In March 2024, the European Parliament overwhelmingly approved the EU Cyber Resilience Act, or CRA, which will now be formally adopted with the goal of improving the cybersecurity of digital products. It sets out to do this by establishing essential requirements for manufacturers to ensure their products reach the market with fewer vulnerabilities.
Most of its provisions will likely become enforceable in 2027, which means now is the time to start preparing. So let’s take a quick look at this sweeping cybersecurity regulation.
What Products Are Impacted by CRA?
The CRA applies to any software or hardware product and its remote data processing solutions, as well as products with digital elements whose intended use includes a logical or physical data connection to a device or network. Essentially, it requires anyone publishing software to provide a minimum level of cybersecurity protection and reporting. There are exceptions for products already covered by legislation specific to certain industries, including medical devices, vehicles, and the military.
The CRA seeks to strengthen the detection and response to cybersecurity incidents by:
- Raising the level of cybersecurity across the EU;
- Requiring all software components to obtain the CE mark, making it a badge of cybersecurity assurance; and
- Holding organizations liable if found to be non-compliant.
Key Elements of CRA for Software Developers to Know
The European Commission issued eight annexes to supplement the CRA, and these supplemental elements provide insight into how the CRA expects organizations to increase cybersecurity. For example, Annex 1 outlines the Essential Requirements a product must meet before it can be introduced into the market. These are divided into Information Security and Vulnerability Management, and manufacturers will need documentation demonstrating compliance with both.
There are also Reporting Requirements that make it mandatory for software publishers to disclose vulnerabilities within 24 hours of (Read more...)