
The European Council adopted the Cyber Resilience Act - Are you prepared?

Great news! On October 10th, 2024, the European Council officially adopted the Cyber Resilience Act (CRA), marking a significant step forward in improving cybersecurity across the European Union.


What is the CRA?

The Cyber Resilience Act (CRA) is a new piece of legislation that introduces mandatory cybersecurity requirements for both hardware and software products across the European Union. 

The CRA covers any product with digital components that can connect to a device or a network, including not only complete products but also their building blocks, such as hardware and software.

Products covered by sector-specific regulations that already have certification requirements similar to the CRA are explicitly excluded. These include, for instance, medical devices, in vitro diagnostic medical devices, and motor vehicles with their related components.


Requirements

The Cyber Resilience Act establishes two sets of requirements for manufacturers to follow.


  • Product requirements: These rules cover the entire lifecycle of a product, from the moment it is launched until it is no longer in use. The CRA stresses that cybersecurity risks must be considered during each phase and documented thoroughly. Additionally, products must be free of known exploitable vulnerabilities when they are placed on the market.

  • Vulnerability handling requirements: Manufacturers must identify, document, and address vulnerabilities in their products. This includes providing security updates without delay and having a clear policy for coordinated vulnerability disclosure, so that any security issues are promptly communicated and resolved.


Another crucial point of the Cyber Resilience Act is the incident reporting obligation. When a manufacturer becomes aware of an actively exploited vulnerability in a product with digital elements, it must notify the Computer Security Incident Response Team (CSIRT) within 24 hours.


Conformity and CE mark

Products with digital components, including software, will be required to display the CE mark, indicating that they meet the requirements set by the Cyber Resilience Act (CRA).

How can compliance with the CRA be demonstrated? The requirements are expected to be standardized by European Standardization Organizations (ESOs) and expressed in the form of harmonized standards. Once these standards are available, they can be applied to ensure compliance depending on a product’s classification. Products are divided into three categories according to their level of criticality, as outlined in Article III of the Act. For default products, self-assessment is sufficient. For Critical Class I products, compliance can be demonstrated by applying a relevant standard or undergoing third-party assessment. Critical Class II products, however, require mandatory third-party assessment to ensure conformity.


Timeline

Now that the Cyber Resilience Act has been officially adopted, it will be published in the EU’s Official Journal in the coming weeks and will enter into force 20 days after publication. Once it takes effect, companies affected by the CRA will have 36 months to fully comply with the new cybersecurity requirements, setting the deadline for adaptation by the end of 2027. However, there is an exception: a shorter 21-month grace period applies for manufacturers’ obligations to report incidents and vulnerabilities (Article 11), with a compliance deadline expected by summer 2026.


How Security Pattern can help

We offer various consultancy services and training modules to support your organisation with cybersecurity challenges.


SBOM and Vulnerability Management



Compliance GAP analysis


  • During a Compliance Gap Analysis we support you in comparing your organisation’s procedures and controls with an existing standard.


Cybersecurity Training


  • Our training modules are designed to introduce your team to the cybersecurity domain or to take experienced professionals to the next level.



Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.



