The new Cyber Resilience Act (CRA) adopted by the EU Council aims to enhance the safety and security of consumer products with digital components. The CRA sets EU-wide cybersecurity standards for products that are connected to another device or network, such as smart home appliances, wearable health technology, and baby monitoring systems.
While certain products like medical devices, networking devices, and cars are exempt from the CRA due to existing cybersecurity laws, the new regulation focuses on ensuring that hardware and software products are developed and placed on the market with fewer vulnerabilities. It also emphasizes the importance of manufacturers taking security seriously throughout a product’s lifecycle.
One of the key aspects of the CRA is the establishment of cybersecurity requirements based on the risk classification of products. Products with lower cybersecurity risks will undergo a basic conformity assessment, while those with higher risks, such as those managing critical infrastructure or personal data, will require stricter third-party assessments and certification.
The regulation also considers the challenges faced by microenterprises and small and medium-sized enterprises, aiming to minimize their regulatory burden. For example, free and open-source software distributed by microenterprises, especially if non-commercial, will face fewer regulatory obligations under the CRA.
To improve vulnerability handling, the CRA mandates that manufacturers set up a single point of contact for vulnerability reporting, report actively exploited vulnerabilities and severe incidents to designated cybersecurity teams, and document the components contained in their products with digital elements. While Software Bills of Materials (SBOMs) do not have to be made public, the regulation emphasizes transparency in this regard.
The EU Council expects the CRA to be signed by the presidents of the Council and the European Parliament and published in the EU’s official journal in the coming weeks. The regulation will enter into force 20 days after publication and will apply 36 months after its entry into force, with some provisions taking effect earlier.
Overall, the Cyber Resilience Act represents a significant step towards enhancing cybersecurity standards for digital products in the EU. By setting clear requirements and standards for manufacturers, the CRA aims to improve the security and safety of connected consumer products, ultimately benefiting consumers and the digital ecosystem as a whole.

