The EU Cyber Resilience Act (CRA) was formally approved by the European Parliament on March 29, 2024, following a political agreement reached in December 2023. The regulation establishes cybersecurity requirements for digital products to ensure their resilience against cyber threats and to provide for secure usage across the European Union (EU).
CRA Goals
The aim of the Act is to enhance the security of digital products and connected devices across the EU. Its primary goal is ensuring that hardware, software, and IT services sold in the EU meet robust security standards throughout their lifecycles.
Key elements of the CRA include:
Mandatory Security Requirements: Products must follow secure-by-design principles, and include regular software updates and remediation of vulnerabilities
Market Oversight: Manufacturers are required to assess and mitigate cybersecurity risks before their products ship
Accountability: Responsibilities are outlined for manufacturers, importers, and distributors to maintain product security
Enforcement and Penalties: Non-compliance can result in significant fines or mandatory product recalls
The CRA strives to bolster consumer confidence, reduce the risk of cyberattacks, and ensure a safer digital ecosystem in the EU. But it can create myriad challenges for device manufacturers, especially in testing and establishing compliance.
Target Domains - IoT and Beyond
The EU Cyber Resilience Act (CRA) is broad in scope, covering a wide range of digital products, including both Internet of Things (IoT) devices and general-purpose software.
Why IoT?
IoT devices often have weak security measures, are connected to networks, and can serve as entry points for cyberattacks. These devices are highly integrated into critical infrastructure, homes, and industries, making them a high-priority area.
CRA Requirements for IoT
Use of secure-by-design principles
Supply of regular updates to address vulnerabilities
Protection against unauthorized access and data breaches
General Software
The CRA also applies to non-IoT software, including
Operating systems
Office software and productivity tools
Cloud services and other general-purpose applications
Exemptions
The CRA exempts certain tech categories, such as
Open source software developed or shared without commercial intent (see next blog).
Products already regulated under more specific frameworks (e.g., EU Medical Devices Regulation or the General Data Protection Regulation (GDPR)).
Impact Beyond the EU
The CRA will likely have a significant influence outside the European Union, particularly because of the EU's global regulatory clout and the interconnectedness of the tech industry.
Global Supply Chains
Many tech products and software are developed and distributed globally. To access the EU market, companies outside the EU will need to ensure their products comply with CRA requirements. Such requirements will ultimately force international companies to adopt CRA standards globally to streamline operations and avoid maintaining separate compliance systems for the EU.
Regulatory Benchmarking
The CRA could establish a de facto global standard for cybersecurity, much like the EU General Data Protection Regulation (GDPR) has influenced privacy regulations worldwide. Countries and regions may look to the CRA as a template for their own cybersecurity legislation, harmonizing global standards and practices.
Increased Compliance Costs
CRA rules could impose additional compliance costs on international companies. Those costs could raise production costs and end-user prices and change regional market availability, potentially affecting global consumers and businesses.
Legal and Policy Precedents
The CRA could inspire cross-border cybersecurity collaborations and initiatives, as governments recognize the importance of harmonized security standards to mitigate global cyber threats. It could also create pressure on non-EU companies to improve vulnerability reporting and patch management, even in regions without stringent cybersecurity laws.
Potential Trade Impacts
Non-compliance with the CRA could act as a trade barrier for companies wanting to sell their products in the EU, incentivizing higher global cybersecurity standards. Conversely, if companies or regions perceive CRA requirements as overly stringent or protectionist, it might lead to regulatory pushback or trade disputes.
Hopefully, the CRA will serve as a catalyst for stronger cybersecurity norms, driving regulatory convergence and improved digital resilience worldwide, benefiting businesses, governments, and users alike.
Next Time – CRA approach to open source and its impact on Test Automation