FAQ

A collection of frequently asked questions on the Cyber Resilience Act and cyber resilience in general.

The Cyber Resilience Act (CRA) is an EU regulation, originally proposed by the European Commission in September 2022, that aims to improve the cybersecurity of products with digital elements, including IoT devices, placed on the European Single Market.

The legislation imposes mandatory cybersecurity requirements on manufacturers of IoT products, including the developers of the software in them, to ensure the products' cyber resilience throughout their support period. It also gives users more control by obliging manufacturers to supply security updates free of charge, installed automatically by default where appropriate, and to inform users about security risks.

The CRA was adopted by the Council on 10 October 2024 and published in the Official Journal of the European Union on 20 November 2024 as Regulation (EU) 2024/2847.

It entered into force on 10 December 2024.

Its obligations apply in stages: manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents apply from 21 months after entry into force (11 September 2026), and the remaining obligations, including the essential cybersecurity requirements, apply 15 months after that, i.e. 36 months after entry into force (11 December 2027).

The CRA requires manufacturers to identify and document the components in their product, including by drawing up a software bill of materials (SBOM) covering at least the product's top-level dependencies. One common approach is to use a software composition analysis (SCA) tool. An SCA tool scans the application's dependency manifests, lock files or build artefacts and generates an SBOM that lists the software components with their names, versions and suppliers, typically in a machine-readable format such as CycloneDX or SPDX.

Another approach is to collect the information about the software components manually, by reviewing the product's source code, installation files and documentation. This is time-consuming and easy to get wrong, so the resulting SBOM should be checked for components whose version could not be determined and regenerated whenever the dependencies change.
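As an added illustration of the SBOM format that both approaches end up producing (example code written for this FAQ, not from the page, from any SCA vendor or from CRA guidance): the script below parses a small, constructed Python requirements file, emits a minimal CycloneDX 1.5 JSON SBOM with a package URL per component, and flags dependencies whose exact version could not be determined, which is the first thing to check in a manually assembled SBOM. The product name sensor-gateway, its version and the requirement lines are assumptions made for the demonstration.

```python
"""Build a minimal CycloneDX 1.5 SBOM (JSON) from a pinned Python
requirements file and flag components whose exact version is unknown.

Added example for this FAQ; it is not tooling from the page or from any
CRA guidance. The requirements text, product name and version below are
constructed for the demonstration.
"""
import json
import re
import uuid
from typing import Dict, List, Optional

# Constructed sample input: comments, an extras specifier and one
# dependency that is only range-constrained rather than pinned.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies of the (hypothetical) sensor-gateway firmware image
requests==2.31.0
cryptography==42.0.5
paho-mqtt[proxy]==1.6.1      # MQTT client for device telemetry
PyYAML>=6.0                  # range, not an exact pin: version unknown
"""

# name, optional [extras], optional version operator and version.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|!=|<|>)\s*(?P<version>[^\s,]+))?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation; also the form a pkg:pypi purl expects."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per requirement; version is None unless pinned with ==."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, ...)
            continue
        line = line.split(";", 1)[0].strip()     # drop environment markers
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        pinned = m.group("op") == "=="
        components.append({
            "name": normalize_name(m.group("name")),
            "version": m.group("version") if pinned else None,
            "requirement": line,
        })
    return components


def build_sbom(product: str, product_version: str,
               components: List[Dict[str, Optional[str]]]) -> Dict:
    """Assemble the CycloneDX JSON document; unpinned components get no version."""
    entries = []
    for c in components:
        entry = {"type": "library", "name": c["name"],
                 "purl": f"pkg:pypi/{c['name']}"}
        if c["version"]:
            entry["version"] = c["version"]
            entry["purl"] += f"@{c['version']}"
        entries.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": product, "version": product_version}},
        "components": entries,
    }


def unpinned_components(sbom: Dict) -> List[str]:
    """Components without an exact version cannot be matched against advisories."""
    return [c["name"] for c in sbom["components"] if "version" not in c]


if __name__ == "__main__":
    bom = build_sbom("sensor-gateway", "3.2.0",
                     parse_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(bom, indent=2))
    for name in unpinned_components(bom):
        print(f"WARNING: {name} has no exact version; pin it before publishing the SBOM")
```

The per-component shape (name, version, purl) is the same one an SCA tool emits at scale. In practice the SBOM should be generated from the lock file or the built artefact rather than from requirements.txt, so that transitive dependencies are included and the versions recorded are the ones actually shipped.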

Cyber resilience is the ability of individuals or organizations to withstand, recover from and adapt to cyber attacks. It offers several benefits, including protecting data and systems from unauthorized access or manipulation, reducing financial losses and reputational damage, and increasing customer trust and satisfaction.

Cyber resilience is built on five pillars, which correspond to the five core functions of the NIST Cybersecurity Framework. By implementing them, organizations can strengthen their cyber resilience:

  1. Identification: Understanding an organization’s assets but also its threats and vulnerabilities.
  2. Protection: Implementing security controls.
  3. Detection: Continuously monitoring systems and networks for signs of attacks.
  4. Response: Having a plan for responding to cyberattacks, such as isolating affected systems, containing the damage, and restoring operations.
  5. Recovery: Having a plan for recovering from cyberattacks, such as restoring data, rebuilding systems, and compensating for losses.

ACHIEVING COMPLIANCE

I am an IoT device manufacturer

IoT device manufacturers are first in line when it comes to compliance. The CRA will change the way manufacturers operate.

Our guide covers what you have to do, how much time you have to comply and what the legal ramifications of non-compliance are.

I am a software developer

Free and open-source software that is developed or supplied outside the course of a commercial activity is generally excluded from the CRA.

Standalone software, and software that enables remote data processing for IoT devices, is subject to the CRA provided that its intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network and it is made available on the market in the course of a commercial activity.

I import / distribute / resell

IoT device importers, distributors and resellers have obligations of their own under the CRA and, in some circumstances, are treated as manufacturers themselves, for example when they market a product under their own name or trademark or substantially modify a product that is already on the market.

Our guides detail these stakeholders’ responsibilities and liabilities.