EU Cyber ResilienceAct (CRA) Explained

What is the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act sets minimum cybersecurity standards for products with digital elements, such as Internet of Things (IoT) devices. This includes most types of software as well as hardware that can connect to a network.

If you want the exact legal text, here’s the second recital of the Regulation:
“This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.”

Just like we expect safe food and medications, we now expect safe hardware and software. Just as there are minimum safety standards for food and medicine, we now have similar standards for hardware and software.

The regulation went into effect on December 10, 2024, but it will gradually phase in its requirements. It will start applying in June 2026 and be fully applicable by December 2027.

What Are the Actual Cybersecurity Standards to Be Met?

The CRA cybersecurity standards fall into two categories: essential standards and vulnerabilities handling standards.

Hardware or software with digital elements must incorporate essential standards into their design. As you might expect, these standards are quite general, leaving it up to you to decide which specific measures to implement to ensure your product’s safety.

Paragraph 1 of Annex 1 says: “Products with digital elements shall be designed, developed, and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.”.  This is the spirit of the regulation: do whatever you think you need to do; just make sure that the product is safe. If you are aware of any vulnerabilities, refrain from putting the product on the market.

More in detail, you must:

• Set secure default settings
• Enable access controls
• Limit the use of data
• Provide regular updates to address vulnerabilities, and so on and so on.

When it comes to managing vulnerabilities, the regulation requires you to identify and fix them as quickly as possible. However, this doesn’t mean waiting for an issue to arise. We expect you to adopt a proactive approach by conducting regular checks, updates, and maintenance to proactively prevent problems before they arise.

On top of these standards, covered businesses must:

• Accompany the product or software with a user manual
• Issue an EU Declaration of Conformity and affix the CE marking
• Prepare technical documentation for the hardware or software

To What Products Does the Cyber Resilience Act Apply?

The CRA applies to hardware and software, but not universally. There’s a clear distinction between the products it covers and those that fall outside its scope.

The regulation categorizes the products it governs into two types:

1. Critical products: These products are essential for secure operations and are divided into three subcategories:
2. Hardware devices with security boxes. Examples include POS terminals, encrypted external storage devices, or devices that store digital keys.
3. Smart meter gateways and systems. This includes devices used to measure energy consumption or transmit data between energy systems.
4. Smartcards and similar devices. Examples include payment cards, electronic identification cards, SIM cards, secure USB keys, and similar secure devices.
5. Important products: We further divided these into two classes:
   Class I - a broad category that includes products like password managers, smart home virtual assistants, internet routers, smart door locks, security cameras, and more.
6. Class II - a narrower category covering specialized products like firewalls, tamper-resistant microprocessors and microcontrollers, hypervisors, and container runtime systems.

Products Exempt from the CRA

The EU Cyber Resilience Act includes several important exemptions. Products already covered by industry-specific regulations are not subject to this law. These include items provided exclusively for national security and defense purposes, medical devices, motor vehicles, civil aviation products, and marine equipment.

Free and open-source software remains exempt unless the business charges for the software itself, charges for technical support services related to the software, or processes personal data beyond what is necessary for its functionality.

In general, SaaS and PaaS products are exempt, as these services, in their purest forms, are not inherently tied to the operation of a product with digital elements. However, the regulation would apply if the service directly connects to a device's functionality, like software for a fitness wearable.

CRA v NIS2 v GDPR v DORA

If you’re feeling confused about how the EU Cyber Resilience Act (CRA) differs from the GDPR, NIS/NIS2, or DORA, let’s clarify the distinctions:

• The NIS2 Directive (and the earlier NIS) focuses on national security aspects of cybersecurity. It aligns EU member states around the need to protect critical infrastructure and government bodies. Critical infrastructure refers to systems and services essential for a country to function, such as banks, energy systems, hospitals, and other crucial entities. We must safeguard these systems and services to prevent potentially catastrophic consequences.
• GDPR is all about protecting personal data. It applies only to the processing of personal information and requires companies handling such data to implement adequate security measures.
• The CRA is different because it targets devices that can connect to a network and the software they use. It places responsibility on manufacturers, developers, and operators to ensure these products are secure from a cybersecurity perspective.
• DORA, or the Digital Operational Resilience Act, is limited to financial institutions. It focuses on how these institutions should manage cybersecurity risks. DORA is an example of a sector-specific regulation in the EU, much like the existing rules for civil aviation, healthcare, and maritime sectors. Where these sector-specific laws don’t apply, the CRA steps in to fill the gap, covering all other network-connected devices and their software.

Does the EU Cyber Resilience Act Apply to Your Business?

The Cyber Resilience Act applies to three types of businesses:

• The first category includes manufacturers of devices that use software. This covers producers of smartwatches, cars, robot cleaners, smart TVs, and any other products capable of connecting to a network.
• The second category is software companies, though not all of them. The regulation applies only to software that interacts with hardware. The regulation does not apply to pure SaaS products like Google Analytics, Jira, or HubSpot. However, software that connects with devices like wearables or smart TVs falls under its scope. For instance, the regulation would cover Strava, which connects to smartwatches, and YouTube, which connects to smart TVs. On the other hand, HubSpot, which does not integrate with such hardware, remains outside the regulation’s scope.

It’s also important to note that products and entities regulated by sector-specific laws, such as those in healthcare or finance, are exempt from the CRA. This regulation covers only the areas left unregulated by other laws.

tvOS apps connected to Apple TV face specific regulatory requirements.

• The third category includes importers, distributors, and resellers of products covered by the CRA. We expect these businesses to ensure that the products they handle comply with the law.

Whether the CRA applies to your business depends on the products you work with. If you sell devices that can connect to a network, the CRA definitely applies. If you make or sell software for such devices, the regulation may apply.

Cyber Resilience Act Compliance Requirements

In general, the CRA requires businesses to ensure their products are secure from a cybersecurity perspective. The CRA requires businesses to conduct a prior risk assessment, provide a user manual with the product, and ensure the identification and appropriate resolution of vulnerabilities.

For each type of business that falls under the CRA scope, the steps toward compliance look as follows:

CRA Compliance for Manufacturers

Before placing a product on the European market, the manufacturer under the CRA scope must:

• Conduct a cybersecurity risk assessment
• Vet third-party vendors to ensure that their components are safe to integrate
• Have policies to address vulnerabilities
• Conduct conformity assessments
• Issue an EU declaration of conformity and affix the CE marking
• Provide support for at least five years unless the product lifespan is shorter
• Provide updates for at least 10 years
• Prepare technical documentation and keep it for 10 years
• Accompany the product with a user manual containing information on handling vulnerabilities
• Inform relevant CSIRTs and users for discovered vulnerabilities or cybersecurity incidents

CRA Compliance for Software Developers

It is mandatory for software developers to adopt a risk-based approach when designing the software. It should result in the following:

• Ensure products are with secure default settings and allow users to easily reset to a secure setting
• Limit the attack surface area
• Eliminate known vulnerabilities
• Process only the barely necessary data and use encryption whenever possible
• Ensure that core functionalities remain available even in the case of incidents
• Ensure data removal and portability
• Implement access controls
• Issue an EU declaration of conformity
• Issue a Bill of materials

CRA Compliance for Importers, Distributors, and Resellers

If your business does not make hardware or software, using it in the market requires CRA compliance.

Your duties include:

• Check if the manufacturer or software developer has an EU Declaration of Conformity, technical documentation, CE marking, and user manual
• When importing products from outside the EU, ensure that the product or software complies with the CRA standards and has the required documentation
• Inform manufacturers, software developers, and authorities in the case of discovering a vulnerability
• Refrain from making available on the market products that are not compliant with the CRA

What to Do Next

The answer to this question is straightforward: make sure your product is safe. While compliance with the Cyber Resilience Act may be mandatory for certain businesses, the principles behind it benefit all companies working with digital products. You don’t need to wait for authorities to pass legislation to start prioritizing security. Taking proactive steps to ensure your products are safe demonstrates responsibility and builds trust with your customers.

In a world where cybersecurity threats are constantly evolving, ensuring the safety of your hardware and software is not just about meeting legal requirements; it’s about protecting your customers, your reputation, and the stability of the digital ecosystem. By embedding cybersecurity into the design and operation of your products today, you’re not only preparing for regulations like the CRA but also setting your business up for long-term success in an increasingly connected and security-conscious marketplace.