What is the Cyber Resilience Act?

Halfway through Cybersecurity Month, it’s time to look at the latest EU-level regulation touching on cybersecurity – the Cyber Resilience Act, which is just now entering into effect.

The Cyber Resilience Act (CRA) is a complement to existing EU regulations, including NIS2, which we covered last week. Unlike NIS2, which is focused narrowly on critical infrastructure and key sectors, the Cyber Resilience Act is significantly wider in scope. Initially proposed on 15 September 2022 and adopted last week on Thursday, the CRA lays out cybersecurity requirements for products with digital elements.

What does the Cyber Resilience Act cover?

Some of the categories explicitly called out include the Internet of Things (IoT), connecting smart devices like refrigerators, microwaves and other interconnected home devices. Other articles and documents touch on other groups – toys, for example. The argument the European Union has put forward is that there are vast categories of internet-connected devices not covered by cybersecurity regulation of any kind, which leaves a dangerous loophole for malicious actors to exploit.

As such, the CRA is put in place to regulate “the design, development, production and making available on the market of hardware and software products” and cover the results under new CE standards. The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. The only exceptions are for products already covered by existing regulations (for example the automotive industry).

What will the CRA require from businesses?

The first and primary requirements laid down by the CRA fall on manufacturers, who are required to undertake regular risk assessments to determine the cyber risks within their products, ensure data protection by default, and regularly provide information about flaws while also patching them swiftly.

Per this GovInfoSecurity article, products that conform to the regulation will also be required to carry a “CE” marking. Non-compliance could result in businesses facing fines of up to 15 million euros or 2.5% of their global turnover, whichever is higher.

Finally, vendors will be required to report promptly – within twenty-four hours of detection – any exploited vulnerability in products they are selling. The report is meant to go to the European Union Agency for Cybersecurity, which will then forward it to relevant nation-level response teams or regulatory bodies.

Manufacturers will have to place compliant products on the Union market by 2027, giving them several years of grace period to ensure their full compliance with the new rulings.

What next?

With the arrival of the Cyber Resilience Act, the European regulatory landscape is becoming still more tightly governed. The result is hopefully going to be a safer online landscape, although some voices have raised concerns about the CRA’s likely impacts.

At the same time, that increased security will inevitably come at the cost of an ever more impenetrable environment governed by increasingly complex legal systems. This may raise some issues going forward, as manufacturers and vendors will have to take into account another layer of regulation in order to continue operating. We will continue to watch this space with interest and see how it develops.


Your Data In Your Hands – With TECH-ARROW

by Matúš Koronthály