowed down. Against this background, we will adopt a European chips act to promote a state-of-the-art European chip ecosystem to boost our innovative capacity, security of supply and develop new markets for ground-breaking European tech.
With the economy and society relying more and more on digital solutions, we need to ensure that we can defend ourselves in a world increasingly prone to hacking of connected products and associated services. To this end, we will propose a European cyber resilience act to establish common cybersecurity standards for products. We will also begin building an EU space-based global secure communications system, offering EU-wide broadband connectivity where it currently does not exist and secure and independent communications to Member States.
As the energy sector will be the biggest contributor in meeting the EU’s climate target of reducing emissions by at least 55 percent by 2030, the Commission will propose an action plan for an accelerated digital transformation of the sector, which is needed to ensure the shift towards renewables, connected mobility, smart buildings, and a more integrated energy system with consumers at its core. The wide-scale energy disruptions in the US and the EU over the past year show the need for resilient and cyber-secure energy.
For European citizens to benefit to the full from digital technology, the provision of strong digital skills and education is key. This was highlighted as distance learning became the norm during the COVID-19 pandemic. And it is highlighted as a key target in the Digital Compass. To address the skills and knowledge gaps, we will propose measures to facilitate and promote digital skills in schools and higher education.
Research and innovation will play a key role in responding to the challenges facing us today. It will help deliver on Europe's recovery, based on economic growth that can drive the green and digital transitions. This will be essential for fair economic growth benefiting all regions and citizens, including rural areas. It is important to ensure that Europe remains at the frontier of science and at the forefront of new waves of innovation.
Digital solutions can also help support more integrated and sustainable mobility. We will propose an initiative on multimodal digital mobility services to address market gaps in the combined use of transport modes, including rail."
The European Commission invites citizens and organisations to share their views on the European Cyber Resilience Act
16 March 2022 - The European Commission has launched a public consultation to gather the views and experiences of all relevant parties on the forthcoming European Cyber Resilience Act.
First announced by President von der Leyen in her State of the Union Address in September 2021, the Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the market across the European Union. The results of the public consultation will feed into the Commission's proposal for legislation that is expected in the second half of this year.
Thierry Breton, Commissioner for Internal Market, said:
"To face today's diverse and sophisticated cyber-attacks we need advanced technology, secure infrastructure, and increased operational cooperation, as well as a common approach on cybersecurity benchmarks for products and services. We are looking forward to receiving input from all interested citizens and organisations to help us shape the new Cyber Resilience Act that will become a key part of the European strategic, policy and legislative framework in cybersecurity."
The Cyber Resilience Act will complement the existing EU legislative framework, which includes the Directive on the security of Network and Information Systems (NIS Directive) and the Cybersecurity Act, as well as the future Directive on measures for high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020.
The public consultation will be open for the coming 10 weeks, until 25 May 2022. In addition, the Commission has published a call for evidence to create an overview of the problems currently identified and possible ways to address them. The call for evidence will be open for comments in parallel with the public consultation, also for 10 weeks.
Problem the initiative aims to tackle:
In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain. This can lead to severe disruption of economic and social activities or even become life threatening. The lack of appropriate security in digital products and ancillary services is one of the main avenues for successful attacks.
When placing digital products or services on the market, vendors (e.g. hardware manufacturers, software developers, distributors and importers) often do not put in place adequate cybersecurity safeguards. The reasons for this can include:
(i) wanting to benefit from being the first to put a product or service on the market, due to network effects present in ICT markets;
(ii) lack of qualified security professionals; and
(iii) additional costs combined with lack of economic incentives.
Similarly, vendors’ response to vulnerabilities throughout their products’ lifecycle is too often inadequate. Moreover, vendors do not systematically provide information on product security (due to the lack of economic incentives), making it difficult for consumers to inform themselves and assess the security of the products and services they are using.
The current EU framework applicable to digital products comprises several pieces of legislation, including EU legislation on specific products covering safety-related aspects and general legislation on product liability.
However, the current legislation covers only certain aspects linked to the cybersecurity of tangible digital products and, where applicable, embedded software concerning these products.
The EU regulatory framework on products (e.g. the General Product Safety Directive and the Machinery Directive, both currently under review) does not prescribe specific cybersecurity requirements, e.g. covering the whole life cycle of a product.
‘Whole life cycle’ requirements are crucial in the case of digital products and ancillary services, as software needs to be updated on a regular basis.
In addition, the existing framework does not cover all types of digital products. In particular, the current framework fails to cover a variety of widely used hardware (e.g. hardware not falling under the Radio Equipment Directive or the Medical Devices Regulation).
Moreover, non-embedded software products are not addressed in the current framework, even though vulnerabilities in software products are increasingly serving as a channel for cybersecurity attacks, causing significant societal and economic costs.
Ursula von der Leyen, European Commission President, 2021 State of the Union address.
"If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. [...] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act."