The CRA, explained

Aimed at manufacturers, software developers, importers, distributors, and resellers, the Cyber Resilience Act sets out to ensure that products with digital elements (hardware and software) are secure throughout their lifecycle, from design through to the end of their support period.

The Cyber Resilience Act (Regulation (EU) 2024/2847) was formally adopted by the Council on October 10, 2024, published in the Official Journal of the European Union on November 20, 2024, and entered into force on December 10, 2024. Most provisions apply from December 11, 2027 (36 months after entry into force). The reporting obligations apply earlier, from September 11, 2026 (21 months), and the provisions on notified conformity assessment bodies from June 11, 2026 (18 months).

The CRA puts resilience at the CORE of IoT

Why does the Cyber Resilience Act matter?

Benefits for both businesses and consumers

Harmony

The regulation establishes a single, harmonised set of cybersecurity rules for IoT and other products with digital elements across the EU, making it easier for manufacturers to comply and avoiding overlapping national requirements.

Security

The risk of successful cyber-attacks is expected to fall, protecting businesses and consumers from data breaches, financial losses and reputational damage.

Economy

Building security in from the start helps avoid the significant costs of handling data breaches, which can run into millions.

Reliability

With the increased security provided by the CRA, customer trust should rise, leading to increased demand for products with digital elements.

Profitability

This increase in demand can translate into more customers and higher profits for manufacturers, importers, distributors and resellers.

Transparency

The regulation improves transparency by requiring clear, accessible information about a product's security properties and its support period, leading to better-informed purchasing decisions and higher customer satisfaction.

Privacy

Fundamental rights such as data protection and privacy are better protected, because data collected by IoT devices must be secured against unauthorised access and breaches.


To whom does the Cyber Resilience Act apply?

The Cyber Resilience Act applies to economic operators, that is manufacturers, software developers, importers, distributors and other actors (such as resellers), that make products with digital elements available on the EU market.

There are some important exceptions:

  • Free and open-source software supplied outside the course of a commercial activity does not fall under the purview of the CRA. Open-source software that its developers supply as part of a commercial activity is, however, subject to the Act's requirements. Indicators of a commercial activity include:
    Charging for the software itself, or for technical support, beyond the actual costs.
    Monetisation through platforms or services linked to the software.
    Requiring personal data processing as a condition of use for purposes other than security, compatibility or interoperability.
    Accepting donations exceeding development and provision costs.

    ⚠️ The exemption from administrative fines in Article 64(10)(b) covers open-source software stewards (the non-profit legal persons described in Article 24 that provide sustained support to open-source software intended for commercial activities), not manufacturers who supply open-source software commercially. A manufacturer whose open-source product falls under the CRA because of a commercial activity is subject to the full obligations and penalties.

  • Cloud solutions fall within the CRA's purview only as "remote data processing solutions": software whose absence would prevent a product with digital elements from performing one of its functions, and which is developed by or under the responsibility of the manufacturer. For instance, a manufacturer's mobile application that depends on a manufacturer-operated back-end service via an API or database is covered together with the product. In other words, if a remote service processes data for a hardware or software product placed on the EU market and the product cannot perform its functions without it, that service is within the CRA's scope.
    ⚠️ Standalone SaaS and PaaS offerings that are not remote data processing for a product are not covered by the CRA; cloud services as such remain regulated under the NIS2 Directive.

  • Products already covered by the following EU legislation do not fall under the purview of the CRA:
    ○ Regulation (EU) 2017/745 (medical devices)
    ○ Regulation (EU) 2017/746 (in vitro diagnostic medical devices)
    ○ Regulation (EU) 2019/2144 (motor vehicles)
    ○ Regulation (EU) 2018/1139 (civil aviation) 
    ○ Directive 2014/90/EU (marine equipment)

  • The CRA does not apply to products developed or modified exclusively for national security or defence purposes, or to products specifically designed to process classified information.

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers, importers, distributors and third parties supplying products with digital elements to the European market.

First is the obligation to take cybersecurity into account throughout the planning, design, development, production, delivery and maintenance of a product. This means that cybersecurity considerations must be integrated into the product development process from the outset, not added afterwards.

In particular, manufacturers must ensure that products meet the essential cybersecurity requirements set out in Annex I of the CRA, including provisions on security by design and by default, risk assessment, vulnerability handling, incident management, and the protection of personal data (closely related to the GDPR).

Products must be updatable and patchable so that vulnerabilities discovered after release can be fixed. Security updates must be made available free of charge for the product's support period, which must reflect the expected time of use and be at least five years unless the product's expected lifetime is shorter. Clear and comprehensible information on a product's cybersecurity features and support period must also be provided to users.

If a manufacturer becomes aware of an actively exploited vulnerability in a product, or of a severe incident affecting its security, it must report it through the single reporting platform operated by ENISA to the CSIRT designated as coordinator: an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days (for a vulnerability) or one month (for an incident). Affected users must also be informed, and the manufacturer must cooperate with market surveillance authorities in investigating and resolving the matter.

Failure to comply with the Cyber Resilience Act can result in administrative fines of up to 15 million euros or 2.5% of total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of the essential cybersecurity requirements or of manufacturers' core obligations; up to 10 million euros or 2% for breaches of other obligations; and up to 5 million euros or 1% for supplying incorrect, incomplete or misleading information to notified bodies and market surveillance authorities.

⚠️ A 36-month transition period follows the entry into force of the Cyber Resilience Act, so most obligations apply from December 11, 2027. However, the reporting obligations concerning actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements apply from September 11, 2026 (21 months after entry into force), and the rules on notified conformity assessment bodies from June 11, 2026 (18 months).
