The Cyber Resilience Act: Understanding the scope

The Cyber Resilience Act (CRA) is new landmark legislation that affects manufacturers of products with digital elements. The main aim of this new regulation is to improve product security, reduce vulnerabilities and ensure users have enough information to make informed decisions about their purchases when it comes to cyber security. For many manufacturers the CRA will introduce changes to the design, development and maintenance of their products. There will also be vulnerability reporting obligations while the product is available on the market, and products will need to bear the CE mark for cyber security.

The first step is to understand whether this new legislation applies to your digital product. This article guides you through the definition, the products in scope, the products out of scope and some notable exceptions. The range of products in scope for this new regulation is very broad, so it is impossible to name every product in scope; understanding the definitions will be key.

Introduction

Let's start with the definition of products with digital elements:
• any software and/or hardware product and its remote data processing solutions
• including software and hardware components
• with a data connection to a device or network
• that are made available on the EU single market

Now let's see what products are out of scope:
• Software as a Service – except for remote data processing solutions relating to a product with digital elements. If the SaaS component of the product is necessary for the entire product to function correctly, then the SaaS element of the product is in scope.

Some products that are already covered by other regulations are out of scope, such as:
• medical devices and in vitro diagnostic medical devices
• civil aviation safety
• motor vehicles and their trailers
• products with digital elements developed for national security or defence purposes

What about Open-Source Software?
The regulatory regime for open-source software will be light-touch, which means it cannot bear the CE mark. Manufacturers that use open-source software as part of their product with digital elements must ensure that these open-source software components comply with the Cyber Resilience Act (CRA). Ultimately the manufacturer is responsible for all components of their product.

For free and open-source software, the following requirements will apply:
• Creation and documentation of a cybersecurity policy to promote the development of a secure product with digital elements;
• Implementation of a vulnerability handling process; and
• Cooperation with market surveillance authorities.

Products are divided into four different categories according to their risk levels and will have different conformance requirements depending on the category they are in. To learn more about these categories, read our article on CRA Product Categories: https://www.cybercertlabs.com/case_studies/cra-categories/