The digital landscape is evolving rapidly, and with it comes the escalating threat of cyberattacks. To counter this, the European Union is taking a significant step forward with the development of the Cybersecurity Resilience Act (CRA). The CRA aims to establish stringent cybersecurity standards for products with digital elements manufactured and sold within the EU, enhancing user protection and harmonising regulations across member states.

As the CRA moves closer to finalisation, businesses need to start preparing now to meet these new requirements and ensure their products are compliant. This article provides an overview of the CRA, detailing its core requirements and the proactive measures companies should take to align with the upcoming regulations.

What is the CRA?

The Cybersecurity Resilience Act (CRA) is a legislative framework, currently being developed by the European Union, aimed at strengthening the cybersecurity standards for certain products with digital elements manufactured and sold within the EU.

The CRA requires manufacturers to design and produce these devices in accordance with cybersecurity standards. The overarching goal is to enhance user protection. These products might be vulnerable to cyberattacks, allowing hackers to enter the user’s home network and access other devices in the network to steal their personal data. The CRA will also help harmonise regulations across different member states.

What are the requirements set out by the CRA?

The CRA sets out specific security requirements that all products with digital elements must meet and puts emphasis on proactive cybersecurity measures. These include secure design, secure development, and secure production processes, ensuring that cybersecurity is integrated throughout the product lifecycle. Below are some of them:

Security by design

The CRA emphasises the principles of security by design and by default, meaning that products must be designed and configured with security features from the outset. This approach includes conducting a risk assessment to identify potential threats and vulnerabilities that could be exploited by cybercriminals. The risk assessment will help manufacturers better protect their products, and thus their users.

Regular security updates

Manufacturers will be required to monitor for new cyber threats and methods of cybercrime, and provide regular security updates to address any identified vulnerabilities. These updates must be made available for a specified period, ensuring that products remain secure over time.

Vulnerability handling

The CRA mandates the implementation of processes for handling vulnerabilities, including procedures for identifying, reporting, and mitigating vulnerabilities in a timely manner. This includes a requirement for manufacturers to establish vulnerability disclosure policies.

Compliance and conformity assessments

Products must undergo conformity assessments to ensure they meet the cybersecurity requirements set out in the CRA. These assessments may include self-assessments by manufacturers or third-party evaluations, depending on the product’s risk level.

Incident reporting

Manufacturers will be required to report significant cybersecurity incidents and vulnerabilities to a centralised EU database. This enables authorities to track and respond to emerging threats more effectively and helps in the dissemination of information about known vulnerabilities.

Market surveillance and enforcement

The CRA empowers national authorities to conduct market surveillance and enforcement actions. This ensures that non-compliant products are identified and removed from the market, maintaining high cybersecurity standards across the EU.

Information sharing

The CRA facilitates information sharing between manufacturers, authorities, and other stakeholders about cybersecurity threats, vulnerabilities, and incidents. This collaborative approach helps to enhance the overall cybersecurity posture of the digital ecosystem. The question of which manufacturers should report incidents to the appropriate authorities is governed by the NIS2 Directive.

User awareness and transparency

The CRA requires manufacturers to provide clear and accessible information about the cybersecurity features and limitations of their products. This helps users make informed decisions and encourages

When will the CRA come into force?

The exact date when the Cybersecurity Resilience Act (CRA) will come into force can vary depending on legislative processes and implementation timelines in different jurisdictions. Typically, once a law or directive like the CRA is passed, there may be a transition period before full enforcement begins. The anticipated timeframe for enforcement is likely around the year 2026 or 2027.

What actions should companies start taking to prepare for the CRA?

Firstly, businesses should conduct a comprehensive assessment of their current cybersecurity practices and capabilities to identify any gaps in meeting CRA requirements. This includes reviewing their product development processes to ensure integration of security-by-design principles.

Secondly, companies should establish or enhance their incident response plans to effectively detect, respond to, and recover from cyber incidents as mandated by the CRA.

Thirdly, they should initiate training programs for employees to increase awareness of cybersecurity risks and best practices. Additionally, businesses should engage with regulatory authorities and industry groups to stay informed about CRA updates and guidelines.

Lastly, they should begin implementing robust cybersecurity measures, such as regular security assessments and updates, to ensure ongoing compliance with the CRA’s standards. These proactive steps will help companies mitigate risks, enhance their cybersecurity posture, and align with regulatory expectations under the CRA.

Take first steps to ensure CRA compliance in a cost-effective way

The optimal way to ensure readiness for CRA compliance is to seek the assistance of cybersecurity experts who will prepare a strategy for implementing cybersecurity measures in your organisation. Spyrosoft can provide the necessary expertise and support to navigate the requirements effectively. We will not only assist you in selecting the best practices available on the market that align with the CRA, but also help implement them in an optimal and cost-effective manner, ensuring minimal impact on production and product costs.

About the author

Małgorzata Kruszyńska

Business Researcher