Cyber Resilience Act

Readiness Assessment

Ready to Improve Your Product Security?


Contact Us Today about the Readiness Assessment!

Step 1
Company Details

The Online Readiness Assessment will take up to 30 minutes to complete. It should be completed on a laptop or desktop. In Section 1 you fill in the high-level company and product information that gives context to the report.

Step 2
CRA Essential Requirements

Section 2 covers the risk assessment, testing, secure configuration and security controls. It is recommended that you have the required level of knowledge and experience to answer questions on these areas in relation to your product.

Step 3
CRA Documentation Checklist

Section 4 covers vulnerability management and disclosure, the software bill of materials and the documentation requirements in the CRA. Throughout the assessment you can access hints relating to the questions being asked, as well as a glossary of terminology.

Step 4
CRA Readiness Report

Your report will be emailed to the contact email address provided in Section 1. You will receive a comprehensive report with scoring per section, plus graphs and charts outlining your strengths and weaknesses against the essential requirements. The report also helps you understand the CRA and provides recommendations to help you plan and budget for improved product security and, at the same time, CRA compliance.

1.1 Early Assessment

Our Readiness Assessment is designed for manufacturers of products with digital elements. It is a useful tool, for SMEs in particular, to start planning early for the Cyber Resilience Act. It is easy to use, and there are many helpful guides and aids to help you understand the questions, the regulation and how it will impact your product development lifecycle.

1.2 Readiness Report

The report is comprehensive, 16 pages on average, with scoring by section to help you identify your areas for improvement. This high-level readiness report is aimed at helping SMEs and other enterprises start planning early to improve product security and, at the same time, understand their obligations under this new legislation.

1.3 CRA Expertise

We have designed additional aids such as a CRA Guide, visual aids and a glossary of terminology to help you understand the CRA. These materials are made available to you once you have purchased the assessment software. Cyber Cert Labs has the expertise to help guide you. As members of various industry bodies and CRA working groups, we are tracking all of the developments so you don’t have to!

Learn More About the Cyber Resilience Act

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a first-of-its-kind EU legislation that provides a baseline standard for the cybersecurity of connected products with digital elements. Products with digital elements are defined as products with software and/or hardware components and any associated remote data processing solutions.

The CRA aims to address two clearly identified problems commonly found in digital products:

  • Products with digital elements are being manufactured with low levels of cybersecurity. This causes widespread vulnerabilities, and security updates to address these vulnerabilities are lacking. This makes digital products attractive targets for cybercriminals as a vehicle to attack larger networks.
  • Users of products with digital elements have insufficient understanding of product security and lack the information that would allow them to make informed decisions when choosing products with proper cybersecurity features.

The CRA is horizontal legislation, meaning it covers a broad range of products across many sectors. Any product made available on the EU market that is in scope for the CRA will need to affix the CE mark for cybersecurity. Manufacturers, distributors and importers from outside the EU will also have to comply. The CRA is an important consideration for many businesses developing new products.

What products are in scope and out of scope?

Products with Digital Elements (PDEs) Definition
  • any software or hardware product and its remote data processing solutions
  • including software and hardware components to be placed on the market separately
  • with a data connection to device or network
  • that are made available on the EU single market


Open Source

Open-source software will be subject to a light-touch regulatory regime, which means the CE mark cannot be affixed to it. For-profit manufacturers using open-source software as part of their product with digital elements are responsible for making sure the open-source software components are compliant with the CRA. Free and open-source software requirements will include:

  • Creating and documenting a cybersecurity policy to foster the development of a secure product with digital elements 
  • Vulnerability handling process 
  • Co-operation with market surveillance authorities 


Products Out of Scope

The CRA will not apply to the following products, some of which are already covered by other specific regulations:

  • Software as a Service – except for remote data processing solutions relating to a product with digital elements
  • Medical devices and in vitro diagnostic medical devices
  • Civil aviation safety
  • Motor vehicles and their trailers
  • Products with digital elements developed or modified exclusively for national security or defence purposes
  • Products specifically designed to process classified information

What are the timelines for the CRA?

The European Union (EU) Council adopted the Cyber Resilience Act on 10 October 2024, following the final text being adopted by the EU Parliament in September 2024. This latest step means the legislation will come into effect shortly.

The next step will be the signing of the legislative act by the presidents of the EU Council and Parliament, followed by publication in the Official Journal within a few weeks. Once published in the Official Journal, the Cyber Resilience Act will enter into force 20 days later.

A 36-month transition period will follow, by the end of which all products with digital elements brought to market after the enforcement date must be fully compliant. Obligations around vulnerability reporting will be enforced after 21 months.

Who does it affect?

Manufacturers, including software developers, importers and distributors of software and hardware products with digital elements who make their products available on the EU market, will need to comply with the Cyber Resilience Act. Entities outside the EU who make products available on the EU single market will also need to comply.

The EU Commission conducted an impact assessment on the CRA. It found that small and medium-sized businesses, including micro-SMEs, in scope for the Cyber Resilience Act would struggle to comply, mainly due to the associated costs and a lack of cybersecurity expertise. While this creates obstacles to overcome, the CRA seeks to strengthen product security, which benefits manufacturers overall. Customers will be more confident in the security of the products they buy, and manufacturers and society are strengthened against cyberattacks.


What are the categories of products?

Default (lowest risk level)

90% of products are estimated to fall into the default category. These products are deemed to have lower risk profiles than products in the other categories. Examples of products in this category include:

  • Smart home devices 
  • Printers 
  • Bluetooth speakers 
  • Media player software applications 

Manufacturers of products that fall into the default category can self-assess to show compliance with the CRA essential requirements as outlined in Annex I of the CRA. The self-assessment procedure is laid out in CRA Annex VIII.

Important Class I 

The complete list of products that fall into Important Class I can be found in Annex III of the CRA; it includes:

  • Identity management systems, privileged access management software & hardware, and access control readers 
  • Standalone & embedded browsers 
  • Password managers 
  • Software that searches for, removes or quarantines malicious software 
  • Products with virtual private network function 
  • Network management systems 
  • Boot managers 
  • Operating systems 
  • Routers and modems intended to connect to the internet and switches 

Manufacturers with products that fall into Important Class I can use the self-assessment method to demonstrate compliance with the CRA essential requirements as long as they can apply one of the following:

  • Harmonised Standard – a European standard developed by a recognised European Standards Organisation, following a request from the European Commission. Manufacturers can use harmonised standards to demonstrate that products comply with EU legislation. Harmonised standards are currently being created specifically for the CRA.
  • Common Specification – a detailed, practical set of rules setting out how a product should comply with specific requirements, adopted by the European Commission when no harmonised standards exist.
  • European Cybersecurity Certification – a scheme ENISA is developing on behalf of the European Commission to create a framework for certifying that products with digital elements meet the essential requirements of the CRA.

If the manufacturer cannot use one of these schemes for their product, they must apply to have their product assessed by a third-party conformity assessment body. 

Important Class II 

Product types that fall into Important Class II category are: 

  • Hypervisors and container runtime systems supporting virtualised execution of operating systems 
  • Firewalls, intrusion detection & prevention systems 
  • Tamper resistant microprocessors & microcontrollers 

Products that fall into Important Class II must undergo a third-party conformity assessment even if the product complies with harmonised standards, common specifications or a European cybersecurity certification scheme.

Critical Class 

Products that fall into the Critical Class are: 

  • Hardware devices with security boxes 
  • Smart meter gateways 
  • Smart cards or similar devices including secure elements 
  • Other devices for advanced security purposes including secure crypto processing  

Products in the Critical Class carry the highest risk and therefore have the strictest compliance process. Critical Class products must complete a European Common Criteria (EUCC) cybersecurity certification assessment conducted by a conformity assessment body.

What are the penalties for non-conformance?

Failure to comply with the CRA essential requirements or with vulnerability or incident reporting obligations could incur administrative fines of up to €15 million or 2.5% of global turnover, whichever is higher.

Failure to comply with other obligations could incur administrative fines of up to €10 million or 2% of global turnover, whichever is higher.

Supplying misleading information to enforcement bodies or national CSIRT teams could incur administrative fines of up to €5 million or 1% of global turnover, whichever is higher.

Under certain circumstances EU authorities can require the recall or withdrawal of non-compliant products.

Important for SMEs 

Administrative fines do not apply to micro-enterprises or SMEs for failure to meet the 24-hour deadline for early-warning notifications. Subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of pecuniary penalties on these entities for such failures.

How to get help?

Cyber Cert Labs can help manufacturers prepare for the CRA by providing education on what the CRA is and what they need to do to comply. Our readiness assessment, aids and guides break down the new processes manufacturers will need to implement at each stage of the product lifecycle. This should make integrating CRA compliance into an already familiar process less daunting. Contact us today to begin your journey to secure your products!