Overview of CRA

Overview of CRA

The Cyber Resilience Act (CRA) is a first of its kind legislation that provides a baseline cybersecurity standard for products with digital elements within the European Union. The CRA aims to address two main problems identified in products with digital elements:

  1. Products with digital elements are being manufactured with low levels of cybersecurity. This is resulting in widespread vulnerabilities and a lack of security patching to address these vulnerabilities. This makes these products attractive targets to cybercriminals as a vehicle to attack larger networks.
  2. Users of products with digital elements have an insufficient understanding of the product security. As well as a lack of information that would allow them to make informed decisions on choosing products with appropriate cybersecurity features and using them in a secure manner.

 

The CRA will apply to any products that adhere to all the following criteria:

  1. Products that directly or indirectly have a data connection to a device or network. For example, wireless speakers which connect to other devices via a Bluetooth connection or a USB drive that plugs into a computer.
  2. A hardware and/or software based product.
  3. Will be made available on the EU internal market.
Introduction

Obligations to comply with the CRA

Manufacturers of products with digital elements will have to comply with the following obligations to be compliant with the CRA:

  1. Cybersecurity must be taken into account at all stages of the manufacturing process; planning, designing, production, delivery and maintenance.
  2. All cybersecurity risks must be documented.
  3. Manufacturers must report all exploited vulnerabilities and cybersecurity incidents.
  4. Manufacturers must handle cybersecurity vulnerabilities for the product lifetime or five years whichever is shorter.
  5. Manufacturers must provide clear and understandable instructions on cybersecurity to users.

 

Other economic operators will also have obligations under the Act – read more about this here Cyber Resilience Act for Importers and Distributors

Conclusion

Cybercrime in 2021 cost €5.5 trillion globally. This figure has been steadily rising and large scale cyberattacks are becoming more frequent and sophisticated. This means it is imperative that cybersecurity keeps up with the growing threat. An EU wide approach to cybersecurity is beneficial as it makes cybersecurity requirements consistent across all Member States. It will also make compliance easier for manufacturers in the long term as there is one standard, they will have to adhere to rather than individual Member State laws.

However, some have raised issues with the CRA in its current form. The open source community has come out strongly against the CRA, as some of its wording (intentionally) implicates open source projects in commercial activity. Open source software would have to be compliant with the CRA, something which open source foundations like the Apache Software Foundation have said will put an unsustainable burden on the open source community, who work on these projects for free and release the product for free. Also, the current timeframe for reporting vulnerabilities of 24 hours has been met with some pushback from companies. They think this is too short a timeframe to disclose vulnerabilities and make cause higher risk of vulnerability exploitation and incentivise shallow fixes to save on time. All this and more will be explored fully in our upcoming articles, stay tuned!

Other articles Is your product in scope for Cyber Resilience Act?